Once widespread for facilitating deeper customization and removing OS limitations on mobile devices, rooting and jailbreaking, are becoming primarily the domain of power users, as manufacturers have made giant leaps to limit this practice via two different approaches.
Firstly, by adding additional customization options to prevent users from feeling restricted, and secondly, by introducing more stringent security protocols into stock Android and iOS versions.
However, despite a drop in the number of rooted and jailbroken devices in general, they still represent a very dire security threat, not to the user alone, but to entities who allow staff members to access confidential corporate apps and data from their devices.
Recent data from Zimperium shows that rooted devices are over 3.5 times more likely to be targeted by mobile malware. These vulnerabilities could lead to a company-wide breach, either accidentally or as part of a highly organized attack.
Insights from the data revealed that tooted devices make up 0.1% of Zimperium’s total customer base, with the breakdown as follows:
- Android: 1 in 400 devices (0.25%) is rooted
- iOS: 1 in 2,500 devices (0.04%) is jailbroken
Although the US and Malaysia are the main culprits when it comes to finding rooted devices, they are widespread everywhere. According to the research, the exposure of rooted devices compared to stock devices ranges from 3x to 3,000x, showing that rooted devices are infinitely more vulnerable to threats, specifically:
- Malware attacks are 3.5 times more frequent
- Compromised app detections are 12 times higher
- System compromise incidents are 250 times more common
- Filesystem compromise events increase by 3,000 times
- Security-Enhanced Linux (SELinux) being disabled happens 90 times more often
The Cat-and-Mouse Game
Rooting tools have been around since Android debuted in 2008, evolving to give users more control, and by 2016, manufacturers and security vendors began actively working to detect these tools. Tools like Magisk, which allow “systemless rooting,” became popular as they could fly under the security checks radar and remain effective even after system updates.
In this way, rooting shifted from a means of gaining control to winning a battle of stealth, with tools evolving to slip through security nets while keeping control over the device.
Running Everything at Admin Permission Level
Erich Kron, Security Awareness Advocate at KnowBe4, says: “Rooting devices has historically been a method to unlock features or install software that may be created outside of the official app stores. Unfortunately, when a device is jailbroken or rooted, the security that is put in place by default is bypassed and the user of the device is now running everything at an admin permission level. Because the security built into the operating system will often restrict unknown apps from running, you can’t simply restore the device to a secure state after installing the application. This bypass of security will remain in place in most situations, making it much easier for malware to exploit the device.
Those who are considering rooting or jailbreaking their devices need to be very aware of the additional risk it puts them at, particularly if these devices are being used every day, Kron adds. “The device not only becomes vulnerable to malware being installed by the user, but can also become a threat to the network it is connected to. Bad actors will often scan networks for potentially exploitable devices upon initial network intrusion.”
Extraction of Biometric Information
Past research of mobile devices for financial entities discovered that one of the more common risks is the extraction of biometric information from the trusted execution environment on the device, adds Adam Brown, Managing Consultant at Black Duck. “For each assessment it is assumed the device could be and would be rooted and that a nefarious third-party app would be present. Typically, weaknesses were found in architecture and code implementations, however, over the years there have been improvements made by the major device producers in the architecture and software implementations of these devices and ultimately their resilience and security against such attacks.”
Brown says while improved device resilience and security against malware is very positive, app producers and organizations that rely on mobile devices must understand the risk of the software architecture and code implementation on these devices and take action. Otherwise, the weaknesses introduced at that stage result in vulnerabilities and therefore breaches. “Some questions to ask of your organization to assess your own risk include: Do you run high risk transactions on mobile apps? Do you allow your users / customers to use that app on all devices? Do you know what weaknesses and therefore risks are present on those devices? How do you mitigate against them?”
Sideloading Apps
One reason some like to root their Android device or jailbreak their iOS device is to have the ability to sideload applications, adds Jason Soroko, Senior Fellow at Sectigo. “Sideloading bypasses the official app store’s rigorous vetting process, leaving devices exposed to malware, unauthorized code, and other security risks. With Apple now forced in Europe to allow sideloading, the safety net of curated applications is eroded, increasing the potential for compromised apps and systemic vulnerabilities that attackers can exploit to access sensitive data and undermine device integrity.”
Spyware on iOS and Android often hinges on jailbreaking or rooting to breach core security measures, says Soroko. “By circumventing built-in OS restrictions, attackers secure elevated privileges that allow them to install and conceal spyware. This malicious procedure typically starts with exploiting a device’s vulnerability or tricking users into compromising their own systems, ultimately enabling the spyware to operate undetected, monitor activities, and extract sensitive data.”
Advanced Threat Detection
Mobile device security is a critical concern that’s often overlooked in corporate planning, comments J Stephen Kowski, Field CTO at SlashNext. “Rather than implementing an all-or-nothing approach to personal devices, companies should consider deploying advanced threat detection that can identify compromised devices, block phishing attempts, and prevent lateral movement within networks without disrupting employee workflows. The real solution requires both technical controls and financial planning – recognizing that secure mobile access is now as essential to knowledge workers as computers were decades ago, and budgeting accordingly for proper protection.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
