Android 4.4’s verified boot has device modders worried

November 6, 2013

One of the new security features in Android 4.4 KitKat is verified boot, which is designed to detect persistent rootkits: malware that holds onto root privileges across reboots and compromises a device’s security. At the moment the feature is experimental and optional, which means few manufacturers are likely to use it now; however, it could become widespread in the future.

A rootkit is a clever piece of malware which, because it has root access, can hide itself from the host operating system and can even fool any installed security software, since its system privileges let it “lie” to any detection method. One way to check that a device hasn’t been infected by a rootkit is to check the integrity of the system files. On a normal Android device, apps are installed in the user-space part of the OS, and each app is self-contained and runs in what is known as a sandbox. The app runs unhindered inside its own sandbox, but it has no authority to change files in other parts of the system or in the sandbox of another app.

Clever malware with root privileges can hide from detection programs and otherwise mask itself. It can do this because it is usually more privileged than the detectors, which lets it “lie” to them.

If an app does manage to get root access (due to a security vulnerability in the underlying OS), its root access is often temporary: once the device is rebooted, the app won’t necessarily be running or be in a position to regain root. However, once a rootkit gains root access it attempts to modify the system area of Android so that its root access is persistent.

To detect these changes to the system area, Google has implemented dm-verity, a feature that examines the individual blocks of data on the Android file system to check that they are in the expected configuration. It does this using hashes to verify that the data hasn’t been modified.
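As an added illustration (not code from the article or from Android itself), here is a toy Python hash tree in the style dm-verity uses: every block is hashed, the hashes are combined pairwise up to a single root hash, only that root has to be trusted (it is what verified boot signs), and each block is re-checked against the root when it is read. The block size, the five-block “system image” and the single bit flip are constructed for the example.

```python
import hashlib

BLOCK_SIZE = 16  # constructed toy size; real dm-verity uses 4096-byte blocks
HASH = hashlib.sha256

def split_blocks(data: bytes) -> list:
    """Cut an image into fixed-size blocks, zero-padding the last one."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    blocks[-1] = blocks[-1].ljust(BLOCK_SIZE, b"\0")
    return blocks

def build_tree(blocks: list) -> list:
    """Hash-tree levels, leaves first; the last level holds the single root hash."""
    level = [HASH(b).digest() for b in blocks]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:            # odd count: duplicate the last hash
            level = level + [level[-1]]
        level = [HASH(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def verify_block(block: bytes, index: int, levels: list, root: bytes) -> bool:
    """Re-hash one block along its path to the root, as the kernel does per read.
    The stored tree (levels) is untrusted; only the root hash is trusted."""
    h = HASH(block).digest()
    for level in levels[:-1]:
        padded = level + [level[-1]] if len(level) % 2 else level
        sibling = padded[index ^ 1]
        h = HASH(h + sibling).digest() if index % 2 == 0 else HASH(sibling + h).digest()
        index //= 2
    return h == root

def demo() -> tuple:
    """Constructed 5-block 'system image'; flip one bit in block 2."""
    image = b"".join(bytes([i]) * BLOCK_SIZE for i in range(5))
    blocks = split_blocks(image)
    levels = build_tree(blocks)
    root = levels[-1][0]              # the value verified boot signs and trusts
    tampered = bytearray(image)
    tampered[2 * BLOCK_SIZE] ^= 0x01  # a persistent, rootkit-style edit to /system
    tblocks = split_blocks(bytes(tampered))
    return (verify_block(blocks[2], 2, levels, root),                # clean block: True
            verify_block(tblocks[2], 2, levels, root),               # modified block: False
            verify_block(tblocks[0], 0, levels, root),               # untouched neighbour: True
            verify_block(tblocks[2], 2, build_tree(tblocks), root))  # rewritten tree, old root: False
```

The last case is the important one for persistence: even if the modified partition ships with a freshly computed hash tree, it still fails because the root hash is held outside the partition.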

This is all great when applied to rootkits, but here is the problem: many of the techniques modders use to root a device, gain system privileges and install custom ROMs or kernels are very similar to the techniques used by rootkits. Rooting a device with dm-verity enabled therefore becomes a whole lot harder, maybe even impossible.

End of custom firmware?

Pulser_G2 has written an article over at xdadevelopers called “Google Taking Aim at Device Modders in Android 4.4 KitKat.” The title is a little inflammatory as Google aren’t specifically targeting modders but rather malware, however the consequences of Google’s actions will affect modders.

One aspect of the Android ecosystem that appeals to some is its open source nature and the freedom that open source gives. There are several popular alternative Android ROMs, including Cyanogenmod, which recently went commercial and has partnered with Oppo to release a smartphone with Cyanogenmod installed by default. These custom firmware builds often rely on the user gaining root access before installing the new ROM. Manufacturers who ship devices with locked bootloaders and with dm-verity enabled will effectively be closing the door on custom firmware installations.

However, all is not lost. First, there aren’t actually any devices yet shipping in this configuration, so it is too early to tell how widespread this will become. Second, since companies like Samsung and HTC are happy to ship “Google Play Editions” of their devices, and others ship Developer editions with unlocked bootloaders, it seems they aren’t closed to the idea of handsets made specifically for those who want to tweak their phones.

The happiest outcome would be for manufacturers to ship handsets with locked bootloaders and dm-verity enabled for those who want to ensure their devices aren’t infected by rootkits (especially those using their phones for business purposes), while at the same time offering open models for those who want the freedom to load other firmware.

What do you think, does dm-verity signal the end of custom ROMs?

Comments

  • mumusen

    Google turning itself into Apple? Not cool.

    • MasterMuffin

      I don’t see it like that, Apple doesn’t want you to mess with their system, Google doesn’t care as long as its users are safe so they can use its services and give them money. And this only makes things harder if you buy from a carrier and accept locked bootloaders, otherwise you can just change the kernel and be done with it. Read the XDA article from source

      • Mayoo

        Apple : Dictator
        Google : Permissive with constraints

        or you can see it like this :

        Apple : Bad parenting
        Google : Good parenting

      • NeedName

        Yeah, till Google decides all modders are harming their ad revenue with adblockers and the like. . .

      • freedomspopular

        Yep, Google doesn’t care what you do with your device…unless it’s a Chromecast…

      • Purloinedrabbit

        do you have that link that you referenced?

    • Jasonwsc

      I don’t see the issue if your device can be bootloader unlocked, since you will always be able to root it by flashing a custom kernel. However, those buying carrier-branded devices should take note, as this might remove the possibility of root once and for all.

      If you live in the U.S. and want to mod your phone, just get a Nexus. It’s cheap, it’s good and it’s open. Not to mention the constant updates.

  • James Silva

    This is smart… But then for the modders, you should be able to use your own dm-verity command. What I mean is you should have the ability to provide your own hashes that include your proper root modifications.

    • Ivan Myring

      Yes, can anyone verify if this would work?
      Also, would there be any way to flash a rooted version of the software (i.e. Root de la Vega) and modify from there?

  • adam evans

    Isn’t Cyanogen aiming for a way to achieve everything you want without root access? Ending root access would make systems a lot more secure.

    Also, correct me if I’m wrong, but I have never had to root before installing a custom ROM on any of my devices.

    • emanuele_zanetti

      Well… I think this is impossible, you need root access to modify parts of the system (for example, to set the quick settings to act like toggles).

      • adam evans

        In a manufacturer’s ROM, yes. But the functionality could be included without permissions; it could be built right into the ROM.

        You need root permissions to edit an existing system. But if the system is built to allow for the flexibility, then no permissions are required.

        It’s possible, it just requires making more dramatic changes to the AOSP code than before.

      • ger adriaans

        Not really, most custom ROMs are pre-rooted, so flashing the ROM with a custom recovery will be enough to root the device and install busybox.

  • TONY ALDO

    As someone who works in IT, this is great. Phones now contain so much sensitive material that any added security would be beneficial. What Google should do is somehow let you do this virtually. Maybe some type of dual-boot virtualized partition. But in any case this could be a good thing.

  • DarxideGarrison

    I’ve been using Cyanogenmod on my rooted Epic 4G and GS3 because I like the hardware combined with the “stock-like” Android experience. However, I’ve had the Nexus 7 (2013) for a while now and haven’t felt the need to root it. I’ll probably not root my Nexus 5 on Friday either. But rooting is still a very important part of the Android community and should not be hindered for developers.

  • Troy Leonard

    Honestly, I think it is a great idea. With the ever-accelerating death of BlackBerry, businesses need a secure option, and I for one would rather that be Android-based, not iOS. I have no doubt that developer editions will continue to be available and most devices probably won’t ship with this enabled. Security is important and it is good that Google is looking to advance security on its platform.

  • Magnetic1

    The only people who seem to hack on other people’s devices these days already have a backdoor built into the design, because they got the guy who knows the guy. Didn’t the PC industry learn their lesson from UEFI? The people who develop custom ROMs are not the enemy.

  • MSmith79

    Google’s not worried because there isn’t any security restriction that could be put in place that would stop modding. Modders will always find a way around it, often within days. It’s smart of Google to tighten security where they can, and they can do so without worrying that they’ll lose their modding community.

  • hoggleboggle

    I don’t see any reason why this security feature shouldn’t come as standard on every phone, provided it gives the user the option to manually override it if they want to mod their device.

  • Purloinedrabbit

    Having been a member of that elite community that had the woeful experience of being an actual TARGET of multiple sustained attacks, I lost I don’t know how many computers: PCs, laptops, tablets, smartphones and even a Kindle. I lost thousands of dollars thanks to the ease of entry into Froyo, Gingerbread, and ICS. At any point there, when I knew nothing about shutting down a hacker, I would have appreciated a device that was specced NOT to allow zRoot or InstaRoot to so easily give up control of operations. Tablets were brand new, I was selling them on eBay, making a bundle, but once our phones were compromised, we were doomed. I can’t emphasize enough how important it is to have a lock for the Nurse-hack. That movement can be controlled by hardware. It needs to be, in an environment where learning how to program is as accessible and free as it is today.

    The newest upper class are the computer science geeks, and there is just free education. At this point if you can’t build your own website, you’re out of the game, because it is not just to hack that coding is learned; it’s a necessary skillset in today’s economy.

  • Purloinedrabbit

    And let’s not forget the spillage of personal information by HTC, AT&T, Sprint and Verizon a couple of years back. If they had security “switches” back then, I’d still have 4 tablets (brand new) and 2 Macintoshes and one PC. Oh, allll of those phones. And the Kindle. Sorry to blather on.