Tuesday, June 24, 2014

The Samsung Galaxy S5 has been rooted. Now what?

Samsung released the latest edition of their flagship Galaxy smartphone to great fanfare in April. Tinkerers immediately set about looking for ways to gain root privileges (in other words, full control over their device, rather than the limited control that Samsung and the various cellular providers wish you to have). A seasoned developer known as Chainfire quickly found ways to gain root on international versions, and shortly afterward on US versions running on T-Mobile and Sprint networks. Alas Verizon and AT&T models proved more difficult to exploit. So difficult in fact that a crowd-funded bounty reached over $18,000, to be claimed by the first person that published a reliable way to root these models.

In early June a researcher found a flaw in a Linux kernel module. Android is built upon Linux, and made use of this module, thus also contained the flaw. On Father's Day, a developer known as geohot released to the world an app dubbed "Towelroot" that would achieve root on the Samsung Galaxy S5 for Verizon and AT&T. And the world rejoiced.

Others have written about the downside to this particular type of exploit - not so much that geohot's exploit is malicious (it probably is not, given his track record), but rather that the same vulnerability could be exploited by others with less noble intentions. I won't duplicate what has already been said. Instead, I want to discuss the thought that should go into whether or not to root a device in the first place.

The Android security model is such that applications run in a virtual machine, essentially a "computer within a computer." Each application also runs under a unique user ID. This means applications should not have the ability to manipulate the operating system itself, nor to mess with other applications. Individual applications may chose to make their data and functions available to other applications - but that requires an intentional choice by the developer.

Security is always a balancing act between risk and reward (or value, or usability, or productivity, or...). I can unplug a computer, put it in a locked box, wrap chains around the box, encase it in concrete, drop it in the depths of the Pacific Ocean, and have darn good security. It won't do me much good, but it's secure. Conversely, I can plug that computer into the Internet, turn off the firewalls, fire up some web hosting and remote access services, remove the passwords, and make it available to anyone and everyone that wishes to use it. Very usable, but not at all secure. The right balance depends on my purpose for the computer - if I run a bank or work for the NSA, perhaps I want very tight controls at the expense of usability; if I run a training lab to teach hacking skills, perhaps I want a pretty open system at the expense of security.

The point is that the "right" degree of security depends on a lot of factors, and the developer's idea of "right" might not match my idea of "right." So it is with Android devices - manufacturers and cellular carriers have a different idea of "right security" than some users. Some users want to run bleeding edge Android mods - i.e. install their own operating system and completely forgo any support from the manufacturer. Others just want a phone, and don't care to do any customizing. In the middle are folks like me that want to tweak a few things but more or less use what the vendor provided.

Rooting gives one the ability to tweak things, without necessarily making the device less secure. That is because a rooted Android device simply makes a superuser privilege available. This is quite different from Apple's design, in which jailbreaking actually causes the user to run as the superuser. Rooted Android devices still run as normal users, but apps can request superuser rights either one time or permanently. Of course, a malicious app could request superuser rights, just as a malicious Windows app may request administrator rights. With a rooted device, it behooves the owner to think before allowing superuser rights to some random program. Why would an app want SU rights? Here are a few possibilities:

  • File Explorer and Task Manager apps on a stock device can access files created by the user, view running apps and available memory, and perhaps uninstall user-installed apps. With root, the same can access files anywhere on the system, disable or remove unwanted stock apps, and view or kill processes that run in the background using up memory and CPU. Even though most android devices support external storage (micro SD cards and such), there is still a finite and unchangeable amount of internal storage, and most apps require at least some space on internal storage.
  • The Galaxy s5 has an annoying habit of resetting audio volume to a preset mid-level each time you connect anything to the headset jack. This makes a little sense if you are connecting headphones - no sense blowing out your ears with an unexpectedly loud start. Some of us use our phones as a music source in the car, in the living room, or elsewhere that we connect to an amplifier, and from there control the volume. In this case, setting the device to maximum puts its output near traditional line level suitable for controlling from the amplifier. It is quite annoying to have to reset the volume every time I plug into my car. With a rooted device, there are several third-party apps that will disable the loud volume warning (and eliminate the automatically-reduced volume level).
  • Certain mobile carriers charge a "tethering" fee for the ability to use a phone as a mobile hotspot. With legacy unlimited-data plans that was at least justifiable - there is only so much data one will consume from a phone, whereas using the phone as a wifi hotspot for other devices (multiple tablets, laptops, etc) likely means using far more data. However this entitlement check is also in place for some limited data plans - meaning you are paying for a specific amount of data, then paying again for the means to use that data (in the case of Verizon, this is in fact contrary to an FCC ruling in 2012). With a rooted phone, there are ways to bypass this entitlement check. Note that while I do not advocate this as a means to bypass paying for tethering on an unlimited plan, as with many tools it can be used both for legitimate purposes and for illegitimate gain. Just be aware that under Verizon terms of service, the latter puts you at risk of losing the no-longer-available unlimited plan.
One side note: while a few manufacturers will sell a pre-rooted "developer edition" of their product, rooting a device generally involves finding and exploiting a security flaw in the device design. If you can use that flaw to root the device, so could someone else with malicious intent. The act of rooting a phone does not by itself create new security risks, but it does create the ability for you to grant superuser rights to a malicious app, and it shows that there is a way for someone else to compromise your device. As always, don't click unexpected links, don't install apps from "unofficial" app stores, and physical control of your device is paramount.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen