Android Rooting: Its Advantages and Disadvantages

Android rooting techniques are used to gain root access on Android devices. In this article, we begin with the basics of rooting and its pros and cons. Then we move on to topics such as the various Android partition layouts, bootloaders, bootloader unlocking techniques, and so on.

This article acts as a guide for those who want to root their devices and who want to know the ins and outs of rooting concepts before they proceed.

The following are some of the major topics that we will discuss in this article:

  • What is rooting?
  • Advantages and disadvantages

What is rooting?

Android is built on top of the Linux kernel. On UNIX-like systems such as Linux, there are two types of user accounts, normal user accounts and root accounts:

  • Normal user accounts have low privileges and need permission from root to perform privileged operations such as installing tools, making changes to the operating system, and so on.
  • Root accounts, on the other hand, have all privileges: applying updates, installing software tools, running any command, and so on.

Essentially, the root account has complete control over the whole system. This privilege separation model is one of the core Linux security features.

As mentioned earlier, Android is an operating system built on top of the Linux kernel, so many features of traditional Linux systems are also present on Android devices. Privilege separation is one of them.

When you buy a brand new Android device, you are technically not its owner: you have limited control over the device and cannot perform the privileged operations that are available to the root account. Gaining full control over the device by obtaining root access is termed rooting.

One simple way to check whether you have root access on the device is to run the su command in an ADB shell:

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\users\mrdev> adb shell
shell@android:/ $ su
/system/bin/sh: su: not found
127|Infinix-X650C:/ $

"su" is Unix's way of executing commands with the privileges of another user.

As we can see in the preceding excerpt, we have no root access to the device.

On a rooted device, the shell runs with UID 0 and its prompt ends in # rather than $, indicating the root account. That looks like this:

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\users\mrdev> adb shell
shell@android:/ $ su
root@android:/ # id
uid=0(root) gid=0(root)
root@android:/ #
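The manual check above (run su, then look at the id output and the prompt) can be scripted. The following script is an added example written for this article, not code from the original post; it turns the same check into shell functions that take the command output as an argument, so they can be exercised on the transcript lines quoted above without a device, and a device_root_check function that runs the real commands over adb. The function names, the list of su locations it searches, and the assumption that the device's su accepts a -c argument are all mine, not from the article.

```shell
#!/bin/sh
# Added example, not from the article: the manual "su / id" root check,
# turned into a script. Parsing helpers take the command output as an
# argument (so the article's transcript lines can be fed in offline);
# device_root_check runs the real commands over adb.
# Assumption: the device's su accepts "-c <command>" (true for the common
# su implementations, but not something the article states).

# is_root_id ID_LINE -> exit 0 when a line of `id` output reports uid 0 (root)
is_root_id() {
    case "$1" in
        uid=0\(*) return 0 ;;   # e.g. "uid=0(root) gid=0(root)"
        *)        return 1 ;;
    esac
}

# su_probe_result SHELL_OUTPUT -> "absent" when the shell reported that no
# su binary is on PATH (the "su: not found" line of the unrooted transcript;
# newer Android shells word it "inaccessible or not found"), else "present"
su_probe_result() {
    case "$1" in
        *"su: not found"*|*"su: inaccessible or not found"*) echo absent ;;
        *) echo present ;;
    esac
}

# find_su_binaries ROOT -> prints every common su location that exists
# below ROOT and succeeds if at least one was found. Use "/" when running
# on the device itself; the locations are common ones (assumption).
find_su_binaries() {
    root="${1%/}"
    found=1
    for dir in /system/bin /system/xbin /sbin /vendor/bin /su/bin; do
        if [ -e "$root$dir/su" ]; then
            echo "$root$dir/su"
            found=0
        fi
    done
    return "$found"
}

# device_root_check -> prints "rooted" or "not rooted" for the attached
# device by running the article's commands (su, then id) over adb.
device_root_check() {
    if ! command -v adb >/dev/null 2>&1; then
        echo "adb not found on host" >&2
        return 2
    fi
    idline=$(adb shell su -c id 2>/dev/null | tr -d '\r')
    if is_root_id "$idline"; then
        echo rooted
    else
        echo "not rooted"
    fi
}

# Offline demonstration on the two transcripts quoted in the article
su_probe_result '/system/bin/sh: su: not found'      # -> absent
is_root_id 'uid=0(root) gid=0(root)' && echo 'root shell'
```

With a device attached, `device_root_check` prints the verdict; a su manager app may show an authorization prompt on the device the first time `su -c id` runs, which is exactly the gatekeeping a rooted device relies on.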

Why would we root a device?

As mentioned earlier, we do not have complete control over Android devices due to the limitations imposed by hardware manufacturers and carriers. So, rooting a device gives us additional privileges to overcome these limitations. 

However, the goal of rooting a device varies from person to person. For example, some people root their devices to install custom ROMs for nicer themes and a better look and feel. Some may want to install additional apps, known as root apps, that cannot be installed without root access. Others have their own reasons.

In our case, we are going to root our device for penetration testing purposes, as a rooted device gives us complete control over the file system and lets us install additional tools such as “Cydia Substrate” to audit apps. Whatever the reason may be, rooting has its own advantages and disadvantages. Some of them are described next.

Advantages of rooting

This section describes some of the advantages of rooting an Android device:

Unlimited control over the device

By default, a normal user cannot fully access the device. After rooting an Android device, we get full control over it. The following excerpt shows that a normal user without root access cannot list the installed app packages inside the /data/data directory:

shell@android:/ $ ls data/data
ls: data/data: Permission denied
shell@android:/ $

As the root user, we can explore the complete file system, modify system files, and so on. The following excerpt shows that the root user can list the installed app packages inside the /data/data directory:

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\users\mrdev> adb shell
shell@android:/ $ su
root@android:/ # ls data/data

Installing additional apps

Users with root access on the device can install some apps with special features. These are popularly known as root apps.

For example, BusyBox is an app that provides many useful Linux commands that are not available on an Android device by default.

More features and customization

By installing a custom recovery and custom ROMs on an Android device, we can get more features and customization than the vendor's stock OS provides.

Disadvantages of rooting

This section describes various disadvantages of rooting an Android device and why it is dangerous for end-users to root their devices.

It compromises the security of your device

Once a device is rooted, its security is compromised. By default, each application runs inside its own sandbox with a separate user ID assigned to it. This UID segregation ensures that an application running under one UID cannot access the resources or data of apps running under different UIDs on the same device.

On a rooted device, a malicious application with root access does not have this limitation, so it can read the data of any other application on the device. Other examples are bypassing lock screens and extracting all data, such as SMS, call logs, contacts, and other app-specific data, from a stolen or lost device.

Let's see a practical example of what it looks like.

content://sms/draft is a content provider URI in Android for accessing the draft SMS messages on the device. For an application to read data through this URI, it requires the READ_SMS permission granted by the user; an application that tries to access it without the appropriate permission gets an exception. Open a shell over USB using adb and type the following command in a limited user shell (without root access):

shell@android:/ $ content query --uri content://sms/draft 
Error while accessing provider:SMS 
java.lang.SecurityException: Permission Denial: opening provider com.android.providers.telephony.SemcSmsProvider from (null) (pid=4956,uid=2000) requires android.permission.READ_SMS or android.permission.

 at android.os.Parcel.readException(
 at android.os.Parcel.readException(
 at Method)
 at dalvik.system.NativeStart.main(Native Method)
shell@android:/ $

As we can see in the preceding excerpt, a SecurityException is thrown because permission was denied. Now, let's see what happens when we query the same URI from a root shell:

shell@android:/ $ su
root@android:/ # content query --uri content://sms/draft
Row: 0 _id=1, thread_id=1, address=, person=NULL, date=-1141447516, date_sent=0, protocol=NULL, read=1, status=-1, type=3, reply_path_present=NULL, subject=NULL, body=Android Rooting Test, service_center=NULL, locked=0, sub_id=0, error_code=0, seen=0, semc_message_priority=NULL, parent_id=NULL, delivery_status=NULL, star_status=NULL,
root@android:/ #

As the preceding output shows, with root privileges we do not need to ask the user for any permission to read SMS messages, which compromises the data of the application that owns them. It is quite common to see root apps executing shell commands on devices to steal sensitive files such as mmssms.db.
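The per-app UID sandbox described above is only as strong as the ownership and permission bits on each app's data directory, and root apps that write into /data/data can quietly loosen them. The following script is an added example written for this article, not code from the original post: it audits a `ls -ln /data/data` listing (which, as shown earlier, only root can obtain) and flags directories owned by a non-application UID or readable or writable by everyone. It relies on the fact that Android application UIDs start at 10000 (plus 100000 per secondary user); the function names and the sample listing are mine, and the listing is constructed, not captured from a real device.

```shell
#!/bin/sh
# Added example, not from the article: audit a `ls -ln /data/data` listing
# for app data directories that no longer respect the per-app UID sandbox.
# Android application UIDs are 10000 and above (appId 10000+, plus 100000
# per secondary user), so a directory owned by a lower UID (for instance
# uid 0 after a root app wrote into it) or one that "others" can read or
# write deserves a closer look.
# Usage on a rooted device, after sourcing this file on the host:
#   adb shell su -c 'ls -ln /data/data' | audit_app_dirs

# audit_app_dirs  (reads `ls -ln` output on stdin)
#   -> one line per suspicious directory: "<pkg> owner-uid=<uid> mode=<mode> <reasons>"
#   -> exit 0 when nothing was flagged, 1 otherwise
audit_app_dirs() {
    tr -d '\r' | awk '
        $1 ~ /^d/ && NF >= 7 {
            mode = $1; uid = $3 + 0; pkg = $NF; reason = ""
            if (uid % 100000 < 10000) reason = reason "owner-not-app-uid "
            if (substr(mode, 8, 1) == "r" || substr(mode, 9, 1) == "w")
                reason = reason "world-accessible "
            if (reason != "") {
                flagged++
                sub(/ $/, "", reason)
                print pkg " owner-uid=" uid " mode=" mode " " reason
            }
        }
        END { exit (flagged > 0) }'
}

# Constructed listing (not captured from a real device) in `ls -ln` format:
# mode links uid gid size date time name
SAMPLE_LISTING='drwx------ 4 10054 10054 4096 2016-03-02 10:11 com.android.chrome
drwxr-x--x 3 10055 10055 4096 2016-03-02 10:11 com.example.bank
drwxrwxrwx 3 10056 10056 4096 2016-03-02 10:11 com.example.leaky
drwx------ 3 0 0 4096 2016-03-02 10:11 com.example.rootowned
-rw------- 1 10055 10055 512 2016-03-02 10:11 stray-file'

# demo_audit -> the audit report for the constructed listing above
demo_audit() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_app_dirs
}

demo_audit || echo "review the flagged entries above" >&2
```

On the constructed listing the report flags com.example.leaky (world-accessible) and com.example.rootowned (owned by uid 0); the Chrome and bank directories pass, and the stray file is ignored because only directories are checked. Two packages legitimately sharing one UID (a sharedUserId with the same signing key) are not flagged by this check.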

Bricking your device

Rooting processes might brick your device.

What can you do with a brick?

The same applies to a bricked (dead) Android device: it may become useless, and you need to find a way to recover it.

Voids warranty

Rooting a device voids its warranty. Most manufacturers do not provide free support for rooted devices; after rooting, even within the warranty period, you may be asked to pay for repairs.

Locked and unlocked bootloaders

A bootloader is the first program that runs when you boot your device; it initializes the hardware and starts the Android kernel. Without it, the device does not boot. Bootloaders are usually written by the device manufacturers and are usually locked, which ensures that end-users cannot make changes to the device firmware.

To run custom images on your device, the bootloader has to be unlocked first. Even to root a device with a locked bootloader, you need to unlock it first, if a way to do so exists. Some manufacturers provide an official method to unlock their bootloaders.

In the next section, we will see how to unlock a bootloader on Samsung devices. If the bootloader cannot be unlocked, we have to find a flaw that allows us to root the device.
