Honestly, I won't run a non-rooted device (although I admit that the current way to root a device is questionable in parts). But here's a real, honest question: Why would services stop working because of root access?
Why can't Android Pay work on a rooted device. Samsung's crappy equivalent (I use neither, but I think those are often considered examples for 'stops working if rooted' issues)?
I also own my credit card. Just like my mobile. What is the danger that these services try to protect against, why is root a problem in these cases?
This really has nothing to do with services not working because root is enabled, instead it has everything to do with companies (Netflix in this case, or Google for Android Pay in your example) preventing widespread theft of employee/customer data.
Even the most cautious users can accidentally click "allow" by mistake. Here's a example of how that might happen:
Build an app that some user wants - maybe a game. Make the user click a "Start" button to play. Time how long between presenting the button and receiving the click, after a few rounds of this, wait a fraction of a second less than the average time and trigger the sudo call which in turn usually triggers an allow/deny popup.
Did it register with you in time, or did you click allow? Did you even notice it if the game starts anyway? Probably not! Netflix just gave an attacker an entry point, and Google just lost the confidence of their banking partners, who are likely looking for any excuse to avoid working with Google (and Apple etc) anyway.
A good IT department has to protect the company from risks like this, and nothing the company requires you to do will require root (There are obviously exceptions, but the number of employees worldwide who fit this bill, outside of phone OS development, is likely less than a 5 or 6 figure number).
If you need root for personal tasks, and the company isn't happy with root, then they are entirely within their right to deny that device access to company systems.
That said: I question that services should stop working if I have the ability to grant root. Reasons:
1) Maybe I know what I'm doing (honestly .. I consider myself capable and still have cringe while writing this)
2) Your software isn't immediately compromised in its core functionality if _I_ own my _own_ device.
For Netflix, this feels like another failed attempt to close the analog hole. Android Pay and whatever else might try to be your wallet (I'm a huge fan, as you might notice in this thread) should be able to withstand that. Otherwise it's just a crappy payment system.
I can pay stuff from my PC (various operating systems) and I do have root (or the equivalent permissions). I also own - as I stated in my original post - a CC that allows me to spend money freely. I don't know how hard it would be to copy it physically, but you'd be able to strip the core details (name, number, CSC) in a couple seconds/with two pictures.
Why is the CC secure, but a rooted phone isn't. Ignore Netflix, they're brain-dead and content related DRM isn't what I'm going for. I'm asking why random legitimate services refuse to work on a phone, because .. the owner actually seems to own the device?
Stethoscope has nothing to do with user's of Netflix's service, and the DRM on it. This is for Netflix employees, on IT managed smartphones. This could have just as easily come from any of a number of other companies that issue phones to employees.
The scope of risks are so significantly larger than the traditional "people who can place their hands on your wallet, or read the number while you have it in the open"...
My example kinda covers this, phones really are getting faster... It's no longer a case of "I know what I'm doing" when it now comes down to human recognition and reaction time. In other words, you clicked allow before your brain had time to stop you. How do you prevent this?
> 2) Your software isn't immediately compromised in its core functionality if _I_ own my _own_ device.
100% agreed. For the Google Pay example, fair enough. It's your credit cards, and it's harder to come up with a counter point.. For the OP / Netfix example, it's not your data, and likely not your device - or - by connecting to company services, you've basically agreed it's not yours (This could be a whole sidetrack on it's own! :))
> Android Pay and whatever else might try to be your wallet (I'm a huge fan, as you might notice in this thread) should be able to withstand that. Otherwise it's just a crappy payment system.
Credit card companies are generally responsible for theft of money where you remained in possession of your card at all times. Sure, they really hate admitting it, and gathering the proof is hard, many times impossible. But that doesn't change the responsible party when the proof is found.. Given this, it's easier for them to accept less secure alternatives (e.g. the US's reliance on signatures).
The rise of NFC credit cards has changed this somewhat, if a credit card hands out all the details needed to make a purchase to anyone who bumps into you on the street, possession is now not the only factor, and banks have built safeguards around this (e.g. max transaction size, max NFC transactions before being required to enter your PIN).
Google with Android Pay must prevent that same bump on the street from stealing their customers money. The cell phone payment version of this comes in the form of other apps on the device, hackers breaking into the phone remotely, etc. With a rooted device, or a device using unknown firmware, all bets are off.
> I can pay stuff from my PC (various operating systems) and I do have root (or the equivalent permissions).
And this is a security hole, granted it's one I wouldn't want to see shutdown, but it's still security hole. I don't have any good answers here, but I do look forward to seeing a solution that works while letting me keep root access on my Linux box!
> Why is the CC secure, but a rooted phone isn't.
I'm think I've mostly covered this, but you're looking at two totally different landscapes. They just cant be compared in the same way.
> Ignore Netflix, they're brain-dead and content related DRM isn't what I'm going for.
While I'm no DRM fan, this entire article is about Netflix's corporate employee device security, it's nothing to do with DRM or content..
: Unknown firmware in this case means firmware google doesn't trust - unrooted AOSP built from a unknown manufacturer can't be trusted any more than rooted firmware from Google itself.
If this really is a problem, the OS could pop up a question such as "This app is requesting escalated privileges", and then wait ten seconds before popping up the allow/deny buttons so the user doesn't click blindly.
The simple solution to this specifically (which I think has been implemented already anyway for some Android rooting options?) is to have a few seconds of delay where the "Allow" button on the root permission request is greyed out.
Re adding a delay to counter this, see my other reply here https://news.ycombinator.com/item?id=13701227 - a delay isn't enough..
The best SU apps have a timeout on the popup specifically to prevent this. I specifically use phh superuser (or, rather, MagiskSU) which has a 2 or 3 second timer from when the popup shows up till you can press accept.
I was drawing parallels between hostile NFC readers and hostile apps/hackers :)
"hackers/hostile apps can do evil things on desktop" is nearly identical to "hackers/hostile apps can do evil things on phone"
So while in a vacuum you could argue that you need to protect against hostile apps the same way you protect against hostile NFC, it's a weak comparison. While the treatment of hostile apps on your heavier home computing device is a super strong comparison.
Example: CVV numbers, these are needed for "Card not present" transactions are must not be saved (e.g. no browser will save them). Using your phone for an NFC payment on the other hand does not need this number.
Yes, this is a tiny detail. But this detail entirely changes the share of responsibility between the consumer/merchant/payment processor/bank.. This is usually reflected in the different fees that are charged for different types of transactions, card swipe vs card not present vs Chip+PIN vs NFC.
Assuming that just because a CC number + errata stored on a PC can be stolen an abused, that the banks etc should just let me do that on e.g. Android Pay is just wrong..
Nobody is stopping you from creating a text file on your phone with the card and CVV numbers, but don't expect to be able to use that text file as a NFC payment method!
Edit: in case I wasn't clear (I know I wasn't, because I kinda forgot to say it ;)), once your phone is untrusted - as in untrusted by the bank etc - everything stored on it may as well be that plain text file as far as they are concerned.
I would consider this a software fault. Your SuperSU-or-equivalent app should do something similar to what Firefox does for downloads (the button is greyed out for a few seconds before you can click it).
But - they don't currently do this, and there's no way that I can think of to reliably, as a third party, validate SuperSU etc is actually doing this.
EDIT: Also, some users really are.. ill informed and gullible. I hate saying it, but a large number of employees even at a tech company will click accept after a quick popup that says "For best 3D performance, we need root access to use your phones graphics chip directly".
The app is also on the Play Store, but the adblocking features are only in the Github version (presumably Google will not approve this functionality for Play Store apps).
Google will likely never do this :(
But suppose you established that the user intentionally rooted the phone (somehow). It'd still not be clear whether the rootkit that the user used was trustworthy. Even if you established that it was trustworthy (stretching the bounds of reasonableness; who is auditing these?), you couldn't assume that the user hadn't run other malicious programs. That last point is true for non-rooted phones, of course, but since this user had root access those hypothesized malicious programs become much more dangerous.
(Also, I doubt you own or have root access to your credit card. But what would you do with it if you did? All I can come up with is to consolidate a few of them onto one piece of plastic.)
My (honest, I'm not trying to pull your leg or anything) question is:
I have a phone. I own it. You (payment provider) cannot control it and I might do stupid things.
I have a credit card. I own it. You (card issuer) cannot control it and I might do stupid things.
Where's the difference? How can CCs work, but Android Pay/Samsung WhateverWhyWouldIUseIt doesn't, given my current impressions above. Can you correct my errors?
I think it is reasonable to assume, as mentioned elsewhere, that rooted devices are more prone to data-compromising attacks. And, due to security bugs, devices that are rooted may not have been rooted with the owners knowledge or permission.
but everyone ignores that :-P
That means (for example) spyware has one less thing stopping it form manipulating (eg) Android Pay to steal money.
I must be reading the image wrong. Jailed has a green check mark beside it, and Up-to-date has a red negative sign. Presumably, this is why the device would require attention?
You don't own your credit card either. The piece of plastic is actually owned by the bank. As they will likely be the ones that take a loss in the event of fraud from malware breaking into Android Pay, but similarly they gain nothing from letting you root your device, so their behavior makes sense.
You can get Android Pay to work on a rooted device using systemless Xposed framework and root cloak, it basically just lies to the dumb checks.
Yeah, that's pretty dumb security theatre. If the device is rooted, it can fake your root checks. Just ask Blizzard.
Better to figure out how to operate even when that happens.
What happened with Blizzard and rooting?
It's a never-ending task.
> By providing personalized, actionable information–and not relying on automatic enforcement–Stethoscope respects people's time, attention, and autonomy, while improving our company’s security outcomes.
Most Android devices can't just be updated to the latest version, which is counter to the proposed goal of being user actionable.. Won't this particular check just result in alert fatigue? Once any single alert comes in that the user has no control over, they HAVE to ignore it, and once they ignore one, it's easier to choose to ignore more..
They were Mojave Networks but looks like their website is no more. Acquired by Sophos... I guess their called Cloud Web Gateway now. See links.
[Edit] : Found this - https://github.com/scottyab/rootbeer
I think this will be useful for applications that want to know if the execution environment is safe or not - Banking / Payments etc.
I don't know the current state of jailbreak detection in iOS, but I do remember that some time ago, as a rudimentary jailbreak detection, iBooks tried to run unsigned code at launch, and if it ran, the app would refuse to open.
I think right now the only way "around" it has been Magisk .
Given that developments in the root community are few but well-known, it'd only take a weekly visit to the XDA Developers forum by an intern to learn about any new rooting method, and not many resources to successfully block them.
No need for a complicated (and expensive) information gathering and mining rig _for SafetyNet_. Could they be gathering that information with other purposes? Given that Play Services de-facto has root powers within Android, maybe.
Rooting or jail breaking your device is taking control of your device into your own hands, if you use something like Magisk, you can fully bypass root detection, even via the nastiest methods on Android.
Detecting it as a security problem is moronic. In fact, I'd argue it's actually a security improvement due to things like XPrivacy.
By definition a jailbroken device is vulnerable to something as that is how it was jailbroken in the first place. Having the most up to date version is usually the safest thing for a user.
That's not true of rooted Android devices though, most Android devices allow you to enable a developer mode which will allow you to replace the ROM entirely if you like with no need to exploit anything.
I generally choose usability over security, but maybe I should be more paranoid.
I do not have android pay enabled on my phone but I'm not sure I'd be comfortable with it even if I wasn't rooted. I insist on root because I want to block ads and install themes. It's possible to do these things without root, but it's harder.
Please comment people with deeper knowledge of security.
But that's not where it stops. You see, there's still plenty of great data they can grab when you blindly click accept on that permissions dialog. Contacts are grabbed by many applications, unique device identifiers, loading your app with ads, even grabbing GPS location are pretty much standard practice now.
These practices which used to be labeled spyware or adware and hunted down and removed are now the norm.
These apps grab this data and then throw it out onto the open internet, often over unencrypted connections to parties who you don't know or trust, who are often unrelated to the app developer almost entirely, most often just so some advertiser knows you play a certain game or live in a certain city.
It depends on your definition of security - if it's strictly clicking on an ad and getting malware - it's great - but if it includes things like leaking contacts, locations and identifying information - it's terrible. XPrivacy is the only solution I've seen to really hit back at it.
Rooting your device does NOT immediately lose all sandbox benefits. It only selectively bypasses it. If you don't approve EvilMalware to bypass the sandbox - it still can't break out.
As for Android Pay? Go ahead and use it. Rooted or not, to my understanding, you're not liable for fraud on it, your credit card company will still reverse transactions no problem.
CM ships pre-rooted - you just enable it in the settings, but the su binary is present and can be detected by any app looking for it. So that's a very common way to detect it on CM.
That's an interesting stance, you don't care about rootkits? What about malware, which has been found in the wild, which abuses root privileges to steal account information? That malware is extremely difficult to detect directly.
What you're thinking of are things which use exploits to gain root - this may be done by some users, but most often Android devices are rooted via bootloader unlocking these days, which does _not_ use an exploit.
Exploits however are used by malware - and not having your device rooted won't prevent them. They gain root via exploitation, whether you want them to or not.
Not to mention that the kind of root detection done is by looking for things that only the legitimate sort of root leaves behind, like a su binary which prompts the user if they want to permit root or not.
Often times, rooting your device legitimately may allow you to flash a custom ROM and get updates that your original vendor hasn't released for your device, allowing you to actually _prevent_ exploitation by malware, even after your vendor has long abandoned the device.
That'd be some very stupid malware - anyone who was actually rooted would notice immediately when their root tool told them their support binary needs to be updated.
Which is the safe one ? The default ecosystem or the jailbroken one ?
I ask because most of the advanced security measures and hardening that I ever considered doing on an android phone required jailbreaking ...
Secureboot  creates trust between hardware and software, but here you have to trust the hardware. An interesting question is how can software audit its hardware that is driving it ?
ARM TrustZone  is another way to offload all the sensitive computation onto another embedded SoC. But, its hard to know what the application is using. You sort of have to trust the banks to do the best job.
I had conditional paths for showing ads, and some rooted phones had blocked ads based on IP address.
I used to have my work email and Slack on my phone. Eventually we started to implement stricter security, which I found disagreeable, so I purged everything work-related.
I thought the "various data sources" scenario was exactly what Falcor was for - interesting that they used React.
The part of that that I don't agree with, is "on their own time". What if the change that needs to be made an urgent security fix?
Many company provided phones are locked down completely, you can't install or upgrade anything yourself.
This is so close, it has to be intentional !
Still today, its editing interface is awful and reminiscent of the early 2000s WYSIWYG editors.
Even still today, it insists on serving me all its content in the language of the country I'm currently visiting, even though I have my language set to en-us in my Google account and on my browser and I consistently change its language settings back to English.
>7 admires sidearm
"That's an awful purty wife you got there; shame if something happened to you"
They don't need that stuff so I deleted the app.
You can upgrade your Android version possibly, to find that the Netflix app will not require those permissions if you install it.
But you arbitrarily can't watch stuff in Incognito Mode?
But I've been having a hard time figuring it out. Inspect the playback bar to see what I'm talking about. Anyone have any luck extending the playback UI or hooking into it?
At first it was super slow. I paused almost every frame to look up words or phrases with google translate. If I still can't divine the phrase, I switch the the English subs for that frame.
Over time I just got better. Now I can watch shows without much pausing or word lookups.
I can read Spanish fairly well these days. Unfortunately, it didn't seem to work out my hearing/speaking muscles at all and I have to train those independently.
The upside is that I can netflix & chill with a Spanish speaker.
The catch is that this isn't a good strategy for shows that you particularly want to enjoy. Translations lose pretty much all the character, becomes robotic, and the characters are spread between the same 2-3 voice actors.
I think anything is better than nothing, though. I personally watch movies/shows now always with foreign subtitles.
I think they were going for a "friendly" approach but it just doesn't do it for me. Now, you may argue that the logo isn't important but some users will utilize a tool purely based on aesthetics...why a creepy giraffe? Am I missing something in American pop culture..? (I'm Canadian...)
This explains some of what you are describing
The designer did a great job drawing it...but something just doesn't feel right...
Toned back slightly, I'd probably have not noticed it.
Totally backwards. As Mr Trump would put it, SAD!
There is no evidence that jailbroken or rooted users have resulted in any significant compromises.
At least in the Android world, you must still approve any application which wants root access and rooting your phone allow you to gain access to some pretty impressive security tools you otherwise wouldn't have available to you. Generally speaking, users who are rooted or jailbroken are sophisticated enough to handle this on their own - and often use it to improve their security, not damage it.
You were given that device to do work on, not take apart and do whatever you wish with it. If you want your own dev device, buy your own phone. I see plenty of coworkers who carry around two devices each day.
Companies that lock down the employee computers to only allow whitelisted applications to run deal with a lot less reimaging and malware cleaning that those that give local admin access to the employee. It does result in employees having to request installation of things outside the standard core software but it still takes less time than dealing with typical malware.
It only "opens up access" to applications I allow explicitly. And I run things like XPrivacy which allow me to hook privacy compromising applications.
In reality it's much better for security to be rooted if you know what you're doing.
It's only a problem if you're allowing root for say, random games you download... and I don't think many people are doing that. Generally if you're rooted or jailbroken, you know what you're doing.
And if you don't, it's potentially much worse security. If your device is rooted, that's an attack vector that didn't previously exist. Since this tool is about informing and not enforcing, then if you really do know what you're doing then you can choose to take no action. If, however, you're not aware of the risks rooting a device exposes you too, then the tool provides an opportunity to learn that.
Further, this tool wasn't made with protecting an individual so much as protecting an organization. Yeah, you know what you're doing, but are you willing to bet your organization's security on that being true for everyone now and in the future? One compromised device can be all it takes for an attacker to get in. Not everyone who roots really knows what they're doing, it's very easy to root some phones, a quick download on a PC, run an app, click a button, and tada! Also, what about the non-techie person that asks their tech-savvy friend to root because they want to be able to <any single one of the things rooting allows>? Do you trust the judgement of every person tech-savvy enough to do this to never root another's phone without them really understanding the consequences?
Phones don't seem to be very popular attack vectors and many main attack methods could be performed without the need to root the device at all.
All in all, I'd be very surprised if rooting a device ever resulted in a significant compromise which couldn't have been done without root. Exploitation excluded obviously.
It's not what's being referred to here, but there's no weirdness in the language.