2014/08/05

[Blog Post] Whether to Support Rooted Device in WSO2 EMM

  • Niranjan Karunanandham
  • Senior Software Engineer - WSO2

EMM stands for Enterprise Mobility Management, a set of tools and policies used to manage the mobile devices within an organization. It can be classified into three parts:

Mobile Device Management (MDM)

MDM is used by administrators to deploy, monitor, secure and manage mobile devices such as smartphones, tablets and laptops within an organization. The main purpose of MDM is to protect the organization's network.

Mobile Application Management (MAM)

MAM is used for provisioning and controlling access to internally developed and public applications on personal devices and company-owned smartphones, tablets and laptops.

Mobile Information Management (MIM)

MIM ensures that sensitive data on the devices is encrypted and can be accessed only by certain applications.

Rooted (jailbroken) devices give the user full system-level privileges, including access to the file system. Since the device has root access permission, anyone who gets hold of the device can bypass the passlock and access the phone.

WSO2 EMM allows an organization to enrol both BYOD (Bring Your Own Device) and COPE (Company Owned Personal Enabled) devices. This allows employees to store the organization's data (if the organization permits) on the devices. This data can be both sensitive and non-sensitive, and it should be stored securely on the device so that it cannot be accessed by other applications (other than the organization’s applications).

A device is rooted/jailbroken by exploiting a security flaw in the OS and installing an application to get elevated permission. Once the security flaw has been exploited, the device is more vulnerable. One of the main concerns with rooted/jailbroken devices is that the OS-level protection is lost. By default, a mobile OS has built-in security that protects the data on the device. I have taken the two most popular mobile operating systems and explained the security risk when the device is rooted/jailbroken. Once it is rooted/jailbroken, other applications gain system-level permission.

  • iOS

    In iOS, data protection is implemented in software and works with the hardware and firmware encryption to provide better security [1]. In simple terms, when data protection is enabled, the data is encrypted using a complex key hierarchy. Therefore, when a device is locked, the data is all encrypted, and it is decrypted when the device is unlocked. This protection is lost when the device is jailbroken: the user can bypass the lock screen and access the phone.

  • Android

    As explained above, when a device is rooted, it provides system-level privileges to applications. Most end users do not know about permissions and, when installing an app, do not bother to check which permissions they are granting to it. This allows the app to obtain user data (credit card details, bank details, etc.) and send it to someone else.

    Rooted devices lead to data leaks, hardware failures and so on. According to the Android Security Overview [2], encrypting data with a key store on the device or with a key store on the server side does not protect it on a rooted device, since at some point it needs to be provided to the application, where it is accessible to the root user. The user also has access to the file system and can thereby access the data inside the Container [3].

Apart from the security concern, the phone also loses its warranty if it is rooted/jailbroken. So if there are any hardware failures after the phone is rooted/jailbroken, the manufacturer will not cover the damages.

[1] https://www.apple.com/ipad/business/docs/iOS_Security_Feb14.pdf

[2] https://source.android.com/devices/tech/security/index.html

[3] https://www.gartner.com/doc/2315415/technology-overview-mobile-application-containers
