Here’s the short answer: you can’t prevent it — at least, not entirely.

Rooting phones, no matter what the operating system, means discovering a bug of some sort that lets you bypass internal protections and gain complete control over the operating system. Much as we’d like to wish otherwise, there will always be these kinds of bugs. So if anyone tells you that they have an Android phone that can’t be rooted, they’re mistaken.

On the other hand, Android phone vendors are taking the problem of rooted phones very seriously, and there are a ton of protections that make it harder to root phones and easier to detect when a phone has been rooted. For enterprise IT managers, that’s good news, because, generally, a rooted phone represents a much bigger risk to security than an unrooted one.

So what should IT managers responsible for securing smartphones do?

Step 1: Protection

First, make it hard for people to root phones. Pick a business-focused phone with hardware protections that make booting of untrusted code somewhere between “difficult” and “impossible.”

For example, Samsung’s phones have the built-in Knox platform and the Trusted Execution Environment (TEE). This uses a combination of hardware and firmware to keep untrusted operating systems from loading by verifying a digital signature on each part of the operating system as it is loaded into memory. If the software is not digitally signed by someone in Samsung’s chain of trust, then the phone won’t load the software at all. The digital signature guarantees, with cryptographic assurance, that the operating system software being loaded has not been modified. That eliminates one favorite technique for rooting phones.

Samsung Knox also has rollback protection as part of the trusted boot process. Another favorite rooting technique is to load an out-of-date, unpatched version of the phone’s firmware to make it easy to root the phone. With Knox phones, though, once a new version of the operating system has been loaded, it can set a minimum version number in some special one-time writeable memory, and the smartphone can detect when something funny is going on. Depending on where the phone is in the boot process, it will either refuse to load older, buggier versions of the operating system, or, in some cases, it will boot up but will clear out the secure area in the TEE that contains decryption keys, effectively wiping the phone’s data storage. Rollback protection is a one-way street — no amount of factory resetting will clear out this information — so once a phone has been patched and the rollback protection updated, it can’t be unpatched by someone trying to root it.

Some phones, including Samsung’s phones with the Knox platform, even have something called the “warranty bit,” which is another one-way street: once the smartphone detects that it has been tampered with, it never forgets that. Someone who succeeds in rooting a smartphone with this protection can’t reset or clear it back to a trusted state ever again. The phone’s not a brick, but Knox’s TEE components will permanently lock down to protect any residual enterprise data or keys.

Android itself has some protection features as well. For example, post-boot operating system protection is handled by a built-in feature called “dm-verity” (Device Mapper Verity). If an attacker modifies the disk to try to get root, dm-verity will catch the modification before it can be loaded by the operating system. Rather than simply throwing a warning and allowing a potentially dangerous operation to proceed, dm-verity will pretend that the disk had an error (which can happen, and so is already handled by the operating system) and not return any data. This means an attacker can’t gain any advantage by changing the read-only portions of the operating system.

A warning to IT managers, though: finding hardware protections for rooting means digging deep into the manufacturer’s specifications. Just because a phone has “Samsung” written on it doesn’t mean that it has full Knox protections — though all Samsung phones do have the anti-rooting protections discussed above. All of the big phone manufacturers, Samsung included, have high-end and low-end phones, and one way to make a more inexpensive handset is to pull out some of the extra hardware needed to provide some rooting protections and detections. So when you’re looking for a phone with hardware protection against rooting, check the specifications carefully — and be prepared to select something other than the cheapest model available. Both the Galaxy S9 and Galaxy Note8 devices include full Knox features.

Step 2: Detection

Second, after making it harder to root phones, IT managers should actively detect rooted devices and those in a trustworthy state, typically using their Mobile Device Management (MDM) console. The phone will help a little with this.

Samsung devices offer a feature called Knox Attestation, used by MDMs to check the status of the smartphone. Other smartphone vendors may have more or less sophisticated ways of checking device trust. With Knox Attestation, the MDM can request at any time that the device check its current state (for example, the kernel software and important data structures), along with other boot-time checks (for example, the warranty bit) to determine whether or not the device has been tampered with.

The MDM helps by providing reporting on device software versions, and any backtracking of a smartphone to an earlier version should stand out — or even cause the MDM to log a security event. More advanced phones also can report back to MDM on periodic real-time checks on the integrity of the operating system. For example, with Samsung Knox, IT managers can take advantage of Realtime Kernel Protection (RKP) and Periodic Kernel Measurement (PKM).

PKM is a passive check that runs in the TrustZone TEE and periodically checks the kernel to detect if code or data have been modified by malicious software, or if “SE for Android” has been disabled. RKP is an active security check (more protection than detection) that runs in the TrustZone TEE. Because it’s active, it actually intercepts attempts to modify the operating system kernel, is able to inspect them, and if there’s something suspicious, blocks by rebooting the phone. All of the events from PKM are propagated up to the MDM, and an IT manager can use that to find and act on rooted smartphones.

IT managers can’t keep people from rooting smartphones. But they can make it harder, and they can better detect rooted phones. All it takes is the right hardware, the right software, and a good pair of eyes.

Gaps in enterprise security can be devastating. Take our mobile security assessment to find out if your company is covered — and how you can stay ahead of the curve.