Industrial Process


5.1 What is Rooting?

5.2 Potential Issues

5.3 Custom ROMs

5.4 Implications of Rooting

5.5 Rooting for Testing

Mobile Application Security and Penetration Testing v 2.5 - Caendra Inc. © 2017
Fundamentally, rooting is a process by which one obtains
“root” or system level access to an Android device.
This is equivalent to having a root account on a Linux system.
But unlike a typical Linux system, the manufacturers and/or
carriers do not intend for the user to have this level of access
to their device.
Essentially, it’s breaking into your own device, to get more
flexibility in customizing it.

Because many OEMs and/or carriers don’t want users to have
this access, obtaining root access often requires exploiting a
vulnerability on a device.
The vulnerability generally needs to be in a process, which
itself has system level access.
Otherwise, two exploits may be required, one to gain
unprivileged access and a second to elevate that access to
system or “root” level.

These vulnerabilities are often specific to a device, a version or
a particular piece of code, so while there may be a published
means to obtain root on one device, there may not be one for
another, even if they are of the same generation.
Once the exploit is complete, the next step in the process
involves copying the Linux su binary to a location specified in
the user’s PATH environment variable, for example
/system/xbin.

The su or “substitute user” binary allows users to become
other users, including root. Once su is configured with the
proper permissions, another Android app is used to interface
with the su binary and process requests for superuser or
“root” access.
Two of the most commonly used apps are Superuser and
SuperSU, which are available from the Google Play store.
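
As an added example (not part of the course material), the following shell check looks for the artifact described above: an su binary sitting in a PATH directory such as /system/xbin, and whether it carries the setuid bit. The PREFIX argument, the function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the course material): root-indicator check that
# looks for an su binary in every directory of a PATH string.
# PREFIX is a hypothetical parameter so the check can be pointed at a
# constructed directory tree instead of the live filesystem.

# find_su PATH_STRING [PREFIX]
# Prints "<file> <setuid|no-setuid> <executable|not-executable>" per hit.
# Exit status is 0 if at least one su was found, 1 otherwise.
find_su() (
    set -f              # no glob expansion while splitting PATH
    IFS=:
    hits=0
    for dir in $1; do
        [ -n "$dir" ] || continue          # skip empty PATH entries
        file="${2:-}$dir/su"
        [ -f "$file" ] || continue         # -f follows symlinks
        # Assumption: "proper permissions" means the classic setuid-root su.
        if [ -u "$file" ]; then suid=setuid; else suid=no-setuid; fi
        if [ -x "$file" ]; then exe=executable; else exe=not-executable; fi
        printf '%s %s %s\n' "$file" "$suid" "$exe"
        hits=$((hits + 1))
    done
    [ "$hits" -gt 0 ]
)

# Constructed sample: a fake device tree with su dropped into /system/xbin.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/system/bin" "$root/system/xbin" "$root/sbin"
    printf '#!/system/bin/sh\n' > "$root/system/xbin/su"
    chmod 4755 "$root/system/xbin/su"
    printf '%s\n' "$root"
}

# Run the check against the constructed tree, then clean up.
sample=$(make_sample_tree)
find_su "/sbin:/system/bin:/system/xbin" "$sample"
rm -rf "$sample"
```

On a test device, calling `find_su "$PATH"` with no prefix from an adb shell performs the same check against the real filesystem.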

The rooting process is filled with potential danger for even
the most savvy users.
Many times, users are blindly trusting strangers on the
Internet to give them quality, secure and non-malicious
software in order for them to root their devices.

Even if the developers of the rooting software aren’t
deliberately malicious, they make mistakes and could easily
cause a user to turn their device into a paperweight, either
through poor instructions or by badly designed
software/exploits.
If they are malicious, or sloppy about security themselves,
well then it’s game over for the user, because they potentially
just gave a hacker root access to their device.

Some users also choose to replace the OS that comes with
their device with custom firmware.
This is usually done to extend the usefulness of an older
device, bypass software restrictions put in place by the
carriers or OEM, or to gain access to the latest Android code
without waiting on the carriers to release an update.

OmniROM and LineageOS are two of the most popular
families of customized firmware you’re likely to encounter.
In many cases, this requires rooting the device, in order to
modify the bootloader which loads the custom ROM
firmware.

Some manufacturers, however, are open to letting people run
custom firmware. They allow the unlocking of their
bootloaders in a well-documented, safer and easier fashion.
The most notable of these are Google’s Nexus devices.

By allowing easy unlocking, Google avoids the need for
people to use possibly malicious exploits to gain access to the
root functionality.
Additionally, Nexus devices do not come with carrier
bloatware pre-installed, so there is less desire to root the
device.

Once a device has been rooted, the potential exists that any
app on the device could request root access.
If a malicious app obtains this capability, either through a
vulnerability, social engineering or other method, there is
literally no limit to the destruction it can cause to the device’s
software and the user’s data.

Remember, the cornerstone of Android security is the UID
separation between apps. The UID is also what prevents a normal
app from modifying the system configuration.

Unlike normal users, developers and security testers often
need root access to devices in order to see what’s going on
under the hood.
For example, we may need to view what data was written to
a protected file, which wouldn’t normally be allowed, even
using ADB.

In many cases, the use of an emulator will suffice, because
emulators do allow root access.
Even with that, you will occasionally find it either too slow or
inconvenient, or incapable of duplicating the scenario you
need tested.
For these situations, it’s best to have a Nexus device on hand
as a test device. This avoids the need for exploits.

You should now have an understanding of the usefulness and
potential security impacts of rooting a device.
Because each rooting process is different, we aren’t going to
dive into the specifics beyond what has already been covered.
If you want to see a rooting process in action, there are
numerous videos available on the Internet.

Please use caution before installing any software
recommended in this course.
There is always a chance they could compromise the security
of your computer or Android device.

Superuser SuperSU

OmniROM LineageOS
