All Your Root Checks Are Belong to Us: the Sad State Of
Total Page:16
File Type:pdf, Size:1020Kb
All your Root Checks are Belong to Us: The sad state of Root detection Nathan Evans Azzedine Benameur Yun Shen Symantec Research Labs Symantec Research Labs Symantec Research Labs Herndon, VA Herndon, VA Dublin USA USA Ireland [email protected] [email protected] [email protected] ABSTRACT Categories and Subject Descriptors Today, mobile devices are ubiquitous; a facet of everyday life D.4.6 [Security and Protection ]: [Android Security, Root for most people. Due to increasing computational power, Detection, Library Interposition] these devices are used to perform a large number of tasks, from personal email to corporate expense account manage- ment. It is a hassle for users to be required to maintain 1. INTRODUCTION multiple mobile devices to separate personal and corporate The wide proliferation of smartphones in recent years has activities, but in the past this was a commonplace require- led to a boom in Android (Linux based) mobile devices. An- ment. Today, the Bring Your Own Device (BYOD) rev- droid is so popular that, as of the end 2014 it was installed olution has promised to consolidate personal and business on over 70% [2] of smartphones and tablets sold globally. applications onto one device for added convenience and to Following the same trend, personal devices penetrated en- reduce costs. As business applications move to personal de- terprises; putting corporate crown jewels alongside personal vices, a clear problem has arisen: how to keep business data applications, data and threats. This led to the wide spread secure and personal data private when they reside on the adoption of Mobile Device Management (MDM) and Bring same device. Many solutions exist, both for increasing the Your Own Device (BYOD) in corporate security solutions security of mobile devices as well as BYOD and Mobile De- to protect their assets against malicious applications and vice Management (MDM) software to allow access to busi- malicious or unsuspecting users. ness applications and data while keeping it secure. Android is successful, in part, due to its open nature that One chink in the armor for both security and business ap- avail users, enterprises, governments and telecommunica- plications is \rooted" devices. These devices have been un- tions providers of numerous customization options. How- locked, providing low level system access to users and ap- ever, Android's openness (and Linux ancestry) has also given plications. With root access, users may be able to bypass rise to applications that leverage \root" access to modify the BYOD mechanisms in place to protect data, and malware most intricate parts of the operating system. Such low-level may be able to access both private personal and business and overprivileged access is often seen as a security risk [6, data on devices. As such, security applications and busi- 8] as it provides complete access to the system that can ness applications often attempt to identify rooted devices be leveraged by malware targeting Android devices. For and report them as compromised. In this paper, we ana- this reason, mobile software security vendors often include lyze the most popular Android security focused applications checks for rooted devices, either to warn the user, provide along with market leading BYOD solutions to discover how added functionality or simply record and report it. \rooted" devices are identified. We dissect the aforemen- tioned applications with commonly available open source Even without considering the possibility of enabling mal- Android reverse engineering frameworks to demonstrate the ware running on a rooted device to do more harm, it is relative ease of circumventing these root checks. Finally we difficult if not impossible for enterprises to guarantee that present AndroPoser, a simple tool that can subdue all the their corporate policies can be enforced for rooted BYOD root checks we discovered, allowing \rooted" devices to ap- devices. Typically corporate policy prohibits the use of cer- pear \non-rooted". tain dangerous apps, requires the use of some security and policy enforcing apps, and may include device tracking and remote shutdown/wipe capability. However, rooted devices Permission to make digital or hard copies of all or part of this work for threaten these policies because users or malicious apps that personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear gain access can manipulate the underlying operating sys- this notice and the full citation on the first page. Copyrights for components tem. Also, apps used for business purposes often encrypt of this work owned by others than ACM must be honored. Abstracting with their data at rest, but a user or application that can ob- credit is permitted. To copy otherwise, or republish, to post on servers or to serve the memory and library usage of these apps are able redistribute to lists, requires prior specific permission and/or a fee. Request to access this data when unencrypted in memory. permissions from [email protected]. MobiWac'15, November 02-06, 2015, Cancun, Mexico ACM 978-1-4503-3758-8/15/11 ...$15.00 Approaches currently exist to turn Android into a trusted DOI: http://dx.doi.org/10.1145/2810362.2810364 platform [3], which allow sensitive functions such as encrypt- 81 ing and decrypting data, storing encryption keys, etc. in a alyzing the behavioral differences between the original app trusted computing base, but these are not widely deployed. and repackaged versions. Interestingly, Yeongung Park et al. Currently the barriers to entry are that a trusted platform proposed RGBDroid [10] to protect the system by effectively complicates development, requires partnerships with chip- responding after an attacker has already attained root-level makers, and the functionality of a trusted base is rather access. limited. Therefore, both security focused applications and BYOD solutions alike embed checks for the sole purpose of Root evasion Applications have emerged to evade root de- detecting if a device is \rooted". Like many security mea- tection; [1] allows users to hide the presence of the su binary sures root detection and avoidance has quickly become a cat- by renaming or removing it. Others such as [4] use Java re- and-mouse game where applications have emerged to hide flection to intercept standard API calls and change their traces of \rooting" [4, 1], and application developers have de- behavior. The main limitation is that if the check happens veloped more and more checks. While it is well known in the to be done using native code it cannot be bypassed. community that checks for \rooted" devices are in place, as well as countermeasures (and counter-counter measures), no Misc. Ongtang et al. proposed Secure Application INTer- systematic analysis of these methods and their usage across action (Saint) [9] to govern install-time permission assign- security and BYOD/MDM applications exists as far as we ment and their run-time use according to security policies know. To fill that gap, in this paper we provide an analy- defined by the app authors. Rastogi [11] evaluated the state- sis of the state of the art in root detection across security of-the-art commercial mobile anti-malware products for An- and BYOD/MDM applications based solely on static analy- droid to test how resistant they are against various common sis of application packages freely available for Android. Our obfuscation techniques which are usually leveraged by mal- analysis reveals that, unfortunately, root detection remains ware to hide root exploit code. a tricky task, with no method being able to detect rooted devices in the presence of a determined user. In addition, we In our study of the state of the art we were unable to find provide details on how devices are rooted in the first place, a paper that focuses on the mechanisms employed by appli- and how privilege escalation to root works on Android. We cations to detect the presence of \rooted" phones. Thus we also discuss which root detection methods are more difficult believe this to be the first paper to investigate these methods to evade than others, as well as which ones are better at and uncover their simplicity. avoiding detection by simple static analysis. 3. ROOT CHECKS The remainder of the paper is organized as follows. Section 2 presents related work. Section 3 describes how root access 3.1 How does Root work works on mobile devices along with a detailed analysis of the There are two common ways that root access is attained mechanisms used to detect such access amongst popular se- on Android: either a custom Android image (aka ROM) is curity focused applications and BYOD/MDM applications. installed that provides privilege escalation or an application Section 4 presents AndroPoser; a simple tool that despite exploits a flaw in the operating system to add a privilege its simplicity can circumvent all of the checks we encoun- escalation binary to the system partition. tered, causing apps to behave as if installed on a device that is non-rooted while it in fact is \rooted". Finally Section 5 Unlike standard Linux systems the invocation of \su" is com- summarizes our work and concludes the paper. monly not enough to elevate privileges to root. Following the conventions of the Android ecosystem root privilege is 2. RELATED WORK managed through intents. With these intents, an applica- tion must ask for permission to escalate privileges and this MDM In [13] the authors present an enhanced root man- request must be granted by a supervisor process. Figure 1 agement system for protecting rooted Android phones by depicts the life-cycle of an application requesting root priv- providing a fine-grained policy and more contextual informa- ileges. First the application invokes the su binary, which tion about applications that are requesting root privileges.