Sunday, July 2, 2017

ComTech - Preventing applications running on rooted mobile devices

(Note that the use of the word "rooted" below includes both jailbreaking on iOS and rooting on Android unless otherwise stated)

The Mobile Security Model and Sensitive Data

The iOS and Android security models rely heavily on the fact that one application cannot access another application’s data. If an application which we are testing only stores sensitive data in its own data store then we will generally assign a lower likelihood level compared to if it stores data in a shared location to which multiple applications have access, for example the Android SD card storage.

If a user has rooted their mobile device, any application can request root access which will then provide it access to any other application’s stored data. This therefore breaks this important element of the device security model. In general, it will also provide a malicious application with much wider access to the device and could potentially be used, for example, to intercept traffic.

To block or not to block?

We therefore generally recommend that clients prevent sensitive applications from running on rooted devices. The impact of such a finding generally depends on the sensitivity of data stored locally by the application. For example, we tested a payments application that stored long lived session data on the device. In this case, the potential impact of allowing the application to be used on rooted devices was quite high.

For another example, we tested an OTP application where we observed through testing that we were unable to reproduce the one-time codes on another device even if we had access to the stored variables. As such, we assigned a relatively low impact to this finding for this application.

On the other hand, even on a non-rooted device, a sophisticated malicious application may be able to exploit private/public vulnerabilities to gain root level access and therefore achieve the same result. This is the reason that we include findings on all sensitive data stored unprotected on the device, even if it is only in the application’s own storage area.

A detection arms race.

Whilst it will be relatively straightforward to perform root detection on iOS, it is a lot harder on Android as different “rooting” methods create different file structures.

A bigger problem which clients have described to us is that certain Android devices exhibit signs of being rooted even when they are not, generally the cheaper devices from Asia. This results in regular users who have not rooted their device being unable to use the application on their device and complaining to the application developer.

The other side of that problem is that there are tools on both iOS and Android which can be used to "hide" the fact that the device is rooted so that even if an application tries to detect the root, it will be unable do so.

So what to do?

In our opinion, this comes down to a case of a company's Information Security team deciding which of the following options is most appropriate based on the assessed sensitivity of the application and the issues explained above:

  1. Attempt full root detection across iOS and Android and prevent use from devices where it is detected despite the risk of preventing legitimate users from using the application.
  2. Perform full iOS root detection and prevent use from devices where it is detected but just provide a warning/disclaimer on Android devices to avoid the false positive risk.
  3. Just provide a warning/disclaimer on all devices.

Josh Grossman
Senior Information Security Consultant and Team Leader