
To root or not to root? What are the pros and cons of rooting?

To root or not to root?

  • Root

    Votes: 3 60.0%
  • Do not root

    Votes: 2 40.0%

  • Total voters
    5
Thank you. Unfortunately, I have limited experience with Linux system scripts, and none with firewall scripts in particular. I'll do some reading on this subject, but in the meantime I think I'd better stick with an app written by somebody more experienced than I am. :)
I've installed AFWall+ and set it up. It seems to work fine, meaning that whitelisted apps work normally, while the others raise an error when trying to access the network. The only thing I'm not so sure about are system services. Some of them must be whitelisted in order for some apps to work, but what if a malicious app directs its network requests via a system service? For instance, I must allow the Download Manager access to the network, so that legitimate apps (like the Google Play Store) can download files. But what if a malicious app tries to covertly download something, but directs the request via the Download Manager instead of opening a connection itself? This way, even if the app itself is not whitelisted, the download might still succeed. Or maybe not? :oops:
OK, this may not be the best example, it's just something I'm making up, but you get the point. :)
 
I could get into hypotheticals about how the Download Manager has to alert you or assurances that system services are statistically safe but I'd rather not.

Your insightful question deserves a much better answer.

When I think about the highest levels of security, I think about nations and war. And I know from working with them that military strategic planners have one thing that keeps them up nights - the plan is perfect but it's based on what we learned from the last war.

And so it is with computer security - we plug the holes that we know about because they've been used against us before.

Rather than look at the specifics of your example, I think it's just that - an example - trying to illustrate the bigger question, and that is - how do we know when we're done?

And the cold, hard truth proven with every shocking new threat that rolls in from beyond left field is crystal clear - we don't know and we'll never know when we're done.

And it's also the subtle truth to what I've been hammering about - working in layers.

That phrase sounds like a platitude or a combination of buzz words.

To a small extent - it is.

But it survives because experience shows that the approach has a way of changing the security game in ways we didn't plan - and that's the part that isn't just a phrase.

I honestly expected my Stagefright simulation to hit SuperSU based on analysis - but it was trapped by a different layer first, and the actual delivery might have been trapped by other layers before that.

Do I have a phone hardened against security threats?

Please trust me when I say, you bet, probably beyond your imagination.

So is it hardened to all possible threats?

Nope.

Because I built my security based on what I've learned from the last war.

There is such a thing as hardened Android - a version of the OS that is so locked down and filtered by security monitoring using encryption and message passing through security services that they've been willing to guarantee your security.

The owner of this site and I are at bitter odds over their validity. He openly supports his writers calling anyone believing that they need it tinfoil hat wearing idiots - while I call it a good start.

And yet, when their system was cracked, they ran the story quietly and didn't say Jack Robinson about it - because it's a sobering thought when security you can't imagine anyone needing gets cracked.

Do I allow system services through my firewall?

Yes. Yes I do.

But not because I have illusions over the mighty firewall.

It's because I believe that by the time that's been compromised, I've already lost through my other layers whether on my phone, at home, or at work.

But I can't prove I'm right - I can only try to make my plan against the last war sound really good.

If I'm wrong and you get hit, you'll have me for good company - all I can say is that they say I'm a lot of fun at parties.

The FBI central computer system has been hacked.

Based on that alone, only an idiot can promise that it cannot be done to a phone.

But with a healthy approach to layers and a diligence with your tools, you can do better than any other approach.

Probably not what you wanted for a discussion but I plead The Rolling Stones defense of my answer - you can't always get what you want, but if you try, sometimes, you get what you need.

That's my best shot, sorry if it's not enough. :(

In any case, please don't be offended when I say, don't stop asking questions like that - because that kind of thinking and questioning is exactly what is called for.
 
And after that big assed rant, here's a sample layer to consider against your specific examples -

Don't know if you can trust system services?

Firewall it, run your phone and see what doesn't work.

Among those things, decide what you're ok with - and open up system services on the firewall only when you mean to do those things on purpose.

Don't know if you can trust your Download Manager?

Block it at the firewall, unblock it only when you know that you really want to download something.

The dynamical nature of your decisions, actions, and reasoning makes your tools more than just things - they become dynamic and situational.

Those are examples of taking you out of the victim category, putting you into the dynamical control system - and are very subtle ways of showing that working and protecting yourself in layers is much more than a bunch of words.

Hope this helps! :)
 
It's a horse, water, drink situation.

It's an information problem.

It's an Internet issue.

In the years before Google+ and lower occurrence of independent blogs, people relied on forums for rooting information.

People were afraid of bricks and the threat level was low.

Back then a common first post was, "I'm new here, I need help understanding what a nandroid backup is, I want to try rooting." Further discussion revealed lurking occurred before selecting one or more forums.

Today, forum traffic is down everywhere and the common first post is either, "I bricked my unnamed phone and I don't see why I should include more information, plz help fix it right away, it's urgent," or, "I accidentally erased all of my partitions and I don't have a nandroid backup, what's my next move?"

We had an epidemic of that earlier this year when our own sister news site ran a low rate story of how easy it was to go clickity clack, get rooted, and rush over to XDA to find out how to fix your phone by installing a new rom (with a don't forget, CM is teh bestest).

I complained to deaf ears. They've run that story often before and they're going to again for the same reason that all of the blogs, big and small, do it - clicks and lots of them.

Let's talk about piracy, it's absolutely related.

Once upon a time, someone would ask how to root and get warez - and be flamed by a hundred voices to wake up.

No more. Another popular first post, "I'm having trouble pirating warez, help me right away." And it's rarely reported or posted against outside of staff.

But here's a statistic that is not made up - 5/6 of the known Android infections due to a bad app came from piracy.

And what lesson did Stagefright teach that so far as I know, I'm the only one who mentioned it with no ensuing discussion?

That it may have been possible all along to become completely compromised by movie piracy directly from the movies instead of just from the distributing web sites.

And only one known hole is getting plugged.

We are very close on this issue but we're also far apart.

When you give anti-anti-virus advice or say don't root, you're expressing your holistic approach in parts.

That's why I always enjoy our discussions on this - I want lurkers to see the full picture.

If I'm one in a hundred and people are asking, I don't think that the answer is that rooting makes you less secure as a con, and hope to reduce the number of rooters.

I want to increase the ratio of getting it done right because people are going to do it anyway.

I'd like a lot more people to see what I see all of the time -

You install an app that seems straightforward - and the next thing you know, your firewall is unhappy or worse, Network Connections says that your new flashlight app just had a long conversation with a server in China.

Or you visit a good website, see a thoughtful comment with a link that explains more, you click it and you get - page not available - but it is on your pc.

Safe practices are not enough for most people, and I'm talking about knowledgeable folks who are actually trying to follow safe practices. They're still susceptible to those attacks and have fallen victim often without ever knowing.

For the first six months of advising the use of a proper firewall for Android here and elsewhere, I was generally ridiculed. That changed after one other guy spoke up in favor. Then it started to spread.

In my pro reasons for rooting I try (and probably fail) to be consistent - the advantages are the firewall, ad blocking (because it's not just ads, it can block toxic sites), and better backups.

And if you're not rooting, yes, a security suite to at least try to help with what rooting can help you achieve, and using your not fastest browser in favor of one that will help you ad block. That's a distant second to rooting.

I've been torn since I've known what I showed here about sharing my Stagefright simulation in the Stagefright thread or other security threads.

On the one hand, I want people who root to know that you can protect yourself from the unknown - evidence suggests that if the bad guys had gotten there first, I would have been safe from the threat.

But the danger is that too many people these days would do a TL/DR and say, oh root protects me, where's Google - ah unsafe Chinese clickity clack rooter, no problem... :(

Anyway, thanks for the correction on Kondik's name. The danger of a learning keyboard - misspell it once and it corrects the wrong spelling forever after. You're going to see a moderator edit mark on your post and my previous one to fix only that out of respect for the man.

And if Kondik said that you can take steps to make your system more secure on the key points mentioned without root - have you?

Has Google?

I don't think so.
There are some people who really just want to learn, and doing and asking questions just helps me learn. We all have to start somewhere. Thank you EarlyMon, very interesting read.
I get very discouraged when I go to sites I am in and ask questions and most of the time I get moved and not answered at all. So it is hard to learn from the best when they think your questions are not worth their time or they think you're a new.. So it can be hard for people like me...
 