We'd much prefer to abandon our rooting efforts entirely and have the market flooded with phones that have the equivalent of "fastboot oem unlock", or have easy ways to flash custom ROMs like the Dell Streak (no signature required), the original Droid and some of Samsung's devices. The energy we spend working on root could be better applied in finding and fixing the security holes that exist on the Android platform.
Until then we'll keep poking holes in the security of HTC devices (our focus) and make them work as hard as possible to figure out which holes we've exploited to keep the rooting window open as long as possible. We'll also keep recommending that people put their money on open devices like the Nexus One and the Nexus S.
* The exception to this was the skyagent hole, where HTC and Sprint shipped a suid-root program that would give any program you installed full control of your device. We notified them of the problem, then shipped a root based on it shortly after:
What do you tell your laymen friends and family that you do? Do you call it hacking? Security analysis? Something else?
As a user of an unlocked Evo, I want to thank you for doing this work. It makes my life more enjoyable!
When you do the same to the phone, there is much less mayhem. But there's absolutely nothing illegal about the first scenario.
The sad part is that Android is supposed to solve this problem, but (for many of the devices) it doesn't seem to change it at all.
Android is much more difficult to exploit for us because most processes don't run with the equivalent of root. Even though we're able to exploit the browser occasionally, we can't normally use that to escalate to root (there are some exceptions to this that I won't go into :)). There are system processes, but generally these important processes run as "system" rather than root. Generally, only the processes that need to setuid() to another user run as root.
I believe (but I'm not sure) that the iPhone has two users: one at a root level for system processes/applications and another for installed applications. This allows the iPhone dev team to attack the browser and use that to quickly gain control of the entire device.
The nice part on Android for us is having access to the adb shell, which occasionally lets us poke into things we shouldn't normally be able to poke at. Most Android root attempts happen through this shell user which is generally inaccessible to installed applications. You can see the additional groups granted to the shell user here:
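The per-user split described in the comment above is easy to check for yourself from the adb shell. The script below is an added example, not code from anyone in this thread: it summarises which Unix user each process runs as from `ps`-style output. The sample listing is constructed to resemble a 2.x-era `adb shell ps` dump (the columns and process names are assumptions, not a capture from any real device); on a real phone you would pipe `adb shell ps` into the same functions.

```shell
#!/bin/sh
# Added example: summarise process ownership from Android `ps` output.
# SAMPLE_PS is a constructed listing in the 2.x-era format
# (USER PID PPID VSIZE RSS WCHAN PC STATE NAME); it is not a real capture.

SAMPLE_PS='USER     PID   PPID  VSIZE  RSS     WCHAN    PC         NAME
root      1     0     268    180   c009b74c 0000875c S /init
root      27    1     680    200   c00a1a28 afd0c0cc S /system/bin/sh
system    29    1     3356   292   ffffffff afd0d164 S /system/bin/servicemanager
root      30    1     816    256   c01d3e4c afd0c51c S /system/bin/vold
root      32    1     45640  3296  ffffffff afd0cd9c S zygote
media     33    1     19392  1524  ffffffff afd0d164 S /system/bin/mediaserver
system    60    32    191276 30716 ffffffff afd0cd9c S system_server
shell     214   1     3384   172   c01b7ea8 afd0d5dc S /sbin/adbd
app_21    260   32    109484 18548 ffffffff afd0cd9c S com.android.browser
app_5     292   32    102148 14868 ffffffff afd0cd9c S com.android.phone'

# Read ps output on stdin; print "user count" pairs, one per line,
# skipping the header row.
summarize_users() {
    awk 'NR > 1 { n[$1]++ } END { for (u in n) print u, n[u] }' | sort
}

# Read ps output on stdin; print the command name of every process
# running as root (the processes a rooter would target for escalation).
root_processes() {
    awk 'NR > 1 && $1 == "root" { print $NF }'
}

# Read ps output on stdin; print how many processes run as user "$1".
# Usage: count_user root
count_user() {
    awk -v u="$1" 'NR > 1 && $1 == u { c++ } END { print c + 0 }'
}

# Demo on the constructed sample: run as `sh script.sh --demo`.
# Replace `printf ... "$SAMPLE_PS"` with `adb shell ps` on a real device.
if [ "${1:-}" = "--demo" ]; then
    echo "processes per user:"
    printf '%s\n' "$SAMPLE_PS" | summarize_users
    echo "root-owned processes:"
    printf '%s\n' "$SAMPLE_PS" | root_processes
fi
```

Note that `summarize_users` keys on the first column, so it works on any `ps` output whose first column is the owning user; the shell user itself shows up as the owner of `adbd`, which is why the adb shell has a different (and separately interesting) set of groups from any installed app.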
However, if, on an iOS device, you do find an exploit in a root process, you still don't have a way to do much. Because of the code signing requirements and the W^X protection, you can't run your own binary or even execute shellcode: ROP is the only method possible to run code. So you still have to exploit the kernel to disable those, making root code execution only slightly more useful than 'mobile' code execution for that purpose.
But that's not even really relevant, since only a few (JailbreakMe, Spirit, the on-bootup component of limera1n and greenpois0n) of the "jailbreaks" (a really misleading term, since they are more of "injected kernel patches to remove code signing requirements") are even done from a booted device at all! Most of the exploitation happens in the lower-level bootloaders, over USB (using the protocols intended for restoring the device if the higher-level components fail). Once you get access there, you can pretty much do anything you want (run a different OS, remove restrictions from the kernel), but only for this one boot cycle. After a reboot, you need to apply these patches again, leading to what's known as a "tethered jailbreak": you have to exploit the bootloaders each reboot to start up the device. This can be avoided with yet another exploit, which breaks the chain of trust at boot time to apply the patches without user intervention.
Edit: some clarification.
Edit 2: I should turn this into a blog post ;P.
Much of the work we do on Android involves some of the lower-level bootloaders as well. Because each of the different Android manufacturers has implemented their own bootloaders, we tend to find lots of potential exploits at that level.
The work you guys do on the iPhone side is impressive.
Edit: Unrelated: I just realized you made the Treo 650 Linux version -- that was awesome!
You really have a flair for explaining such complex issues in understandable prose.
I don’t see that as likely. In fact, Android’s “openness” can lead to maliciousness on the part of carriers and phone makers against their users. I cite Android phones that come from carriers with unremovable junkware & phones that have hardware encryption that prevents user rooting.
Are they? What is your source for that?
"Rootability" is not an accident there, but part of the design.
This, of course, is unless your (subsidized) phone is locked down to hell and then some. This is much less of a problem in Europe, since you can always buy the unlocked phone and, as a matter of fact, with the exception of pre-paid phones, even subsidized phones are not SIM-locked (you sign a contract anyway), and I never had one loaded with unremovable crap-ware.
A company that can dump money on every kind of crap discontinued sales of something. How much worse do you want it to get until you accept it was a joke for sales?
...funny thing is that people are now paying MORE than the original price on eBay to have the device.
When I went in to the T-Mobile store, I came out with a G1 because the T-Mobile lady was explaining all of the hoops one must jump through to use a Nexus One. They don't carry them so you have to order online and wait 4-7 days for the phone to arrive (my old phone was broken, so this alone made it not an option for me), you can't use T-Mobile's normal plans on them, I wouldn't have been able to buy with subsidy because my previous contract had one month left and therefore manager override was necessary to grant the discount on the phone, and I didn't have $500-$600 cash sitting around to spend on a phone, and so on.
If the N1 got the same kind of carrier marketing and buy-in that the other phones got, I'm sure it would have done well. Carriers, however, did not want to provide that marketing or support because doing so would minimize their death grip on the end-user and count as a success for something not loaded with carrier crapware, which they don't want either.
The carriers know, of course, that nobody really _likes_ having a permanent, unremovable Blockbuster app on their phone. But since people will tolerate it, and the carrier gets a lot of money from Blockbuster (or NASCAR or whatever) for doing that, they want to keep phones that are free from this crapware as far away as possible; if they didn't, people would prefer phones that are without crapware, and this would impede the carrier's ability to sell contracts to include crapware.
I'd much rather pay for the phone I can afford and not be abused like that.
T-Mobile offers a couple of different options, one of which is a $10-$20 discount on the monthly plan for non-contract phones, or a zero-interest amortized 24-month payment plan that allows you to still get the subsidy and the discounted plan. To me, not having to drop $500 to get a phone when I don't have $500 is worth $10-$20/mo (which, over two years, depending on the phone you get and the price you pay with contract, is usually pretty close to the sticker price for the phone anyway, maybe $100-$200 more than buying outright, a reasonable finance charge). I didn't know about the payment plan when I signed up, though it's generally been agreed that that turns out to be the best option.
Actually, paying more on eBay for a device that is scarce is just called economics. Though, it would be surprising to learn that the price was much higher than the original unlocked price + $30 - since you can still purchase one if you have registered yourself as a developer with an Android Market account.
The telephone companies? They don't care - they don't want open. And they control the sales channel.
Signalling to the telephone manufacturers? They're powerless - if they anger Verizon they'll lose all of their customers.
Until that changes, Android, and wireless in general, will continue to be a lot less open than it should be.
Android Dev: OMG! You easily installed a new OS on your Dell desktop?! Windows Security must suck!
Of course the Ubuntu live disc worked fine and offered to install a better display and wifi driver for me automatically when I had wifi or an internet connection next.
Sorry - it's a question that's worth asking. If everyone was assaulting each other with wrenches, we'd declare martial law - the constitution isn't a suicide pact. If Android is the hottest smartphone OS in the US right now (and it is), why are the app attachment rates so low?
As a console game developer whose friends have developed iOS and Android apps that have seen huge download and play numbers (as measured by leaderboard submissions) but have seen almost no purchases, I have zero interest in developing for either platform.
Of course that's a false dilemma; my app is earning several hundred dollars a month with zero marketing and zero copy protection. The vast majority of apps are not going to be Angry Birds-scale hits, and that's true with or without piracy.