Timeline for answer to Bank complains about rooted Android. Is it really any worse than a Windows desktop? by Silverfox
Current License: CC BY-SA 3.0
Post Revisions
17 events
| when | what | by | license | comment | |
|---|---|---|---|---|---|
| Mar 29, 2019 at 17:28 | comment | added | Silverfox | @Luc I'll be more than happy if you could edit the answer and apply your suggested fixes/improvements. More specifically, which part do you think misinforms the readers? | |
| Mar 29, 2019 at 15:39 | comment | added | Luc | -1 This answer is about as accurate as dihydrogen monoxide warnings. All facts are true, but it completely misinforms anyone reading the answer about the riskiness of mobile root vs desktop root (or administrator or whatever). It also doesn't even mention normal rooting and only talks about using exploits made by some third party. | |
| Feb 23, 2018 at 4:42 | comment | added | forest | @CBHacking I'm not sure about Windows, but Linux often prevents this with the ubiquitous Yama LSM. It modifies ptrace and related syscalls (like process_vm_writev) so they cannot be used on sibling processes, only on child processes. In the most strict mode, it prevents the calls from being made at all. However, even if this were not true, Android naturally runs each app with a different UID, which prevents a given application from interfering with another. | |
| Feb 22, 2018 at 15:56 | history | edited | Silverfox | CC BY-SA 3.0 | fixed the point made in the last comment |
| Feb 22, 2018 at 15:55 | comment | added | Silverfox | @CBHacking you're right, I'll edit my post to reflect this. | |
| Feb 20, 2018 at 20:28 | comment | added | CBHacking | "The security model for operating systems like Windows or Linux ... does prevent applications from accessing each others' memory." This is actually FALSE! Assuming you're talking about same-user scenarios (say, a music player and an email client running as the same user, rather than under two different users), one process can read (and even write!) memory of another. For example, see Windows' ReadProcessMemory. To prevent this, untrusted apps have to be sandboxed (as non-root mobile apps are). | |
| May 1, 2016 at 21:39 | comment | added | atdre | @Silverfox: That's ok, it's a common misconception. See more thorough analysis of the repackaging problem, as well as the conceptual hooking techniques (applies to Android as well as iOS) here -- security.stackexchange.com/a/98326/140 -- but also here -- frida.re/docs/ios/#without-jailbreak -- and here -- frida.re/docs/android | |
| May 1, 2016 at 18:14 | comment | added | Silverfox | @atdre I can't see how the same techniques apply on a non-rooted device, even for simple tasks like pulling applications database via adb you'd need root permission, one of our other concerns here is malware having root access too. Rooted device has its risks which are different from non-rooted devices but I have to agree it's not as big of a red flag as it may seem to be. Its threat is conditional. | |
| May 1, 2016 at 17:56 | comment | added | atdre | The OWASP Mobile Security Project has been trying to remove those requirements. There's no reason why a bank or any mobile app shouldn't run on a jailbroken or rooted device. They are more at-risk on a jailed or non-rooted device because all of the same reversing, subverting, and memory-dumping techniques still apply. | |
| Apr 30, 2016 at 21:20 | vote | accept | Fiksdal | ||
| Apr 30, 2016 at 15:18 | comment | added | Silverfox | @AlexanderO'Mara Applications can't defend themselves apart from techniques like data encryption, but what I meant was that the OS protects the applications with permissions it defines and then when you give root permission to a specific application, it can access anything and bypasses that security control that was put in place. | |
| Apr 30, 2016 at 15:14 | comment | added | Alexander O'Mara | Also, rooted devices do not necessitate the inability to update the OS, it depends on the OS. For example, many Android users root and replace the OS with something like CyanogenMod. | |
| Apr 30, 2016 at 15:12 | comment | added | Alexander O'Mara | Can an app with only user-level access on either Windows or Android (or any OS?) really guard itself against another app which has root access? How would that work? Or is there some other side-effect to rooting you are referring to? | |
| Apr 30, 2016 at 11:10 | comment | added | Fiksdal | Alright, I'm glad I got that right. That part of your answer is very relevant in terms of OP. | |
| Apr 30, 2016 at 10:54 | comment | added | Silverfox | @Fiksdal True, that's what I was trying to say, although you may find some exceptions to this, but ultimately mobile devices have some security controls that are not present on desktops and vice versa, and by rooting your device you're potentially bypassing some of these controls, and the mobile application is notifying you about this. (Even though these controls may not be present on desktops at all) | |
| Apr 30, 2016 at 10:46 | comment | added | Fiksdal | Detailed answer, thanks. I think one of your points is that browsers in Windows, as well as the bank's webapp there, are designed to run in a system where other applications have administrative privileges. Thus that browser and webapp may have built in defenses against some threats on such a platform. The Android app, on the other hand, may be, in terms of security, only designed to run on a non-rooted device. Was that one of your points, or did I misunderstand? | |
| Apr 30, 2016 at 10:34 | history | answered | Silverfox | CC BY-SA 3.0 |