All Your Root Checks Belong to Us: The Sad State of Root Detection

Presented at Black Hat Europe 2015, Unknown date/time (Unknown duration)

Today, mobile devices are ubiquitous; a facet of everyday life for most people. Due to increasing computational power, these devices are used to perform a large number of tasks, from personal email to corporate expense account management. It is a hassle for users to be required to maintain multiple mobile devices to separate personal and corporate activities, but in the past this was a commonplace requirement.The Bring Your Own Device (BYOD) revolution has promised to consolidate personal and business applications onto one device for added convenience and to reduce costs. As business applications move to personal devices, a clear problem has arisen: how to keep business data secure and personal data private when they reside on the same device. Many solutions exist, both for increasing the security of mobile devices as well as BYOD and Mobile Device Management (MDM) software, to allow access to business applications and data while keeping it secure.One chink in the armor for both security and business applications is "rooted" devices. These devices have been unlocked, providing low-level system access to users and applications. With root access, users may be able to bypass BYOD mechanisms in place to protect data, and malware may be able to access both private personal and business data on devices. As such, security applications and business applications often attempt to identify rooted devices and report them as compromised.In this talk, we analyze the most popular Android security focused applications along with market leading BYOD solutions to discover how "rooted" devices are identified. We dissect the aforementioned applications with commonly available open source Android reverse engineering frameworks to demonstrate the relative ease of circumventing these root checks. Finally, we present AndroPoser, a simple tool that can subdue all the root checks we discovered, allowing "rooted" devices to appear "non-rooted."


  • Yun Shen - Symantec Research Lab
    Dr. Yun Shen is a researcher at Symantec Research Labs. Dr. Shen received his PhD in Computer Science from University of Hull, UK in 2005, where his research focused on indexing and retrieval of distributed XML data. He received his bachelors degree in Computer Science from Sichuan University, China in 2000.Dr. Shen is currently involved in the BIGFOOT project, funded by the European Community's Seventh Framework Programme (FP7). Before joining Symantec, he was a researcher in the HP Labs Bristol, working on privacy enhancing technologies and Cloud Computing infrastructure. Prior to this, he conducted research on intelligence analysis supported by government funding in the University of Bristol. He has published papers in international journals and conferences.
  • Nathan Evans - Symantec Research Lab
    Nathan Evans joined the SRL CARD research group based in Herndon, Virginia in September of 2011. He received his doctoral degree from the Technical University of Munich in 2011, a Master of Science degree in Computer Science from the University of Denver, a Bachelor of Science degree in Computer Science from Baldwin-Wallace College and a Bachelor of Arts degree in Criminal Justice also from Baldwin-Wallace College.Dr. Evans' research interests cover a wide range of topics including peer-to-peer networking, low-level systems software, parallel/distributed systems design and testing, and security. His most recent work focuses on areas of network security and systems design, including research on network topology discovery in modern enterprise networks, and I/O redirection for software security and performance testing.Prior to joining Symantec, Dr. Evans was a member of the Free Secure Network Systems Group, as a primary developer of GNUnet (GNU's Framework for Secure Peer-to-Peer Networking), where he focused on the creation of a secure and reliable DHT algorithm for open P2P overlay networks. He was also a co-creator of the DUP System, a language system designed for parallel and distributed stream programming utilizing pipes and TCP/IP streams.
  • Azzedine Benameur - Symantec Research Lab
    Dr. Azzedine Benameur is a researcher at Symantec Research Labs working on government-funded projects. Dr. Benameur received his PhD in Computer Science from Lyon University, where his research focused on Service Oriented Architecture security. He received his masters degree from INSA Lyon (National Institute for Applied Sciences, Lyon). Dr. Benameur is currently conducting research on securing executables of uncertain provenance, on I/O redirection, and on diversification techniques. Before joining Symantec, Dr. Benameur was a researcher in the Cloud and Security Lab of HP Labs Bristol, UK. At HP, he worked on privacy as part of the European Union's EnCoRe project, investigating fine-grained consent and revocation in user-centric applications. Prior to this, he worked on SERENITY, another European Union security research project, at the Security & Trust Lab of SAP Research. Dr. Benameur has published papers and has patents in the area of web service security.


Similar Presentations: