Android Security Risks

Android is a pretty solid operating system. Like any operating system it has some issues regarding system security. In the area of system security there are some obvious holes we could talk about. Almost all (actually I can’t think of any that have not) phones have been rooted through some security exploit.

For the uninitiated having a rooted phone or obtaining root on your phone is akin to being system administrator on your PC. You can do anything to the Android system, essentially you have God Mode. For obvious reasons no manufactures ship their phones with root enabled. Doing so would put users at extreme risk of doing some kind of irreparable harm to their phone. It also puts the phone at a risk for malicious software to have unimpeded access to the entire device.

So Why Root My Phone?

Honestly, I can’t answer that question for you. Many people are perfectly happy with how their phone is setup as shipped from the manufacturer. For others, tinkers and customizers, rooting can be the beginning of opening up Android’s power as a mobile OS. For those of you who fall into the former group the remainder of this article really doesn’t apply to you. However, if you’ve had the desire to tinker with your phone or customize its look, keep, or operation then please consider the following.

With Great Power Comes Great Responsibility

This fact is often stated in this manner and it has become a cliche, yet in regards to obtaining root on your Android phone it sums up the achieved results succinctly. As I mentioned once your phone is rooted you have unfettered access to the entire operating system. Nothing prevents you from changing system files or running commands that would turn your phone into an expensive piece of plastic and glass.

Now once you achieve root how can you still maintain a level of security? This question can be answered by looking to how Linux handles its privileged access to system level commands. In Linux there is a command called sudo. Interpreted into plain text this essentially means “do as super user”, or execute the following commend with privileged access. Generally all methods of obtaining root, when distributed from developers, contain some method of managing root access. In Android there are two main applications for managing all requests for privileged execution, Superuser and SuperSU.

What Does This Mean?

Here’s an analogy. Once you have root access in Android controlled by an application like Superuser or SuperSU you’re running in a mode that is very similar to how a home user’s PC is setup for Windows 7. When some app wants to do some operation which requires elevated permissions Superuser or SuperSU will intercept the call and present a dialog to the user letting them know what application is requesting elevated permissions. Now neither of these applications have the ability to know what that request is going to do. The onus is on the user to know what each application does when it they wish to use root permissions.

For the most part these are utilities or other applications that have a specific task. This goes very close to with how most Windows 7 home users operate with their PC. When they initiate some operation either via the system or an application which is going to make changes to parts of the system that require privileged access the UAC dialog box shows alerting the user to what application is making the request.

This Get Us To This Point

Practice practical safe computing! You can be like a person in a bubble and operate around the internet. Your browsing experience will be severely hampered. No JavaScript, Flash, Java, etc would make for a very text oriented view of the world wide web. You’d also have to insist upon viewing sites only over HTTPS.

The same goes for running a rooted phone with Android. You could easily not root your phone and have no worries about the day to day operations of your phone being affected in any negative way. However the power of root access is desired and necessary for some users and operations. Being diligent about what applications you use which request root is the best practice. Acquiring these applications from the Play Store or from the developer is the best way to insuring that you’re getting an application which hasn’t been altered to do bad things. It is even better if the developer publishing their app subscribes to the belief of OSS. You then have the ability to scrutinize their code as well as being able to know that the Android community has the same power as well.

Now, if you’ve read this far you’re probably wondering why I’ve gone through giving a rough overview of rooting an Android phone. Well, I have a topic which I want to discuss. I’ll be publishing that article soon. I want to discuss an interesting discovery that I made in the Android world that provides a very cool solution that gives tremendous amount of power to developers yet poses a unique security quandary to users. This article is a primer for the upcoming topic. I’ll try to do a little more research on “down-to-earth” discussion of rooting articles and post some links so that anyone still confused can read my next article without feeling completely lost.

That said, if you have questions or want some clarifications or you think I may have left an important point or subject out please let me know in the comments!

About Mike

I'm a software engineer. Look into the about page for more information about me.
Tagged , , . Bookmark the permalink.

Leave a Reply