Linked by Thom Holwerda on Sat 17th Mar 2012 00:35 UTC
PDAs, Cellphones, Wireless Due to their very nature, custom Android ROMs have root enabled by default. Up until relatively recently, installing custom Android ROMs was a thing geeks did, and as such, this wasn't much of a problem. However, over the past few days, I've found out just how easy installing custom ROMs and modifying them really is (I'm running this one until CyanogenMod 9 is ready for the SII), and it seems like more and more regular users are engaging in the practice as well. Suddenly, having root enabled becomes a security liability.
Order by: Score:
Don't have a problem with this.....
by DREVILl30564 on Sat 17th Mar 2012 04:19 UTC
DREVILl30564
Member since:
2008-04-18

so long as it's easy to re-enable it like they said. ;)

Reply Score: 2

lord_rob Member since:
2005-08-06

I suppose Revolutionary will handle that ;-)
http://www.revolutionary.io

Reply Score: 2

Interesting
by WorknMan on Sat 17th Mar 2012 04:20 UTC
WorknMan
Member since:
2005-11-13

IMO, this is the way you do it, and it's similar to the issue of side-loading and security. Make sure it's 'idiot-proof' out of the box so that people who don't know any better won't hurt themselves, but allow those who want to out of the sandbox / walled garden / whatever.

In the case of Android though, any rooting tool I've ever seen has the 'super user' app built in, so any app that wants root would specifically have to be granted that access by the user.

Reply Score: 5

unknown sources
by stabbyjones on Sat 17th Mar 2012 05:01 UTC
stabbyjones
Member since:
2008-04-15

Sounds similar to the tick box to enable loading apk's outside the market. Why would anyone think having the option is a bad thing?

I use root apps and adb commands semi regularly but being able to flip a switch for when I want access sounds like a great way to keep root secure.

Reply Score: 3

RE: unknown sources
by Soulbender on Sat 17th Mar 2012 08:06 UTC in reply to "unknown sources"
Soulbender Member since:
2005-08-18

but...if it's just a matter of "flipping a switch" what is to prevent a rogue application from flipping that switch?
Am i missing something?

Reply Score: 3

RE[2]: unknown sources
by stabbyjones on Sat 17th Mar 2012 09:49 UTC in reply to "RE: unknown sources"
stabbyjones Member since:
2008-04-15

that application would need root access to enable root access so that situation doesn't really hold water.

Reply Score: 2

RE[3]: unknown sources
by Soulbender on Sat 17th Mar 2012 09:51 UTC in reply to "RE[2]: unknown sources"
Soulbender Member since:
2005-08-18

So how does the user get root access to enable root access?
My point is that somewhere there's a means by which to get root access so that you can enable root access. That mechanism could be exploited by rogue apps.

Reply Score: 3

RE[4]: unknown sources
by No it isnt on Sat 17th Mar 2012 11:24 UTC in reply to "RE[3]: unknown sources"
No it isnt Member since:
2005-11-14

Yes, and this is how you get root to install root (su) to begin with. But keep in mind that Android apps run sandboxed.

Reply Score: 4

RE[4]: unknown sources
by patrix on Sat 17th Mar 2012 13:24 UTC in reply to "RE[3]: unknown sources"
patrix Member since:
2006-05-21

You also can't clear all phone data (aka "factory reset") without root access - or any other similar features that work on phones without root..

... Unless that feature is built-in to the room somehow to do exactly that function without needing root. Aka factory reset. So the switch to enable root probably has the same design, ie it's able to allow general root usage or not, and it's built in to the ROM to do just that.

Reply Score: 1

RE[4]: unknown sources
by WereCatf on Sat 17th Mar 2012 15:49 UTC in reply to "RE[3]: unknown sources"
WereCatf Member since:
2006-02-15

So how does the user get root access to enable root access?
My point is that somewhere there's a means by which to get root access so that you can enable root access. That mechanism could be exploited by rogue apps.


The application that does the switching is running as root, it is not an API or library that can just be used by any application installed. Rogue apps cannot just become root through that application unless they find a system security-hole, and if they do they wouldn't need that application anyways.

Reply Score: 4

Good thing
by Elv13 on Sat 17th Mar 2012 05:28 UTC
Elv13
Member since:
2006-06-12

At some point early in Jailbroken iPhone history (or it is still the case), you could try "ssh root@ip password: alpine" using a custom nmap script and virally take control of all iPhones in the universe. At that time, most were jailbroken (iPhone 1 and 3G).

Having custom roms/mods is cool, but it is also very dangerous.

That said, still waiting for CM9 on my N1!

Reply Score: 2

RE: Good thing
by daveak on Sat 17th Mar 2012 15:16 UTC in reply to "Good thing"
daveak Member since:
2008-12-29

Where universe is the same wifi network you are on, or the same telco (possibly only the same APN?)

Reply Score: 2

RE[2]: Good thing
by Elv13 on Sat 17th Mar 2012 18:36 UTC in reply to "RE: Good thing"
Elv13 Member since:
2006-06-12

You forgot the "viral" part. Once an iPhone is compromised, it become the Trojan and spread. Nmap is available for iPhone ;)

Reply Score: 2

SGS4G user here
by modmans2ndcoming on Sat 17th Mar 2012 16:29 UTC
modmans2ndcoming
Member since:
2005-11-09

Does not bother me at all since Cyanogen does not support my phone.... Am I bitter? yes and no... I assumed that the Galaxy S4G was close enough to the original Galaxy S and the Nexus S that it would be supported....Nice education I had on marketing names vs. technology in the phone....Plus, I should have checked the damn supported device list on their site.

Reply Score: 2

On CM9 now
by Thom_Holwerda on Sat 17th Mar 2012 17:16 UTC
Thom_Holwerda
Member since:
2005-06-29

Installed CM9 nightly today on my SII. Everything works (save for the known lack of video recording, CM needs kernel source for that), and I haven't experienced any crashes or bugs. The thing is lightning fast. It's insane.

It does seem to suck battery faster, but then again, I'm using it more often to play with it, so it probably isn't going into deep sleep as much as when I was still on GB.

Suffice it to say - fcuk Samsung and stock crap. CM all the way from now on.

Reply Score: 3

kcorey
Member since:
2007-11-06

I'm stunned that savvy vendors haven't decided to help CyanogenMod support their old devices.

I mean, most of them are so crap at releasing updated versions of the operating system that Android itself is getting a stigma attached.

Wouldn't it just make *far* more sense for, say, Samsung to give CyanogenMod a little love, and call them the official "support" team. All of a sudden, Samsung is off the hook, and no longer has to continue supporting older devices.

I'd bet this would not cannibalise sales of new devices anyway (anyone willing and smart enough can root most devices now. Those people aren't going to be buying a new phone just because the O/S isn't the newest.

-Ken

Reply Score: 1

BrianH Member since:
2005-07-06

Savvy vendors realize that they don't get a penny from supporting old devices, they only get money for people throwing away their old devices and buying new ones. Will you and 100000 of your closest friends pay $10 each for an OS upgrade? Then it might be worth it to the vendor.

Reply Score: 3

unoengborg Member since:
2005-07-06

Savvy vendors realize that they don't get a penny from supporting old devices, they only get money for people throwing away their old devices and buying new ones. Will you and 100000 of your closest friends pay $10 each for an OS upgrade? Then it might be worth it to the vendor.


Yes, but they only get money if people actually buy a new phone from the same vender. Offering good support and frequent updates increases the chanses that they keep their customer. Frequent upgrades are often mentioned as a reason for buying iPhone, and Apple isn't exactly in the red.

And no, I would not mind to pay $10 for the next version of the OS, at least as long as the old version was supported as far as security fixes for a resonable amount of time. However I don't think $10 would matter much, they could just as well supply it for free, and get happy customers. That would be worth a lot more to them than $10.


However many people flash their phones with new a new ROM, not because the vendor doesn't provide an upgrade, but because the vendor supplied software is full of bloatware and questionable modifications in order to make the experince unique. Just because you like Samsung or HTC hardware doesn't necessarily mean that you like Touch Wiz or Sense

Reply Score: 2

coreyography Member since:
2009-03-06

Probably won't happen. The PHBs at the handset vendors are under a (misguided) perception that they differentiate and innovate with their customizations of Android. And the carriers (at least in the US) dictate a lot of what features (and bloatware) are in the phones as well. I also believe they do use the lure of new Android versions to sell new hardware, whether that actually drives those sales or not (benefits both handset makers as well as US carriers looking to keep people on contract).

I have an HTC Incredible. Sense wasn't that bad, and had a few nice features. But I didn't realize how much it killed the phone's performance until I put first a "de-bloated" ROM on it, and later CM7. I miss a few Sense features (camera, SMS app), but enjoy so many others that I donated to the project. CM7 is dizzyingly customizable, and there are always Market^H^H^H^H^H^HGoogle Play apps if necessary. I also probably wouldn't have Gingerbread on it had I not flashed a custom ROM.

However, you never know what might happen. Didn't one of the lead CM devs take a job with Samsung?

Edited 2012-03-19 01:05 UTC

Reply Score: 2

HTC Sense
by jimmystewpot on Sun 18th Mar 2012 03:51 UTC
jimmystewpot
Member since:
2006-01-19

I agree with the sense comment.. utterly shocking in recent versions of sense. I have so far however been very impressed with the changes that HTC have incorporated into their ICS versions of Sense on the new range of phones (one). It so far beats the SGS2 for ICS + custom skins...

Having said that I run CM9/AOSPX on my handsets...

Reply Score: 1

dsmogor
Member since:
2005-09-01

technically. does it mean launcher runs as root? or that any app installed now run as root? or only Apps that demand this in their mainfests are launched with escalated priviledges?

Reply Score: 2

Comment by deathshadow
by deathshadow on Sun 18th Mar 2012 15:16 UTC
deathshadow
Member since:
2005-07-12

so long as by "security vulnerability" you actually mean "removing vendor lock-out".

Since that's REALLY what we're talking about here, the sleazy monopolistic practice of vendor lock-in.

Though at least we're talking about making it easy enough to re-enable instead of it being the default state... unlike some other phone/pad vendors I could mention who consider it a violation of the EULA to even consider enabling it.

You know EULA's -- using contract law to circumvent real laws or even common sense.

Edited 2012-03-18 15:17 UTC

Reply Score: 1