Wednesday, 11 April 2018

The Case Against Root: Why Android Devices Don’t Come Rooted



We’ve written about rooting your Android smartphones and tablets before, but why don’t they come rooted? Google argues that rooting is a mistake for security reasons, as it subverts Android’s security model.
Over the years, Google has added more and more formerly root-only features to Android – from screenshots to support for encryption and VPNs. The goal is to minimize the need for rooting.

What is Rooting, Anyway?

Android is based on Linux, where the “root” user is equivalent to the Administrator user in Windows. The term “rooting” means gaining root access to your smartphone or tablet and being able to run applications with root permissions – full system access, in other words.
A standard rooting process will also install an application like Superuser or SuperSU. This application supervises access to root. Applications on your device can’t just get root permissions whenever they want – they have to prompt you and you can confirm or deny the request.

Breaking Out of Android’s Security Model

Android uses Linux’s security model in a different way. Every Android app runs with its own user ID, or UID. In other words, every app runs as its own user account. This means that every app has its own data isolated from every other app. If you install your bank’s app, its data will be stored so that it’s only accessible by the bank’s app – other apps on your device can’t snoop on it.
On a standard Android configuration, no app can access any other app’s data, no matter how many permissions the app asks for.
This all changes when you run an application as root. The application is no longer running in a sandboxed area – it has access to the entire system. An app with root permissions can read other apps’ data – this is how the excellent Titanium Backup works and why it requires root.
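
The isolation described above can be modelled with the ordinary Linux owner/group/other permission check, which also gives a simple way to audit for data directories that are readable across apps. This is an added example, not code from the original article or from Android; the package names, UIDs and directory modes are constructed, and root is modelled simply as UID 0 bypassing the check.

```python
from dataclasses import dataclass

ROOT_UID = 0
READ = 4  # read bit within one owner/group/other permission triplet


@dataclass(frozen=True)
class Proc:
    name: str
    uid: int
    gids: frozenset = frozenset()


@dataclass(frozen=True)
class Node:
    path: str
    owner: int
    group: int
    mode: int  # permission bits, e.g. 0o700


def may_access(proc, node, want=READ):
    """Owner/group/other check; exactly one class applies. UID 0 bypasses it
    (simplified: the kernel uses CAP_DAC_OVERRIDE, and SELinux may still deny)."""
    if proc.uid == ROOT_UID:
        return True
    if proc.uid == node.owner:
        bits = node.mode >> 6
    elif node.group in proc.gids:
        bits = node.mode >> 3
    else:
        bits = node.mode
    return ((bits & 7) & want) == want


def cross_app_reads(procs, nodes):
    """Return (process, path) pairs where a non-owner process can read."""
    return [(p.name, n.path) for p in procs for n in nodes
            if p.uid != n.owner and may_access(p, n)]


# Constructed sample data: package names, UIDs and modes are illustrative.
BANK = Proc("com.example.bank", 10123, frozenset({10123}))
GAME = Proc("com.example.game", 10124, frozenset({10124}))
GAME_AS_ROOT = Proc("com.example.game (root granted)", ROOT_UID)
BANK_DATA = Node("/data/data/com.example.bank", 10123, 10123, 0o700)
LOOSE_DATA = Node("/data/data/com.example.loose", 10125, 10125, 0o755)

if __name__ == "__main__":
    for name, path in cross_app_reads([BANK, GAME, GAME_AS_ROOT],
                                      [BANK_DATA, LOOSE_DATA]):
        print(f"{name} can read {path}")
```

With the private 0700 directory, the only cross-app reader reported is the process running as UID 0; the 0755 directory shows how a loosely set mode would expose data even without root.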

Root Permission Prompts and Malware

The full system access means that malware could potentially exploit root access to do much more damage than it normally could. Once an app is granted root access, it can do anything – run a key logger in the background without telling you, extract your account information from other apps, or even mess up your device by deleting critical system files.
If you know what you’re doing and only download trusted root apps, you can avoid this. However, this is worth remembering when you consider how many less-technical users use Android. They don’t care about running Titanium Backup and having access to the entire root file system – they just want it to work, place phone calls, and play Angry Birds.
In other words, you probably shouldn’t root your relatives’ smartphones and tablets as a favor to them.

With Great Power Comes Great Responsibility

The problems aren’t limited to malware. With full access to the root file system, you can delete critical system files or disable critical system apps and prevent your device from functioning properly. Windows goes to great pains to prevent average users from mucking around in the C:\Windows folder for the same reason. If the average user doesn’t understand what they’re doing, they can do serious damage to their operating system.

Warranty Considerations

Some manufacturers or carriers may try to refuse you warranty service if you have a rooted device. If you’ve used root access to modify your system files and the software no longer works properly, this makes some sense – although you should be able to restore the device to its factory default settings and fix it on your own.
If the device’s hardware is failing, rooting can’t be the cause (unless you’ve installed an overclocking app that required root and killed the hardware with heat). To prevent any arguments, you should unroot the device before taking it in for service.
This is yet another reason why you wouldn’t want to root a non-technical family member’s device – it may cause them problems if they ever need it fixed or replaced.

In summary, rooting grants you great power – more power than Android is designed to give you. (However, it’s Linux underneath, and Linux works just fine with root access.) An app with root access isn’t bound by any permission restrictions and has the potential to cause some serious problems. If you know what you’re doing, you should be okay – but you’ll need to be more careful.
However, this power is only a liability for the average Android user. This is why Android doesn’t come rooted – if any app could pop up a root permission prompt and gain complete access to the system, many less-technical users would allow the access so they can continue using the app. Some apps might even refuse to run without root access just to display nastier ads, just as many ad-supported apps ask for a long list of permissions today. The lack of root helps protect average users.