Today I am releasing the paper which I presented recently at the C0C0N conference at Ernakulam. This paper outlines security misconfigurations in custom ROMs that can lead to device compromise, data theft and so on.
Hope this helps in the secure development and deployment of custom ROMs.
The link contains downloads for both my slide pack and the complete whitepaper.
Also, a crude application has been created and uploaded to the Android Market which can help in identifying the issue.
7 thoughts on “Whitepaper : Security Issues in Android Custom ROM's”
Nice paper dude…
I liked the perspective and the way you have explained it.
What I liked best was the Android stack picture 🙂
After I've read your white paper I got 2 conclusions:
1. You're absolutely right and explain it as it should be, but…
2. If devs consider all that, why develop anything?
As a principle I think you're right, but the fact is if any ROM is developed as “closed” almost anyone use it, and no matter what makes you develop, you certainly won't develop for 1/2 guys/gals. For that we have stock ones :)
Now, I can agree with something like a big alert on every ROM development section/thread about the potential risk of installing an “open” ROM, but more than that will kill all development in the end ;)
Good work, I think these issues are not emphasized enough. The vulnerability with custom recovery alone is putting people at great risk. Another thing to check for is whether the custom ROM was signed with the test keys that come with the source as some are. It allows an attacker to sign their malware with the same keys and get access to system permissions.
Hm, good work, still you have to work something more.
Thanks for taking time to read it.
However, can you help me understand what exactly you were looking at and didn't find satisfactory?
Hi, your article is helpful in understanding the rooting system. I have these two questions. Would appreciate it if you respond.
1. Can you give us more information about setuid on the Android OS?
2. I have seen some of the rooting exploits root the phone even though ro.secure is 1. How can they do that?
Point 1: setuid is similar to what it is in GNU/Linux.
Point 2: rooting exploits are basically exploits, i.e. they find a way through a legitimately running application, causing a buffer overflow or race condition, to acquire root access. ro.secure is just to make sure adb drops its privileges after starting up and the adb root command should not work. Check RageAgainstTheCage, which was a specific exploit for adb exploiting a race condition as well as an unchecked conditional response.
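As an added example (not the paper's code and not the Android Market app mentioned in the post), here is a small checker over a ROM's build.prop that flags the settings discussed in this thread: ro.secure=0, ro.debuggable=1, and a build tagged with the AOSP test keys. The build.prop contents below are constructed for illustration; the property names are the standard Android ones.

```python
# Constructed sample of a custom ROM's build.prop (not taken from any real device).
SAMPLE_BUILD_PROP = """\
# begin build properties
ro.build.id=CONSTRUCTED
ro.build.type=userdebug
ro.build.tags=test-keys
ro.build.fingerprint=vendor/device/device:4.0.4/CONSTRUCTED/1:userdebug/test-keys
ro.secure=0
ro.debuggable=1
"""

# Settings the thread discusses, with the value that makes each one risky.
RISKY = {
    "ro.secure": ("0", "adbd keeps root instead of dropping to the shell user; 'adb root' works"),
    "ro.debuggable": ("1", "debug build: 'adb root' is permitted and any app can be debugged"),
}

def parse_props(text):
    """Parse build.prop key=value lines into a dict, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_props(props):
    """Return [(property, value, reason)] for every risky setting found."""
    findings = []
    for key, (bad, reason) in RISKY.items():
        if props.get(key) == bad:
            findings.append((key, bad, reason))
    # A ROM signed with the public AOSP test keys means the platform signature is
    # not private, which is the signing issue raised in the comments above.
    tags = props.get("ro.build.tags", "")
    fingerprint = props.get("ro.build.fingerprint", "")
    if "test-keys" in tags or fingerprint.endswith("/test-keys"):
        findings.append(("ro.build.tags", tags or fingerprint, "ROM signed with AOSP test keys"))
    return findings

def audit_build_prop(text):
    """Parse then audit a build.prop text; returns the findings list."""
    return audit_props(parse_props(text))

if __name__ == "__main__":
    for key, value, reason in audit_build_prop(SAMPLE_BUILD_PROP):
        print(f"[!] {key}={value}: {reason}")
```

On a real device the same text can be obtained with `adb pull /system/build.prop` and fed to `audit_build_prop`.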