23
Apr
26-Android-security_thumb

While not everyone who owns an Android device roots, the Android modding community is at the very heart of everything we love about our little green buddy. Security researcher Dan Rosenberg recently gave a presentation where he elaborates on root and modding methods, as well as expounding on the security implications of modding Android phones.

Rosenberg also had quite a lot to say about how carriers influence the Android landscape. Said Rosenberg:

"Of the 10 vulnerabilities that I discovered and used for rooting on Android, 9 of them are related to "stupid" file permissioning not present in the stock Android code, but introduced by the manufacturers"

This won't come as any surprise to anyone who's not fond of carrier skins. It does raise many interesting questions, though. If most root exploits come from carrier skins, and one of the biggest reasons to root is to install custom ROMs, which are frequently based on stock, is it even worth it to carriers to try to prevent users from switching ROMs? We're told that carriers prevent rooting via methods like locked bootloaders to make phones more secure, yet a large number of root vulnerabilities are being found in carrier code.

He went on to explain that relatively harmless root vulnerabilities are patched much more quickly than real security bugs. This only furthers the idea that custom skins are hurting consumers at least as much as helping them, if not more. One can hope that carriers might consider a less invasive approach to adding their own branding and value to handsets, similar to how Google uncoupled many of their stock apps from the OS so they can be updated independently.

Hey, a guy can dream, can't he?

Source: SecureList (Slides)

Eric Ravenscraft
Eric is a snarky technophile with a taste for the unusual. When he's not obsessing about Android, you can usually find him obsessing about movies, psychology, or the perfect energy drink. Eric weaves his own special blend of snark, satire, and comedy into all his articles.

  • http://www.androidpolice.com/ Artem Russakovskii

    I bookmarked the presentation immediately after reading through it before handing off to Eric, as it contained the best explanation of the state of the rooting scene, the Android modding community, and details about things like locked bootloaders, RUU, S-OFF, S-ON, mbm, HBOOT, fastboot, nvflash, RSD, SBF, Odin, KDZ, PDL, SBK, adb, build and local props, and much more.

    FYI, Dan rooted many devices and is one of the brightest minds of the rooting/security community.

    • shabbypenguin

      i happened to think it was a good read as well ;)

  • delta echoe

    I would have liked to have been there for the presentation, Dan Rosenberg is definitely a skilled security researcher and with that being my main career focus (still in college), it would have been a nice learning experience...oh well

  • http://www.facebook.com/brianhislop Brian Hislop

    That was a very interesting read. Thanks for posting it guys :)

  • falconator

    Very good presentation! 

    If carriers are so "worried" about rooting and would like users to "stop", then I would suggest they actually allow users to remove garbage bloatware. I don't care about a NFS demo, Lets Golf 5k demos, Blockbuster crap, NFL garbage, etc. Allow us to remove garbage and I'm sure the amount of users who root would get cut down. 

    I'm satisfied with the stock unrooted rom. I just want that trash off my phone.

  • Picaim Inc.

    NEW SOCIAL NETWORK FOR ANDROID - Picaim

    Picaim is a project that aims to become a social network to see and share things that are happening in your city and in the world.
    The service is based on sharing geo-located photos of things that are happening in your city.

    The great idea is that photos can not be sent by the computer, just for mobile devices, and only at the moment they were captured. This measure helps prevent false information inserted in the social network.

    This means, you see what is happening, what the person who took the photo has to say, and where that is happening at the moment what is happening.
    You can see content classified by what is happening in your city.

    Also you can post anonymously, if you wish to protect their identity to share with the world.

    Anyone can see what is happening in your city on our web site, without registration or application for mobile.

    The project was launched this week, still has very few users, and we are asking for help to all who possess an android phone, just download the application, test and share with friends in your city.

    To check out the project, visit:
    http://www.picaim.com

    The application for Android already available in the market!

    Help us to share with the twitter hashtag: #PicaimForAndroid

    OBS.: If you can not take the picture because of the gps location, try again in an open environment.

  • http://www.cubesthecomic.com/ Akshay

    A very informational presentation. Thank you :) I've embedded it on my blog (www.cubesthecomic.com)