This article nails it. Myself and the other folks who make up the Unrevoked team are basically searching for security exploits on the devices we support. We can't reveal these to the carriers, the phone manufacturers or the Android team because they'll be fixed in the next release and we'll invest the time to find another one.* Each additional exploit is marginally more difficult than the last to find.
We'd much prefer to abandon our rooting efforts entirely and have the market flooded with phones that have the equivalent of "fastboot oem unlock", or have easy ways to flash custom ROMs like the Dell Streak (no signature required), the original Droid and some of Samsung's devices. The energy we spend working on root could be better applied in finding and fixing the security holes that exist on the Android platform.
Until then we'll keep poking holes in the security of HTC devices (our focus) and make them work as hard as possible to figure out which holes we've exploited to keep the rooting window open as long as possible. We'll also keep recommending that people put their money on open devices like the Nexus One and the Nexus S.
* The exception to this was the skyagent hole, where HTC and Sprint shipped a suid-root program that would give any program you installed full control of your device. We notified them of the problem, then shipped a root based on it shortly after:
In a more perfect world, the general public would understand the important distinction between malicious "hackers" and you guys. Keep up the good work.
What do you tell your laymen friends and family that you do? Do you call it hacking? Security analysis? Something else?
This is the best kind of security research. Sometimes people think security research is unethical, but there is no ethical question here: should a user sitting in front of his own device be able to use it for anything he wants? The answer is "of course".
As a user of an unlocked Evo, I want to thank you for doing this work. It makes my life more enjoyable!
There's absolutely nothing illegal about downloading the SSH source code, finding a buffer overflow, and releasing code that demonstrates that that buffer overflow gets you root. The downside is that a lot of kiddies will use this information to cause mayhem.
When you do the same to the phone, there is much less mayhem. But there's absolutely nothing illegal about the first scenario.
Thank you so much for your work guys.
you facilitated turning my "nice" htc incredible device, to a rooted awesome custom rom souped up droid phone that is truly incredible.
This is the same thing that the iPhone jailbreakers do: look for security holes to open up the window to "root" (or install another OS: http://www.idroidproject.org/) on the iPhone.
The sad part is that Android is supposed to solve this problem, but (for many of the devices) it doesn't seem to change it at all.
I'm not as familiar with jailbreaking the iPhone as I am with rooting Android phones, so feel free to correct me.
Android is much more difficult to exploit for us because most processes don't run with the equivalent of root. Even through we're able to exploit the browser occasionally, we can't normally use that to escalate to root (there are some exceptions to this that I won't go into :)). There are system processes, but generally these important processes run as "system" rather than root. Generally, only the processes that need to setuid() to another user run as root.
I believe (but I'm not sure) that the iPhone has two users: one at a root level for system processes/applications and another for installed applications. This allows the iPhone dev team to attack the browser and use that to quickly gain control of the entire device.
The nice part on Android for us is having access to the adb shell, which occasionally lets us poke into things we shouldn't normally be able to poke at. Most Android root attempts happen through this shell user which is generally inaccessible to installed applications. You can see the additional groups granted to the shell user here:
That was true for iPhone OS 1.x, but since 2.0 they moved everything to 'mobile' except a few (very heavily sandboxed) daemons. For example, the 'JailbreakMe' jailbreak exploited FreeType running in the browser (Safari), but it still was sandboxed and running as 'mobile', so it had to the exploit the kernel itself -- from userland -- to get full access to the system. (It also installed itself to run at startup, using yet another exploit to evade the code signing requirements.)
However, if, on an iOS device, you do find an exploit in a root process, you still don't have a way to do much. Because of the code signing requirements and the W^X protection, you can't run your own binary or even execute shellcode: ROP is the only method possible to run code. So you still have to exploit the kernel to disable those, making root code execution is only slightly more useful than 'mobile' code execution for that purpose.
But that's not even really relevant, since only a few (JailbreakMe, Spirit, the on-bootup component of limera1n and greenpois0n) of the "jailbreaks" (a really misleading term, since they are more of "injected kernel patches to remove code signing requirements") are even done from a booted device at all! Most of the exploitation happens in the lower-level bootloaders, over USB (using the protocols intended for restoring the device if the higher-level components fail). Once you get access there, you can pretty much do anything you want (run a different OS, remove restrictions from the kernel), but only for this one boot cycle. After a reboot, you need to apply these patches again, leading to what's known as a "tethered jailbreak": you have to exploit the bootloaders each reboot to start up the device. This can be avoided with yet another exploit, which breaks the chain of trust at boot time to apply the patches without user intervention.
Edit: some clarification.
Edit 2: I should turn this into a blog post ;P.
Thanks for the clarification! My iPhone knowledge is horribly dated. It sounds like the iPhone security model has advanced beyond Android: there is still no sandboxing outside of uid/gid perms on Android.
Much of the work we do on Android involves some of the lower-level bootloaders well. Because each of the different Android manufacturers has implemented their own bootloaders, we tend to find lots of potential exploits at that level.
The work you guys do on the iPhone side is impressive.
iOS actually has a full implementation of Scheme (TinyScheme) running inside the kernel, that manages the (often very complex) permission schemes -- one for each type of pre-installed app or daemon, and then one for the third-party apps as well.
Edit: Unrelated: I just realized you made the Treo 650 Linux version -- that was awesome!
Aren't most unbranded HTC Android phones already sold unlocked? E.g., on my HTC Wildfire there was an engineering bootloader preinstalled, so shouldn't this bootloader provide me with the same features as an "oem unlock'ed" Nexus?
> Unfortunately, until carriers and manufacturers provide an easy method to legitimately unlock devices, there will be a natural tension between the rooting and security communities. We can only hope that carriers and manufacturers will recognize this, and not force users to choose between device openness and security.
I don’t see that as likely. In fact, Android’s “openness” can lead to maliciousness on the part of carriers and phone makers against their users. I cite Android phones that come from carriers with unremovable junkware & phones that have hardware encryption that prevents user rooting.
That practice is being offset by the sheer number and variety of Android devices, consumers are buying the more ‘open’ handsets and thus signaling the demand for them.
I imagine the quantity is small but there is some percentage of buyers, such as myself, that make sure there is an root exploit available before I buy a phone.
I know it's not fashionable nowadays, but I, for my part stick to Nokia phones.
"Rootability" is not an accident there, but part of the design.
This, of course is unless your (subsidized) phone is locked down to hell and then some. This is much less a problem in Europe, since you can always buy the unlocked phone and as a matter of fact, with the exception of pre-paid phones, even subsidized phones are not SIM-locked (you sign a contract anyway) and I never had one loaded with un- removable crap-ware.
Absolutely. I wanted to buy an EVO 4G and because root was easily available, I had no trouble paying the ETF and switching to Sprint. If I had to use the phone as I bought it from them, I would not be a customer.
One would imagine buyers get influenced by reviews and those tend to favor the more consumer friendly choices. Also there was an incident with Vodafone where people complained about their bloatware on twitter and they soon pushed an update to remove it.
To be fair, they never released a CDMA Nexus. I could've personally moved half a dozen if they had. Instead, Motorola sold 3 Droid 1s and 3 locked-BL Droids.
compare the nexus one with the closed version from htc... the nexus lost to any of them. to the point of google dropping sales.
a company, that can dump money on every kind of crap, discontinued sales of something. how much worse do you want it to get until you accept it was a joke for sales?
..funny thing is that people are paying now in ebay MORE than the original price to have the device.
Most people just walk into a store and get a phone that they think is cool. The Nexus One was not available anywhere except Google's website.
When I went in to the T-Mobile store, I came out with a G1 because the T-Mobile lady was explaining all of the hoops one must jump through to use a Nexus One. They don't carry them so you have to order online and wait 4-7 days for the phone to arrive (my old phone was broken, so this alone made it not an option for me), you can't use T-Mobile's normal plans on them, I wouldn't have been able to buy with subsidy because my previous contract had one month left and therefore manager override was necessary to grant the discount on the phone, and I didn't have $500-$600 cash sitting around to spend on a phone, and so on.
If the N1 got the same kind of carrier marketing and buy-in that the other phones got, I'm sure it would have done well. Carriers, however, did not want to provide that marketing or support because doing so would minimize their death grip on the end-user and count as a success for something not loaded with carrier crapware, which they don't want either.
The carriers know, of course, that nobody really _likes_ having a permanent, unremovable Blockbuster app on their phone. But since people will tolerate it, and the carrier gets a lot of money from Blockbuster (or NASCAR or whatever) for doing that, they want to keep phones that are free from this crapware as far away as possible; if they didn't, people would prefer phones that are without crapware, and this would impede the carrier's ability to sell contracts to include crapware.
FYI the t-mobile people told me that too, but I went ahead and ordered it and it was just fine. Of course this was right before they retired the online sales... I got it for $199 + a regular contract...
Maybe it was so they could get their commission. I once had a roommate who sold phones. He used to talk about the tricks he'd use to get more commission out of a sale.
People always say this, but in the United States, T-Mobile is the only carrier that even has any alternate options. Everyone else doesn't discount your rate; you pay the same whether you buy a phone outright or buy on subsidy. Buying outright simply prevents a two-year contract (where the early termination fee is usually cheaper than the sticker price for the phone). There's no reason not to buy without subsidy unless you use T-Mobile.
T-Mobile offers a couple of different options, one of which is a $10-$20 discount on the monthly plan for non-contract phones, or a zero-interest amortized 24-month payment plan that allows you to still get the subsidy and the discounted plan. To me, not having to drop $500 to get a phone when I don't have $500 is worth $10-$20/mo (which, over two years, depending on the phone you get and the price you pay with contract, is usually pretty close to the sticker price for the phone anyway, maybe +$100-$200 than buying outright, a reasonable finance charge), and I didn't know about the payment plan when I signed up, though it's generally been agreed that that turns out to be the best option.
It was perhaps a little ambitious for Google to expect to sell more Nexus Ones (with easy sign-up/subsidy by T-Mobile) versus Verizon selling Droids (with easy sign-up/subsidy by Verizon). It's a great device and I love mine, but that doesn't mean Google is equipped to be able to sell it.
Actually, paying more on eBay for a device that is scarce is just called economics. Though, it would be surprising to learn that the price was much higher than the original unlocked price + $30 - since you can still purchase one if you have registered yourself as a developer with an Android Market account.
Nice to see a clear statement from Google that they believe all manufacturers should ship a way to unlock their phones. It's largely symbolic since it is out of Google's hands but at least Google is making their view heard for what it is worth.
An engineer on the Android Security Team objects to people claiming they've "rooted the Nexus S" by installing a custom ROM on it when all they've done is taken advantage of a feature named "fastboot_oem_unlock" which allows you to install a custom ROM.
given the lengths microsoft work with hardware manufacturers and computer assemblers such as Dell, being able to install anything and have the drivers working is indeed a breach of microsoft market security :)
The irony being that Dell laptops made even this year won't accept clean Windows 7 (well, it will, but the Display won't work correctly and the Wifi didn't work until I went and downloaded them from Dell which was a challenge considering I didn't have ethernet. Luckily, my Droid 1 can tether, thanks to a custom rom. What a coincidence.
Of course the Ubuntu live disc worked fine and offered to install a better display and wifi driver for me automatically when I had wifi or an internet connection next.
Well, he was more directly annoyed by commenters then more or less claiming "Android is easily rooted; ergo Android's security is bad; ergo (by implication) you shouldn't use it" - a bit more there than pure semantics.
What is Google's position on phones being rooted for the sole purpose of acquiring pirated apps? From where I'm sitting it seems Google is not doing anything to discourage this and is implicitly saying that the ad-driven revenue model is the way to go, natch.
I wonder how many Home Depot customers go on to kill people with wrenches compared to how many iPhone & Android rooters/jailbreakers go on to pirate apps? And no, I'm not talking about the average HN'er - rather every Uncle Dick in my family who doesn't know sh*t about tech but is only too happy to tell me about all the 'free' apps he's downloaded now that he jailbreaked his crummy iPhone.
Sorry - it's a question that's worth asking. If everyone was assaulting each other with wrenches, we'd declare martial law - the constitution isn't a suicide pact. If Android is the hottest smartphone OS in the US right now (and it is), why are the app attachment rates so low?
As a console game developer whose friends have developed iOS and Android apps that have seen huge download and play numbers (as measured by leaderboard submissions) but have seen almost no purchases, I have zero interest in developing for either platform.
I'm a developer with a paid app in the Android Market. If my only choices were to accept rampant piracy or to prohibit users from having control over their own hardware, I'd take the first without hesitation.
Of course that's a false dilemma; my app is earning several hundred dollars a month with zero marketing and zero copy protection. The vast majority of apps are not going to be Angry Birds-scale hits, and that's true with or without piracy.
We'd much prefer to abandon our rooting efforts entirely and have the market flooded with phones that have the equivalent of "fastboot oem unlock", or have easy ways to flash custom ROMs like the Dell Streak (no signature required), the original Droid and some of Samsung's devices. The energy we spend working on root could be better applied in finding and fixing the security holes that exist on the Android platform.
Until then we'll keep poking holes in the security of HTC devices (our focus) and make them work as hard as possible to figure out which holes we've exploited to keep the rooting window open as long as possible. We'll also keep recommending that people put their money on open devices like the Nexus One and the Nexus S.
* The exception to this was the skyagent hole, where HTC and Sprint shipped a suid-root program that would give any program you installed full control of your device. We notified them of the problem, then shipped a root based on it shortly after:
http://www.scribd.com/doc/34024714/Skyagent-Protocol-Descrip...
http://unrevoked.com/rootwiki/doku.php/public/unrevoked1_dis...