A root, or superuser, on a Unix based OS has total access to resources on a device. For security reasons, and to avoid giving users too much access, the developers of iOS and Android made root access inaccessible for regular end-users. A regular user of a mobile device does not even need root access to use their device comfortably; thus, the root restrictions do not cause problems for most user.

However, some users prefer to have root access to customise the core OS. The users' goal might be to upgrade to a more recent version of the current operating system, run certain applications they can't find in the mobile marketplace, or debug or reverse-engineer certain applications.

The end-result of rooting a device is that you can install a different version of Android or iOS, but it also allows end-users to execute commands with root access or privilege. In essence, this means that a process, whether legally or not, can assume total and absolute control of the system. Whatever the reason for rooting a device might be, there are some real dangers of obtaining this access.

Most Android users root their phone to be able to upgrade their OS to a more recent version of Android. One of the reasons could be that their device has stopped receiving updates or security patches from their mobile device vendor. Users with such mobile devices, desiring to have the latest patches or a more secure version of Android, are left with the choice to either buy a new phone or root the device and install an unofficial version.

For most iOS users, rooting is most often done to have the superuser ability to modify the OS on their device or to bestow upon themselves the power of being a root user on their device. Whatever the motivations are for doing this, let us look at some real issues that come along with rooting either by choice or by exploitation.

Exploitations:
On Android, gaining root access is relatively easy for most attackers. The attackers can use privilege escalation bugs, found in all but the very latest version of Android, to gain root access. (In an earlier article, we cover an example with the Android bootloader being such a tempting target for root attacks.) Google provides monthly security updates that Android phone vendors can use to protect users from new vulnerabilities. But, as Android has hundreds of big and small vendors, and thousands of different devices, there is no guarantee that end-users run the latest security patches. 

In practice, users of older devices tend to keep using an OS with unfixed or unpatched vulnerabilities. As this post is published, the latest security patch is for June 2020, 2020-06-05 security patch. One of the fixes here is for a privilege escalation attack, CVE-2020-0117 which enables a local malicious application to gain root access, without the user being aware. Malware can exploit this privilege escalation attack on outdated devices, see the section on spyware below. 

On Android you might only get two years of patches on your phone, so a typical user using a phone made in 2017 may have stopped receiving security patches or OS updates at least a year ago. If users do not receive security patches for their device, it means that the user has a hard choice:

1. They can root the device and install an alternative, more up-to-date Android version
2. They can buy a new phone

The dilemma is just as hard for the banks and PSPs trusting the security of the device: How lenient should you be in allowing out-of-date devices?

Code Injection by Malware
A fact most users with rooted devices are not aware of is that it is very possible to modify existing applications code on a user's device when a user or a process has root access. On Android what happens in this scenario is that a process running as root can definitely access stored application code, such as platform application jars on the device and then inject its own malicious code into the application. That leads to a vulnerability that allows attackers to modify transaction details in any application stored on your device. An example of such attacks could be changing the transfer amount to a recipient and the recipient bank account number to the attacker's own. IBM has published an article with an example of how to do this. 

Spyware Accessing System Resources by Exploiting a Privilege Escalation 
On mobile devices, access is restricted to system resources such as the camera, the microphone, and location service on the device. On Android, special permission is needed to access system resources such as these. Whenever such a resource is required, the OS prompts the user to either approve or decline the permission. However, with root access, a Spyware process can skill-fully bypass these permissions (even the SELinux context on Android) to obtain access to monitor you with the sensors on your devices. Most spyware may not even require root access to obtain these resources as described here in this article. One can only imagine the immense power a spyware process running as a root user could have!

Enterprise Security Breach
These days, it is common to see enterprise companies allow staff to bring and use their personal device at work. If a staff member uses a rooted device (whether by choice or by exploitation) that is compromised, this could lead to leaking the organisation’s confidential information. With root access, a process can access all data, including backups, calendars, photos and other confidential items stored on the device, and all this information is available to any attacker with root access. The main issue, as will be discussed in the section below, is that rooting by exploitation is very hard to detect by just using the software.

Access to all Encryption Keys: Nothing is Safe
When a device is rooted, or there is malware with root access, there is no longer a strong protection of keys stored on the device. In other words, access to previously encrypted files or items on the device is possible, and applications can be reverse-engineered by a malicious process or malware with root access.

While this is scary, most attacks do not even need a device that is rooted to initiate an attack that requires root access. The attackers just need to exploit one of the many privilege escalation vulnerabilities on a user's devices that may not have updated their operating system, or may not have received any security patches for an extended period.

This poses a severe problem for most organisations (such as financial organisations). Some of these organisations take extra precautions or steps to stop their applications from running on rooted applications by checking if it is possible to execute a sudo command in the OS. But the main issue, one that is not so easy to address, is that some of the malware used for these exploits gain root access that is not detectable by using the check sudo command test.

This is where Okay shines. We assume that all devices are infected or will probably become infected in the future due to the rising amount of vulnerabilities on most mobile platforms or OSes. The Okay solution provides a secure execution environment to ensure that the device, whether compromised or not, does not interfere or compromise the integrity of transactions happening on that device.