Android root detection

In previous blogs, we talked about how world events are encouraging the adoption of mobile applications for everyday activities and how this will lead to increased attention from cybercriminals.

Right now, per the International Data Corporation (IDC), Android dominates the smartphone market with an impressive 85% market share, so it stands to reason that Android apps and devices would be a prime area of interest for cybercriminals. According to sources on the subject, the data overwhelmingly confirms the hypothesis that the larger the market share, the larger the share of targeted attacks as well. For example, the Nokia Threat Intelligence Report – 2019 reported that “Among smartphones, Android™ devices are the most commonly targeted by malware. In mobile networks, Android devices were responsible for 47.15% of the observed malware infections, Windows©/PCs for 35.82%, IoT for 16.17% and iPhones© for less than 1%”.

This doesn’t mean that iOS devices are perfect, and our previous blog discussed how the risk profile for that platform is evolving as well. More people worldwide use Android devices, so naturally cybercriminals focus more on that platform.

As application security professionals, we understand this, and Google is fighting back. Eight years ago, Google created the foundations of its Play Protect ecosystem, a collection of device and cloud services ranging from SafetyNet to the Verify Apps and Safe Browsing APIs, to reduce Potentially Harmful Applications (malware) on Android devices.

These endeavors have shown a great deal of success. Today, a user who only downloads applications from Google’s app store is “nine times less likely to get a Potentially Harmful Application (PHA) than devices that download apps from other sources.”

In addition to the ecosystem changes, Google has been adding numerous security enhancements to its operating systems. With Android 10, Google issued more than 50 new security features ranging from scoped storage to a number of changes around personal privacy, with things like restricting clipboard access and modifying applications’ access to location data. Android 11 builds on that strong security/privacy foundation by adding many new permission controls, blocking background location access, and enhancing application sandboxes by mandating scoped storage: more on this later.

Of course, all these enhanced security features don’t benefit Android users if the app they’re downloading still uses old APIs. This is why Google has started mandating that new applications submitted after Nov 2nd, 2020 target the API level associated with Android 10. These rules ensure that new applications conform to the latest Android security architectures.

Google is continuing to make great strides in raising the security profile of its platform. In terms of application security, one of the most significant changes was the introduction of Scoped Storage. Prior to Android 10, applications had their own sandboxed private storage. If an application wanted to access a file outside of its sandbox, it had to request (and receive) access to “shared storage”. This permission covered all scenarios and granted access to any file or file type located in “shared storage” on the device. As a result, almost any application could justify getting this level of permission, and the app could then use this to collect files/information outside of its original specified intent, undermining Google’s privacy goals.

Scoped Storage changes this. Permissions for files within an app’s own sandbox are handled intrinsically, so the app can access its sandboxed file system freely, while the user is notified whenever the app attempts to access a file outside of the sandbox. This implementation results in more frequent and more specific file permission requests to the user, but the benefit is increased data privacy and a significant reduction in the data harvesting that downloaded applications can perform. If you’re interested in a more detailed look at scoped storage, I like the blog “Scoped Storage in Android 10 & Android 11” by Gaurav Goyal.
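To make the sandbox boundary concrete, here is an added Kotlin example (not code from the original post, Irdeto or Google) contrasting a write into the app’s own storage, which needs no permission, with access to a shared file, which on Android 10+ goes through the system document picker so the user sees exactly what is shared. It assumes targetSdk 29 or higher, the AndroidX Activity library, and the hypothetical class and file names shown.

```kotlin
import android.net.Uri
import androidx.activity.ComponentActivity
import androidx.activity.result.contract.ActivityResultContracts
import java.io.File

// Hypothetical helper, added for this post. Construct it in onCreate(),
// because registerForActivityResult() must run before the activity starts.
class ScopedStorageDemo(private val activity: ComponentActivity) {

    // Inside the app's sandbox: no storage permission and no user prompt.
    // The directory is private to this app and removed on uninstall.
    fun writePrivateNote(text: String): File {
        val dir = activity.getExternalFilesDir(null) ?: activity.filesDir
        return File(dir, "note.txt").apply { writeText(text) }
    }

    // Outside the sandbox: with scoped storage the app no longer opens
    // arbitrary paths in shared storage. It launches the system document
    // picker, so the user sees and approves the single file being shared.
    private val picker = activity.registerForActivityResult(
        ActivityResultContracts.OpenDocument()
    ) { uri: Uri? -> uri?.let(::readSharedDocument) }

    fun requestSharedDocument() = picker.launch(arrayOf("text/plain"))

    // The app receives only a URI for the document the user chose;
    // every other file in shared storage stays out of reach.
    private fun readSharedDocument(uri: Uri) {
        val content = activity.contentResolver.openInputStream(uri)
            ?.use { it.bufferedReader().readText() } ?: return
        onDocument(content)
    }

    // Hypothetical hook for the caller to consume the document text.
    var onDocument: (String) -> Unit = {}
}
```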

Maintaining the integrity of the application sandbox on a device is a bedrock of the Android security model. Detecting conditions that alter the integrity of this security model, commonly known as root hacks or rooting your device, is vital. We know why somebody would want to root a device: people do it to circumvent application protections. There was a colorful example in the recent article “People are hacking their Peloton bikes so they can watch Netflix and cheat the leaderboard ranking system” from Business Insider.

Magisk is the most common root hack today. Because it is a systemless root hack, it can be used to bypass SafetyNet security checks. As noted by the Android development guide, rooting gives “full access to all applications and application data”. From an application security perspective, it’s clear that rooting modifies the default security posture of scoped storage. What about encryption? The guide points out that encrypting the data with an offsite key provides only limited protection unless it is backed by hardware. It turns out this is not as common as you may think. More on this in another blog.

So from an application security perspective, Google has made tremendous strides, but device integrity is critical to maintaining Google’s security model. Rooting removes the foundation of that model, so measures such as data encryption are not enough: app developers also need to know whether they are running on a compromised device. Whether they do it through SafetyNet or via a third-party security solution, determining whether the device operating system has been rooted is critical to understanding the risks to the application and its data.
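As an added illustration of the local checks an app can run (example code written for this post, not Irdeto’s product or Google’s API), the Kotlin helper below collects the classic root indicators: test-key build tags, a `su` binary in well-known paths, an installed root manager, and a read-write system partition. The `RootDetector` name and the indicator strings are hypothetical; the paths and package IDs are publicly known.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import java.io.File

// Hypothetical helper written for this post; not Irdeto's or Google's code.
object RootDetector {
    // Locations where root tools commonly install a su binary.
    private val SU_PATHS = listOf(
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
        "/data/local/xbin/su", "/data/local/bin/su", "/data/local/su"
    )
    // Publicly known package IDs of root managers (Magisk, SuperSU). On
    // Android 11+ they must also be declared in the manifest <queries>
    // element, or package visibility filtering hides them from this check.
    private val ROOT_MANAGERS = listOf("com.topjohnwu.magisk", "eu.chainfire.supersu")

    // Firmware signed with the AOSP test keys is not a production build.
    fun hasTestKeys(): Boolean = Build.TAGS?.contains("test-keys") == true

    fun hasSuBinary(): Boolean = SU_PATHS.any { File(it).exists() }

    fun hasRootManager(pm: PackageManager): Boolean =
        ROOT_MANAGERS.any { runCatching { pm.getPackageInfo(it, 0) }.isSuccess }

    // /proc/mounts lines read "device mountpoint fstype options ...". A
    // read-write system partition (at /system, or at / on system-as-root
    // devices) means the firmware itself can be modified.
    fun systemMountedRw(): Boolean = runCatching {
        File("/proc/mounts").readLines().any { line ->
            val f = line.split(" ")
            f.size > 3 && (f[1] == "/system" || f[1] == "/") && "rw" in f[3].split(",")
        }
    }.getOrDefault(false)

    // Every check is a heuristic, so return all hits and let the caller
    // weigh them; a systemless root such as Magisk can evade all of them,
    // which is why the result should be corroborated by SafetyNet.
    fun indicators(context: Context): List<String> = buildList {
        if (hasTestKeys()) add("build tags contain test-keys")
        if (hasSuBinary()) add("su binary present")
        if (hasRootManager(context.packageManager)) add("root manager installed")
        if (systemMountedRw()) add("system partition mounted read-write")
    }

    fun isLikelyRooted(context: Context): Boolean = indicators(context).isNotEmpty()
}
```

Treat a non-empty indicator list as a risk signal to log and report server-side rather than as proof, since each check can be hidden from by a systemless root.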

Click here to get in touch with Irdeto’s Trusted Software team to learn more!