nowsecure / secure-mobile-development

A Collection of Secure Mobile Development Best Practices
https://books.nowsecure.com/secure-mobile-development/en/

Root/Jailbreak Detection #41

Closed ngkogkos closed 7 years ago

ngkogkos commented 8 years ago

How come root and jailbreak detection is not under the best practices categories?

sbakken commented 7 years ago

Thanks for your question.

Jailbroken/rooted devices are a much disputed topic. In general, we think people should approach jailbreaking/rooting their device with caution and an understanding that doing so might render certain built-in security controls ineffective.

There are valid reasons for knowledgeable users to jailbreak/root their device, and jailbroken/rooted devices are not necessarily less secure. For example, some people jailbreak/root their device to harden the system or remediate vulnerabilities for which a device manufacturer hasn’t issued a patch.

A seemingly infinite supply of jailbreaking/rooting methods exists, and detection measures will never catch them all. If an app detects a particular method, an attacker typically expends less effort bypassing that detection mechanism than a developer expends trying to catch all of the new methods and update detection mechanisms accordingly. When you compare that developer effort with the minimal gains resulting from the detection of a jailbroken/rooted device, implementing jailbreak/root detection might only give a developer a false sense of security.

Jailbreak/root detection typically detects conspicuous jailbreaking or rooting methods carried out by a user that is not trying to hide their actions. In these situations, detection may simply stop more sophisticated mobile users--people that might become some of an app’s most passionate users--from using the app.

We certainly understand, for example, why the FFIEC recommends that financial institutions educate users on the risks of using a jailbroken/rooted device and carefully consider whether a rooted/jailbroken mobile device will be allowed to access their mobile services (see the FFIEC IT Examination Handbook Appendix E: Mobile Financial Services at https://www.ffiec.gov/press/PDF/FFIEC_booklet_Appendix_E_Mobile_Financial_Services.PDF).

In general, we don’t think jailbreak/root detection is a best practice in all situations. That’s because jailbreak/root detection can exclude users that have no malicious intent and be bypassed by motivated attackers. And for those reasons we think a developer’s efforts are best focused on making the app secure regardless of whether or not it resides on a jailbroken/rooted device.

In terms of Android, developers should consider using Google’s SafetyNet API (https://developer.android.com/training/safetynet/index.html) -- if root detection is important to them. SafetyNet profiles the device an app is running on and compares it to known profiles that have passed Android compatibility testing. The comparison can identify whether the profiled device has passed compatibility testing and whether the device shows signs of rooting or the presence of active attacks. The developer can then use the SafetyNet attestation information to enforce what sorts of profiles they will allow their app to run on. That way a developer can offload detection work to Google and instead concentrate on the security of their particular app.
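An added example, not part of the thread or of the nowsecure project: a server-side policy over a SafetyNet attestation payload that rejects replayed or mismatched responses but only restricts, rather than blocks, a device that fails the profile checks. It assumes the JWS signature and certificate chain were already verified; `EXPECTED_PACKAGE`, `MAX_AGE_MS`, the three decision tiers and the sample token are assumptions made for illustration.

```python
import base64
import hmac
import json

MAX_AGE_MS = 5 * 60 * 1000            # assumed freshness window
EXPECTED_PACKAGE = "com.example.app"  # hypothetical package name


def decode_payload(jws: str) -> dict:
    """Decode the payload of a compact JWS whose signature was already verified."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(segment))


def evaluate(payload: dict, expected_nonce: bytes, now_ms: int) -> str:
    """Return 'reject' (untrustworthy response), 'restricted' or 'full'."""
    try:
        nonce = base64.b64decode(payload["nonce"])
        age_ms = now_ms - int(payload["timestampMs"])
    except (KeyError, TypeError, ValueError):
        return "reject"
    # Replay and relay checks: the response must answer our nonce, be recent,
    # and describe our app rather than some other package.
    if not hmac.compare_digest(nonce, expected_nonce):
        return "reject"
    if not 0 <= age_ms <= MAX_AGE_MS:
        return "reject"
    if payload.get("apkPackageName") != EXPECTED_PACKAGE:
        return "reject"
    # Device verdicts: a failed profile match limits features instead of
    # locking the user out.
    if payload.get("ctsProfileMatch") is True and payload.get("basicIntegrity") is True:
        return "full"
    return "restricted"


def sample_jws(nonce: bytes, ts_ms: int, cts: bool, basic: bool) -> str:
    """Constructed sample token; the header and signature are dummies."""
    body = {"nonce": base64.b64encode(nonce).decode(), "timestampMs": ts_ms,
            "apkPackageName": EXPECTED_PACKAGE,
            "ctsProfileMatch": cts, "basicIntegrity": basic}
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(b'{"alg":"RS256"}'), enc(json.dumps(body).encode()), enc(b"sig")])
```

The nonce must be generated by the server per request and remembered until the response arrives, otherwise the first check has nothing to compare against.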