Root and Jailbreak - To Ban or Not to Ban?

Rooting Android phones and jailbreaking Apple phones are generally considered to be bad things to do and strong indicators of evil intent. In this article we will explore this position a little deeper and dig into the topic. We’ll discover that the truth is much more nuanced than that and one size does indeed not fit all. Finally we will propose the methodology you should consider when setting your security policies.

What are Root & Jailbreak?

The first thing we should appreciate is that root on Android and jailbreak on iOS are not equivalent. They may have similar purposes as we will see in the next section, but they have distinct characteristics.

Rooting is the process of enabling Android device users to gain privileged control or root access over various Android subsystems. As Android is derived from Linux, rooting can be considered similar to administrative or superuser permissions on Linux. Essentially, rooting allows the user to alter or replace systems applications or settings, run specialized applications that require administrative permissions, or perform other actions normally inaccessible to regular users. For example, a user may choose to completely replace their device’s operating system after rooting.

Jailbreak is a technique for circumventing prohibitions on users which are enforced by Apple and generally involves exploiting a vulnerability in the system. Jailbreak is similar to rooting in that it involves privilege escalation, but jailbreak also enables the installation of apps from 3rd party stores (sideloading) which in Android does not require root access. 

Another way to think about the two activities is that root is not something that Google objects to; but jailbreak is definitely something that Apple wants to outlaw. As summarized by John Wu, developer of the well respected Android rooting tool, Magisk:

Why Do People Root/Jailbreak their Phones?

One of the most frustrating and problematic aspects of the root/jailbreak detection discussion is that there are both good and bad reasons for doing it, ensuring that distinguishing between those actions will be challenging. Worse, even if the primary reason for rooting/jailbreaking is essentially ‘good’, the very act itself may open up security holes which can be exploited by other software. Oh and it might void your device warranty and could even brick your phone if it doesn’t go well. 

Anyway, there are actually quite a few reasons why non-black hats root their phone, for example:

• Custom ROMs to replace/update the OS, delivering system improvements quicker.
• Closer management of battery consumption.
• More effective backups.
• Removing unwanted bloatware apps.
• Deep automation to control features normally requiring manual intervention, eg GPS toggling, or turning the display on/off.
• Extreme customization to radically change the UI into something much cooler, eg installing custom fonts or a new boot logo.

When it comes to jailbreak, the list of ‘good reasons’ is a bit smaller, namely:

• Ability to install and use unauthorized apps, since some people think that Apple’s App Store policies are too draconian.
• Removing unwanted bloatware apps.
• Extreme customization to radically change the UI into something much cooler, eg installing custom fonts or a new boot logo.

So it should be clear by now that weeding out the good guys from the bad guys in this context is going to be non-trivial.

How Do People Root/Jailbreak their Phones?

Before getting into the detail of how root/jailbreak is done, one important thing to note is that it is non-trivial and not for the technically faint-hearted. It can be complex and twists and turns should be expected on different devices. Anyone who tells you it’s easy may have been lucky or may have a full time hobby that you didn’t know about.

The rooting process is well explained here but in summary contains the following steps:

• Backup your device.
• Install the Android SDK Platform Tools.
• Install appropriate device drivers.
• Unlock the bootloader.

As referenced in the article above, there are a number of rooting apps that make the process much simpler, but be careful to make sure that the rooting app is suitable for your particular device and OS version.

On Apple, as often seems to be the case, things are very straightforward. The Cydia app store is the place to go, where you can find a jailbreak app and all the associated tools and instructions you need.

Another thing to consider here is that unrooting an Android phone is a much simpler proposition than reversing a jailbroken Apple phone. 

How Can I Tell if Root/Jailbreak is Benign or Malicious?

This is a difficult one, for the simple reason that root/jailbreak on its own doesn’t tell you anything about the intentions of the user. If you are an enterprise with a significant mobile business, you will need to decide what your security policy should be towards rooted and jailbroken phones. Do you allow them and monitor their activities to see if anything suspicious is going on, or do you implement a blanket ban on them?

This will vary considerably depending on the vertical sector you are operating in. Regulated industries such as financial services and healthcare are more likely to look unfavourably upon root/jailbreak than retail for example. 

Monitoring all traffic and checking for potentially suspicious activities is a significant activity and also opens the possibility of false positives where genuine users get blocked in error. A more pragmatic approach is to use a multi-factor gate to decide whether a device and its runtime environment may be being used for non-legitimate purposes. For example, if a device is rooted/jailbroken but additionally is running on an emulator, or is connected to a debugger, or is running a hooking framework like Xposed or Frida, then that would probably be a better candidate for blocking than some traffic that looks ‘unusual’.

How Do I Detect Root and Jailbreak?

The straightforward answer to this is that there are ways to detect some rooted and jailbroken phones some of the time, but that the list is a moving target. The detection mechanisms employed rely on checking for the presence or absence of certain files in certain places amongst other things; essentially looking for micro-traces left by the root/jailbreak procedures. As you will appreciate, this is just another cat and mouse game between the good guys and the bad guys and it probably always will be.

To compound this situation even further in the Android world, there are a number of root detection bypass solutions available and their objective is to hide the fact that the phone is rooted from the mechanisms employed to detect it. Some of these bypass systems are extremely effective as you see from this article. This takes the arms race to another level unfortunately.

That all being said, security vendors such as us do work hard to keep our detection mechanisms up to date and current as the shifting sands of the bad guys’ techniques move around. The bottom line is that there will always be root and jailbreaks which are not detectable for a while, there will always be bypass tools and there will always be genuine users who root/jailbreak their devices for genuinely benign reasons. Therefore, there is no single source of truth here and multiple factors must be considered to identify fraudulent activities; and the factors you use to define your security policies must be flexible because they may need to change at short notice as new threats emerge.

How Does Approov Help?

Approov is a security solution to ensure APIs which service mobile apps can only be used by genuine instances of the apps associated with the APIs. To achieve this we use a patented method to check that the ‘DNA’ of the mobile app is present and unmodified. However, we also make a series of checks of the runtime environment in which the mobile app is running in order to identify situations where a genuine mobile app is running in an unsafe environment. This is important because it is a likely sign of nefarious activities.

But wait, what constitutes an unsafe environment? The answer is that you, as the enterprise customer, decides. You may feel somewhat daunted about that but there is no need to be concerned about it because we have provided rich granularity across all the different characteristics of an unsafe environment so that you can create a security policy based on one of the many standard rejection policies which we provide. These are being updated regularly and we believe they represent a good spectrum of choices. 

The Approov service also allows you to update your security policies instantaneously and as frequently as possible using our over-the-air capability which can update apps automatically in the field without disturbing app users. This is a key requirement because of the rapidly changing threat landscape and also because you may wish to change your security policies based on the demographics of your user base. The Approov metrics give you lots of information about the characteristics of the app versions being used by your customers and the environment in which they are running. An overview of what you can do with the Approov analytics can be found here and the full details of how to drive it are here.

Note that the Approov over-the-air capability also enables us to instantly extend our detections whenever new threats or techniques or tools emerge. Being able to react quickly in this way, without requiring an app release, is very helpful in the ongoing battle.

Summary

Root and jailbreak shouldn’t be put in the same bucket, and neither should they be considered universally bad. In years to come, root and jailbreak may become even more prevalent so make sure that your enterprise platform security policies  have flexibility built into them in order to future proof appropriate protections for mobile apps and APIs.

The rate of change and diversity of the threat landscape is likely to continue to accelerate and therefore security solutions which rely on app updates to repel new threats should be avoided. Nimbler solutions which are adaptable to the nuances of genuine customer usage and the subtleties of evolving hacking techniques should be preferred.