Your device’s safety in someone else’s hands: root and jailbreak

While manufacturers force increasing limitations on their systems, users constantly look for ways to bypass them. What the public is not aware of, though, is that rooting and jailbreaking a device brings more harm than good.

Manufacturers impose restrictions to protect users and reduce the chance of an unauthorized system configuration, among other reasons. In some cases, unlimited access to all properties and hidden functions allows tweaks, performance enhancement, or OS upgrades for older, unsupported devices.

For Android and iOS users, there are two seemingly similar procedures to enhance user rights, called root and jailbreak. Not welcome by manufacturers, each year they become more complicated but popular, among hackers as well as users.

What are root and jailbreak, really?

Rooting is the process of gaining privileged control over, or root access to, various Android systems. Jailbreak is a technique that enables the user to bypass limitations on an Apple device; it generally involves exploiting vulnerabilities in the system. They may have similar purposes, but they have different characteristics.

Android is based on Linux, so rooting can be treated similarly to superuser permissions on Linux. Let us remember that a super user on a Unix-based OS has total access to the resources found on a device and can, for example, execute commands with root privileges. In general, rooting allows the user to change settings and install or replace system applications, run specialized applications that require administrative permissions, and perform other actions usually inaccessible to users.

Jailbreak is similar to rooting in that it involves privilege escalation and allows users to install apps from third-party stores (Android does not need root for such an operation) or change an iPhone’s default browser and mail clients.

Why root or jailbreak?

The first and main reason for rooting or jailbreaking a phone is to configure the device according to one’s needs. Obtaining superuser access rights allows owners to take full control of the system. Such a modification is especially interesting to customers who have devices that are older and unsupported.

There are many popular applications that help to obtain superuser privileges on the Android platform, like: Kingroot, 360 Root, Framaroot, Baidu Easy Root, Towelroot, One Click Root, or Mgyun.

With root, users can manually:

• Upgrade OS to the newest version.
• Unlock options inaccessible to standard users.
• Install third-party apps (not from the store).
• Access all system resources.
• Customize low-level device configuration (e.g., increase performance by overclocking).
• Enhance battery life.
• Automate some processes in the task scheduler (tasker).
• Customize rooms.
• Block ads.
• Fully back up the device (e.g., Titanium backup).
• Obtain newly-developed features.
• Remove bloatware.

On non-rooted systems, all apps work in isolated environments (sandboxes), which is why devices cannot gain access to non-approved resources. However, with superuser access, an app can work outside of the sandbox and take full control over the device, including private data, application data, cryptographic key access, etc. Hence, the most important reason for not rooting or jailbreaking a device is safety.

Safety problems: the most common attacks

Any type of privilege escalation bug found in Android can be used to gain root access. Despite monthly security updates, Android has problems with security vulnerabilities because big and small vendors have no guarantee that users apply the latest patches.

On average, two years after the release, a device goes out of date; during this period, it will typically no longer be receiving security patches or new OS versions.

Most users with rooted devices are not aware that it is very possible to modify an existing application code. When a process is running with enhanced privileges, it can access stored application codes on the device, for example application jars. This way cybercriminals can inject their own malicious codes into a legitimate application. Now the attacker can do almost anything, from logging into activities to changing transaction details on any app on the device.

Any process with root access can skillfully bypass permissions in order to monitor the user with sensors installed on his or her device. The spyware process running as the root user is in control. In addition, with root access, hackers can access all data, including backups, resources, calendars, and confidential data stored on the device (like encryption keys). All this information is vulnerable to malware such as Trojans, which can:

• Steal passwords from a browser (like the Tordow banking Trojan).
• Secretly purchase applications in Google Play (like the Guerrilla and Ztorg Trojans).
• Substitute URLs in a browser (like the Triada Trojan).
• Stealthily install apps, also on system partitions.
• Modify firmware so that Trojans remain on a device even after it is reset to factory settings.

A rooted device inside the internal enterprise infrastructure can be susceptible to any type of attacks like data theft or ransomware. In most cases, malware is capable of gaining superuser access rights on its own by exploiting blind spots in the system. Users rooting their own devices offer quite a gift to malware developers.

Detecting root and jailbreak

From a technical point of view, remote detection of root and jailbreak is still very difficult and is not foolproof. Here are a few dead giveaways that a device has been tampered with:

• The presence of Cydia, a third-party application installer similar to the App Store.
• An access to certain directories that should not be available to an app without escalated privileges (such as /bin/bash, /etc/apt).
• Being able to find symbolic links to usually unavailable directories or to write to a directory where that should not be possible.

A good, if not very convenient example of a free open-source solution is the Mobile Verification Toolkit (MVT) project. A single-track approach may help, but in today’s world it is insufficient, which is why we recommend multi-track solutions based on packages, libraries, and process and privilege analysis.

There are also numerous specialized tools on the market, combining the best heuristic practices powered by AI, money laundering detection mechanisms and event-driven security. They process many sources of information, starting from typical packages and privileges and ending on intents and application behavior.

Conclusion

According to 2021 Check Point Cyber Security Report, almost every surveyed organization experienced at least one mobile malware attack in 2020. A total of 93 percent of these attacks originated in the device network.

In addition, 46 percent of organizations had at least one incident of an employee downloading a malicious mobile application that threatened networks and data or gave command-and-control communication to malware that is already on the device.

In 2020, multiple vulnerabilities were discovered in Android and iOS, the most severe of which can enable remote code execution within the context of a privileged process (CheckRa1n and ROM, jailbreak vulnerabilities).

By rooting or jailbreaking a device, we forfeit our safety. A correct distribution of privileges is extremely important. Accurate detecting, tracking and isolating jailbroken and rooted devices can ensure security for the corporate infrastructure and help to reduce attacks. The best way to achieve this goal is to use modern, event-driven monitoring solutions powered by AI because they efficiently detect many types of tampering.

Be secure and explore Comarch’s solutions in the cyber security industry: tPro Mobile application and the cyber fraud prevention system.