Google used its Android Developers blog yesterday to deny a correlation between rooting a handset and perceived poor security measures on the operating system.
In the blog, Android engineer Nick Kralevich pointed to comments on an Engadget post that characterized the Nexus S’ security as “crap.” Not surprisingly, Kralevich disagreed.
“Legitimately gaining root access to your device is a far cry from most rooting exploits,” he wrote. “Traditional rooting attacks are typically performed by exploiting an unpatched security hole on the device. Android has a strong security strategy, backed by a solid implementation.”
Though such assumptions spread like wildfire every time a security company or development team talks about Android’s exploits and vulnerabilities, Google argues that rooting a phone should be the beginning of an experience. “It should be no surprise that modifying the operating system can give you root access to your phone,” Kralevich wrote.
Common reasons for rooting a phone include letting users decide which apps should be loaded or operating the handset on a different carrier’s network. Most often, it’s simply done to install custom operating systems such as CyanogenMod.
Kralevich also discussed two types of rooting. Root access, which gives users root-level access to the device, opens the door to custom boot images and ROMs. Though hackers and modders are quick to take advantage of access whenever a new phone enters the market, they don’t have to bypass much security to do so.
The second, and scarier, type of rooting is accomplished by exploiting the OS, but Android’s nature makes it a fairly difficult task. As all apps and games are sandboxed from each other, exploiting one app should not affect the next. Also, all applications are required to declare the permissions they use.
Though hackers love to find weak spots in mobile Web browsers and sneak onto phones through the back door, the Android team moves quickly to patch documented holes and releases fixes as needed. And thanks to the open-source community, anyone and everyone is welcome to contribute to the platform.
If Google does see a problem with rooting, it appears to be the wireless carriers. According to the blog, until carriers and manufacturers make it easier for users to unlock devices, “there will be a natural tension between the rooting and security communities.”
“It’s possible to design unlocking techniques that protect the integrity of the mobile network, the rights of content providers, and the rights of application developers, while at the same time giving users choice,” Kralevich wrote. “Users should demand no less.” Unfortunately, there doesn’t seem to be much wiggle room in the current system.