Detecting and preventing Jailbreak and Root is a common practice in the art of protecting mobile banking and other Android and iOS apps. On the one hand, cyber security professionals agree that jailbreaking an iOS device or rooting an Android device is not an attack by itself. They caution that jailbreak and rooting allow researchers, pen testers, and hackers to pave the way for attacks. Once an attacker gains access to the mobile operating system, attacking mobile apps, data breaches and other exploits can be a lot more effective. On the other hand, mobile product and business owners don’t want to lose the mobile end users that want to run the legitimate app on a jailbroken or rooted device.
Here at Appdome, we’ve seen all sides of this debate. Most security teams and some regulators around the world recommend (or require) that mobile banking apps must be able to detect and/or prevent jailbreaking and rooting. When detected, the mobile banking app should be capable of blocking the use of the app itself or blocking access to sensitive data or features in the app. No matter what, in order to protect users and data, the mobile banking app should be aware that the operating system has been compromised.
Here are the top 3 reasons why Jailbreak and Root is the old, new thing in protecting mobile banking apps.
#1 The Arms Race in Jailbreak and Rooting is Heating Up
There’s an arms race going on in Jailbreak and Rooting. Hackers build jailbreak and rooting tools, root kits and rooting exploits by finding vulnerabilities in new devices and new versions of popular mobile operating systems. For example, hackers will release new jailbreak tools every time Apple launches a new phone or a new version of their OS. The same is true for Android, just check out this 2022 list of the best 52 Rooting tools. For example, Magisk released version 24.2 in early March, giving hackers and fraudsters a new attack tool that is fully compatible with Android 12. There’s no one way these tools work. And, even if the user uninstalls the rooting tool, residue from the root action can remain on the device for a long time (providing an open door to other malware and exploits).
In addition to the growing number of tools to carry out jailbreak and root of a mobile device, “root hiding,” “jailbreak bypass” and “running as root” have all arisen recently as new twists on the jailbreak and root phenomenon. Magisk offers a root hiding method. Liberty lite offers a jailbreak bypass method. These examples and many others offer hackers, pen testers and others methods to escape detection from jailbreak and root defenses. These tools either mask or cover up the jailbreak or root condition itself, or attach, attack or spoof the detection methods used to determine the state of the operating system. Android Debug Bridge (ADB) also offers a powerful option to run “as rooted,” so a researcher or other hacker can run an app as if rooting a device without actually rooting a device (even more sneaky)!
There are legitimate reasons for mobile banking customers to use Jailbroken and Rooted devices. Check out these 5 legitimate reasons to jailbreak an iOS device. It’s also important that common root scanning tools actually require root access. These tools are used to confirm the jailbreak or root action was done fully, not verify the integrity of the operating system (sneaky, I know). Bottom line, there are myriad ways of jailbreaking and rooting a mobile device, only some of which is intentional.
#2 OS Level Exploits Are on the Rise
As part of our Mobile App Cyber Defense Advisory, we noted that jailbreak and rooting events are on the rise, largely from malware class exploits. In addition, Samsung confirmed that hackers stole the source code for Android operating systems used on Galaxy phones. This breach makes rooting a Galaxy device much easier and, 2+ billion Galaxy devices sold to consumers, will no doubt have lasting implications for the security posture on Samsung Galaxy and related devices. At Appdome, we love pen testers. Pen testers are the guardians of the mobile ecosystem because they strive to stay on pace and ahead of hackers, malware makers and others. In the last months, I worked with a dozen banks who all failed a pen test because their internal or external pen testers started using advanced jailbreak or rooting tools such as jailbreak detection bypass tools like Liberty Lite, Shadow, tsProtector and root detection Bypass tools such as Magisk, MagiskHide, RootCloak, and Fridantiroot. These tools become commonplace, or par for the course, now in DevSecOps security validations.
#3 Jailbreak and Root for Cyber Awareness in Mobile UI/UX
Mobile banking customers have a delicate balance to achieve when considering jailbreak and root prevention. The security teams want to prevent their apps from running on mobile devices that have a compromised Operating System. The business teams on the other hand, want to reach mobile banking customers even if they may use jailbroken and rooted mobile devices. Jailbreak and root detection offer a excellent opportunity for a win-win for the mobile security and mobile business teams.
Instead of simply blocking or allowing jailbreak and root, what if a user with a jailbroken or rooted operating system could be directed to a page inside the mobile app that describes the risks of using the mobile banking app on a compromised OS? What if, the same user (running a mobile banking app on a compromised device) was allowed to do some things in the app but prevented from doing other things (for example limit the amount of transfers or adding of a new payee using the app) until the device was returned to a non-rooted state? Imagine further that the communication of this protection was “on brand” and woven into the value proposition of the app itself. Users would feel protected and respected all at once. This type of integrated enforcement is what Appdome’s Threat Events is all about. Threat Events offers mobile banking customers the flexibility and power to design the detection, notification and enforcement options that suite their specific user base. The possibilities with Threat Events to customize and tailor the threat response to a specific use case are endless.
As discussed, jailbreaking an iOS device or rooting an Android device is not an attack by itself, but it is a way for researchers, pen testers, and hackers to pave the way for attacks. With jailbreak and root, an attacker gains access to the mobile operating system, and it is that access that will make their attacks more effective. On the other hand, there are many legitimate reasons why consumers want to run apps on a jailbroken or rooted device.
Today’s threat landscape is not black and white, and the tools used by hackers and pen testers alike are more complex. This requires a more nuanced approach from the mobile banking business when enforcing jailbreak and root prevention.
Appdome is the trusted and proven partner banks should work with to created the right security model that allows them to build a measured threat response against the old, new jailbreak and root. If you want to see how we can help you, I invite you to request a demo today.