One of the new security features in Android 4.4 KitKat is verified boot, which is designed to detect persistent rootkits: malware that holds on to root privileges across reboots and compromises a device's security. At the moment the feature is experimental and optional, which means few manufacturers are likely to use it right away; it could, however, become common in the future.
A rootkit is a piece of malware that, because it runs with root access, can hide itself from the host operating system and even deceive any security software installed, since its system privileges let it "lie" to whatever detection methods are used. One way to check that a device hasn't been infected by a rootkit is to check the integrity of the system files. On a normal Android device, apps are installed in the user-space part of the OS, and each app is self-contained and runs in what is known as a sandbox. The app runs unhindered in its own sandbox, but it has no authority to change files in other parts of the system or in the sandbox of another app.
If an app does manage to gain root access (through a security vulnerability in the underlying OS), that access is often temporary: once the device is rebooted, the app won't necessarily be running, or be in a position to exploit the vulnerability again. A rootkit, however, once it has gained root access, tries to modify the system area of Android so that its root access survives a reboot.
Clever malware with root privileges can hide from detection programs and otherwise mask itself. It can do this because it is often more privileged than the detectors, which lets it "lie" to the detection programs.
To detect these changes to the system area, Google has implemented dm-verity, a Linux device-mapper feature that sits below the file system and checks each 4 KiB block of the system partition as it is read. The check uses a tree of cryptographic hashes: every data block is hashed, those hashes are packed into hash blocks which are hashed in turn, and so on up to a single root hash. On KitKat the root hash is carried in verity metadata that is signed with an RSA key whose public half is in the boot image, so an attacker who rewrites a system block (or the hash tree) cannot also produce a matching trusted root hash. A block whose hash doesn't match is never returned to the file system; the read fails with an I/O error instead, so modified system data is caught before it can be used.
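To make the hash-tree check concrete, here is a small Python model of the dm-verity read path, written for this article; it is not Google's code and not the kernel target itself, but it follows the same structure (SHA-256 over salt || block, 4 KiB data and hash blocks, 128 digests per hash block, a single trusted root hash). The 300-block "system partition", the fixed salt and the one-byte patch made by the "rootkit" are constructed for the demonstration.

```python
import hashlib

BLOCK_SIZE = 4096                              # dm-verity data and hash block size
DIGEST_SIZE = hashlib.sha256().digest_size     # 32 bytes
DIGESTS_PER_BLOCK = BLOCK_SIZE // DIGEST_SIZE  # 128 digests fit in one hash block


class VerityError(IOError):
    """Raised in place of the EIO that dm-verity returns for a corrupted block."""


def _digest(salt: bytes, data: bytes) -> bytes:
    # dm-verity's default: SHA-256 over salt || block
    return hashlib.sha256(salt + data).digest()


def split_blocks(image: bytes) -> list:
    """Zero-pad the image to a block boundary and cut it into 4 KiB blocks."""
    if len(image) % BLOCK_SIZE:
        image += b"\0" * (BLOCK_SIZE - len(image) % BLOCK_SIZE)
    return [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]


def build_hash_tree(data_blocks: list, salt: bytes):
    """Build the hash tree. levels[0] holds the hash blocks that cover the data
    directly; levels[-1] is the single top block. Returns (levels, root_hash)."""
    levels = []
    digests = [_digest(salt, b) for b in data_blocks]
    while True:
        # Pack digests into hash blocks, zero-padding the last one as dm-verity does.
        level = split_blocks(b"".join(digests))
        levels.append(level)
        if len(level) == 1:
            break
        digests = [_digest(salt, hb) for hb in level]
    return levels, _digest(salt, levels[-1][0])


class VerityDevice:
    """A read path that behaves like the dm-verity target: every block read is
    checked against the hash tree before its contents are returned. Only root_hash
    has to come from a trusted source (on KitKat, the signed verity metadata)."""

    def __init__(self, data_blocks, levels, salt, root_hash):
        self.data, self.levels, self.salt, self.root_hash = data_blocks, levels, salt, root_hash

    def read_block(self, index: int) -> bytes:
        expected = self.root_hash
        # Walk from the top of the tree down to the leaf hash block covering this index.
        for depth in range(len(self.levels) - 1, -1, -1):
            span = DIGESTS_PER_BLOCK ** depth          # data blocks covered per digest here
            hash_block = self.levels[depth][index // (span * DIGESTS_PER_BLOCK)]
            if _digest(self.salt, hash_block) != expected:
                raise VerityError("hash block at depth %d does not match" % depth)
            slot = (index // span) % DIGESTS_PER_BLOCK
            expected = hash_block[slot * DIGEST_SIZE:(slot + 1) * DIGEST_SIZE]
        block = self.data[index]
        if _digest(self.salt, block) != expected:
            raise VerityError("data block %d has been modified" % index)
        return block


def readable(dev: VerityDevice, index: int) -> bool:
    try:
        dev.read_block(index)
        return True
    except VerityError:
        return False


def build_sample_image(n_blocks: int) -> bytes:
    # Constructed stand-in for a system partition: block i is filled with byte i % 256.
    return b"".join(bytes([i % 256]) * BLOCK_SIZE for i in range(n_blocks))


def rootkit_scenario(n_blocks: int = 300, victim: int = 137) -> dict:
    """Set up a clean device, then model a rootkit patching one byte of one
    system block, with and without rewriting the hash tree to match."""
    salt = b"\x5a" * 32                      # constructed; real salts are random per image
    blocks = split_blocks(build_sample_image(n_blocks))
    levels, root = build_hash_tree(blocks, salt)
    clean = VerityDevice(blocks, levels, salt, root)

    patched = list(blocks)
    patched[victim] = b"\xcc" + patched[victim][1:]   # one-byte patch, e.g. a hooked binary
    naive = VerityDevice(patched, levels, salt, root)

    # A smarter attacker regenerates the tree too, but cannot replace the trusted root hash.
    forged_levels, forged_root = build_hash_tree(patched, salt)
    forged = VerityDevice(patched, forged_levels, salt, root)

    return {
        "tree_depth": len(levels),
        "clean_all_readable": all(readable(clean, i) for i in range(n_blocks)),
        "patched_block_rejected": not readable(naive, victim),
        "untouched_block_still_readable": readable(naive, victim - 1),
        "forged_tree_rejected": not readable(forged, victim),
        "forged_root_differs": forged_root != root,
    }


if __name__ == "__main__":
    for name, value in rootkit_scenario().items():
        print("%-32s %s" % (name, value))
```

The interesting property is the last two results: rewriting the hash tree to match the patched block is easy, but the rewritten tree hashes to a different root, and the root the device trusts comes from the signed metadata rather than from the partition the attacker controls. That is why verified boot only means something when the boot image holding the key (and the bootloader that checks it) cannot be replaced.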
This is all great when applied to rootkits, but here is the problem: many of the techniques used by modders to root a device, gain system privileges and install custom ROMs or kernels are very similar to the techniques used by rootkits. A root method that drops an su binary into the system partition is exactly the kind of change dm-verity exists to catch, so rooting a device with dm-verity enabled becomes a whole lot harder, maybe even impossible.
End of custom firmware?
Pulser_G2 has written an article over at xdadevelopers called "Google Taking Aim at Device Modders in Android 4.4 KitKat." The title is a little inflammatory, as Google isn't specifically targeting modders but rather malware; however, the consequences of Google's actions will affect modders.
One aspect of the Android ecosystem that appeals to some is its open-source nature and the freedom that open source gives. There are several popular alternative Android ROMs, including CyanogenMod, which recently went commercial and has partnered with Oppo to release a smartphone with CyanogenMod installed by default. These custom firmware builds often rely on the user gaining root access, or unlocking the bootloader, before installing the new ROM. Note that dm-verity on its own only protects the system partition, and it is enabled from the boot image; a user who can flash a new boot image can simply flash one with verity turned off. It is the combination of the two that matters: manufacturers who ship devices with locked bootloaders and dm-verity enabled will effectively be closing the door on custom firmware installations.
However, all is not lost. First, no devices are yet shipping in this configuration, so it is too early to tell how widespread it will become. Second, since companies like Samsung and HTC are happy to ship "Google Play Edition" versions of their devices, and others ship Developer Editions with unlocked bootloaders, they don't seem closed to the idea of handsets made specifically for those who want to tweak their phones.
The happiest outcome would be for manufacturers to ship handsets with locked bootloaders and dm-verity enabled for those who want assurance that their devices aren't infected by rootkits (especially those using their phones for business), while at the same time offering open models for those who want the freedom to load other firmware.
What do you think, does dm-verity signal the end of custom ROMs?