Companies allowing employees to bring their own device (BYOD) for work purposes are toeing a fine line: providing workers with ability to use the smartphone or tablet they’re most comfortable with, but also subjecting the enterprise’s data to potential security risks.
One issue keeping digital security and IT managers awake at night is smartphone rooting.
What Is Smartphone Rooting?
Rooting phones, no matter what the operating system, usually means discovering a bug of some sort that lets you bypass internal protections and gain complete control over the operating system — to become the “root” user, who has all privileges and all access. Rooting is sometimes called “jailbreaking,” as it allows the user to break out of constraints of the operating system.
In the Android ecosystem, since the platform is based upon Linux permissions and file-system ownership, rooting means gaining “superuser” access. Rooting is generally carried out using Android SDK tools to unlock the bootloader and then flash a custom image to the device. Some third-party applications may offer to root your device for you, but users should be particularly cautious of these as they have the potential to introduce malware or other security loopholes.
Not everyone rooting a phone breaks in by finding a bug. Android phones sold for development purposes, for example, may allow rooting to help in the testing and debugging process.
It’s also important to note that rooting is different from unlocking a phone. In the U.S. especially, phones are often sold with a subsidy provided by a telecom carrier. To help enforce the contract terms, phones may be configured by the carrier so that they can only be used on certain networks. Disabling these controls is called “unlocking” the phone, but this does not involve gaining superuser permissions.
Why Do People Root Their Phones?
People root smartphones for many different reasons. They may want to install a specific application, change certain settings, or just because they don’t like being told what they can and can’t do with their phone.
In the early years of Android smartphones, rooting was popular among tech enthusiasts as a way to strip back user interface customizations made by manufacturers to the Android platform. In other instances, the motivation has been to remove preloaded applications.
How Can You Tell If a Phone Is Rooted?
Users who are uncertain if their phone has been rooted have several ways to check.
The presence of a Kinguser or Superuser application on the device is an obvious sign that the device has been rooted. These applications are typically installed as part of the rooting process to allow access to superuser privileges. Users can also download a root checker app or a terminal client to determine if superuser access is configured.
With Samsung’s Android devices featuring Samsung Knox, the user can simply go into Settings and tap “About Phone” to review the software versions on their device. Any irregularities in the software will be noted.
Is Rooting Your Smartphone a Security Risk?
Rooting disables some of the built-in security features of the operating system, and those security features are part of what keeps the operating system safe, and your data secure from exposure or corruption. Since today’s smartphones operate in an environment filled with threats from attackers, buggy or malicious applications, as well as occasional accidental missteps by trusted users, anything that reduces the internal controls in the Android operating system represents a higher risk.
Quantifying that increased level of risk is hard because it depends on how the phone was rooted and what happens next. If a user roots their smartphone and doesn’t do anything outside of normal day-to-day usage, it becomes hard to point and say “this is a big security problem.” But if a rooted phone stops checking for software updates and security patches (or cannot install them because the kernel is no longer signed properly), then even a phone used in a very normal way slowly turns into a ticking time bomb running old software and applications.
On the other hand, IT managers know that many users root their phones and then engage in unsafe behaviors, such as installing pirated applications or malware — even unintentionally. In that case, the security risk rises quickly.
A rooted smartphone — especially one that doesn’t get updated — creates a security problem that gets worse over time. Similarly, some of the important security features of smartphones, such as Samsung’s Trusted Execution Environment (TEE), can be disabled when a smartphone is rooted. This means that applications dependent on the security of TEE for encryption key storage or home/work partitions, for example, either stop functioning entirely or are no longer secure. And that’s why most IT managers strongly discourage rooting phones.
Should Rooted Smartphones Be Used for Work?
Rooting a smartphone changes the fundamental security posture of the device, and this generally makes the device unsuitable for work use, exposing enterprise data and applications to new threats.
Many acceptable use policies (AUPs) explicitly state that rooted devices are not allowed to access corporate networks, applications and data. As discussed in more detail below, IT admins may also use rooting or jailbreak detection capabilities within their Mobile Device Management (MDM) solution to red-flag any compromised devices enrolled. Even if these policies and protections are not in place, users who are aware their device is rooted should think twice before using that phone for business purposes.
What Should IT Managers Do?
First, make it hard for people to root phones. Pick a business-focused phone that has hardware protections that make booting of untrusted code somewhere between difficult and impossible. For example, Samsung’s phones with the built-in Knox platform and TEE use a combination of hardware and firmware to keep untrusted operating systems from loading by verifying a digital signature on each part of the operating system as it’s loaded into memory. If the software is not digitally signed by someone in Samsung’s chain of trust, then the phone won’t load the software at all. The digital signature guarantees, with cryptographic assurance, that the operating system software being loaded has not been modified. That eliminates one favorite technique for rooting phones.
Samsung Knox also has rollback protection as part of the trusted boot process. Another favorite rooting technique is to load an older version of the Android operating system with an old bug that makes it easy to root the phone. With Knox-integrated phones, though, once a new version of the operating system has been loaded, it can set a minimum version number in the TEE, and the smartphone can detect if the operating system meets the minimum requirement. Depending on where the device is in the boot process, it will either refuse to load older, buggier versions of the operating system, or in some cases, it will boot up but clear out the secure area in the TEE which has decryption keys in it, effectively wiping the phone’s data storage. Rollback protection is a one-way street — no amount of factory resetting the phone will clear this information out, so once a phone has been patched and the rollback protection updated, it can’t be unpatched by someone trying to root it.
Finally, after making it harder to root phones, IT managers should actively detect rooted devices, typically using their MDM, Enterprise Mobility Management (EMM) or Unified Endpoint Management (UEM) console. This service helps by providing reporting on device software versions, and any back-tracking of a smartphone to an earlier version should stand out — and cause the MDM/EMM to log a security event. Upon detection of rooting, the admin can choose to have MDM automatically lock the user out of the device, wipe all enterprise data or restrict access.
More advanced phones can also report back to the MDM/EMM on periodic real-time checks on the integrity of the operating system. For example, in Samsung phones with Knox, IT managers can take advantage of Realtime Kernel Protection (RKP) and Periodic Kernel Measurement (PKM) to detect and block kernel tampering at run time.
IT managers can’t convince people not to root their smartphones. But they can make it harder for those devices to be used in the enterprise, and they can better detect policy violations. All it takes is the right hardware, the right software and a keen eye.
What happens when an employee’s smartphone leads to a security incident? Find out why an Incident Response plan is critical for digital security leaders with this free white paper.