Slashdot Mirror
Ask Slashdot: Can I Trust Android Rooting Tools?
Qbertino writes After a long period of evaluation and weighing cons and pros I've gotten myself a brand new Android tablet (10" Lenovo Yoga 2, Android Version) destined to be my prime mobile computing device in the future. As any respectable freedom-loving geek/computer-expert I want to root it to be able to install API spoofing libraries and security tools to give me owners power over the machine and prevent services like Google and others spying on me, my files, photos, calendar and contacts. I also want to install an ad-blocking proxy (desperately needed — I forgot how much the normal web sucks!). I've searched for some rooting advice and tools, and so far have only stumbled on shady looking sites that offer various Windows-based rooting kits for android devices.
What's the gist on all this? How much of this stuff is potential malware? What are your experiences? Can I usually trust rooting strategies to be malware-free? Is there a rule-of-thumb for this? Is there perhaps a more generic way for a FOSS/Linux expert who isn't afraid of the CLI to root any Android 4.4 (Kitkat) device? Advice and own experiences, please.
What's the gist on all this? How much of this stuff is potential malware? What are your experiences? Can I usually trust rooting strategies to be malware-free? Is there a rule-of-thumb for this? Is there perhaps a more generic way for a FOSS/Linux expert who isn't afraid of the CLI to root any Android 4.4 (Kitkat) device? Advice and own experiences, please.
My phone exploded, and I had to have one of my hands amputated.
Learn from my mistake. Don't do it. Your hands are too important.
Is the hardware and firmware free of backdoors?
The truth is out there.
http://forum.xda-developers.co...
A bullet may have your name on it, but artillery is addressed to " Whom It May concern"
I have had Android devices from Cupcake onward and have always rooted them. That being said, I don't presume that rooting will work and I always presume that I may end up with a bricked device. A reminder that as soon as you start rooting, you have voided your warranty. I have also bricked devices. I learned how to make a jtag that way.
Your milage may vary.
That's a good question. I don't think many of the tools and ROMs have been analyzed for security by qualified people. As someone else mentioned, http://forum.xda-developers.co... is the most popular source. You'd hope that if there were major issues with the tools used there someone would notice.
You can extract a rooted ROM and compare the contents to the stock ROM.
Will that meet your needs, or do you need a stock, rooted Android?
"Computer expert" is a broad, broad definition. Nobody's a "computer expert", except in their narrow field.
So ease off with the smug. One might be an expert in their field and totally suck at another, both computer-related.
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
In general, if you're computer-savvy, hitting the XDA Forums will be your best option (IMO) if you're concerned about security. The SuperSU Package can be sideloaded into the device via manual ADB commands for most devices out there (some of them are considerably more difficult than others eg: Current Samsung devices with KNOX). I've owned multiple devices from several vendors and I have yet to have an issue with the posted information from the XDA forums. I would expect that anyone attempting to pass shit-ware in there would get found rather quickly unless it's a very niche device with few people actually interested in it.
Personally I've yet to use any of the "one click root" kinda options I've seen posted to various sites....
My advice: don't rely on specialized tools that claim to do the work for you, but learn how to do it by hand with adb and fastboot.
I've been running rooted for about 4 years on various phones.
There are quite a lot of tools that you can run while rooted that are impossible otherwise.
This includes the ROMs themselves which don't usually come with the normal Google tools at all.
Then you can leverage tools like AppOps (integrated into many of the custom ROMs) to control granularly what info apps can get.
You can run things like AdAway, which basically block ads systemwide (including in apps).
The F-droid app repository has quite a lot of open-source software, and you can build a perfectly functional phone without Google apps.
As already mentioned, XDA-developers is a good place to start, even just to find info about your specific device, and guides for rooting, etc.
On balance, my opinion is that, if you do your diligence and set things up correctly, a rooted phone can absolutely be more secure than not.
As a small suggestion, if you decide to jump in, I highly recommend using ClockworkMod (Koush) superuser manager, because it's open-source and let's you set a pin for SU without paying for an upgrade.
On the PC, typically Odin is the only Windows executable involved with rooting an Android phone. Standard security best-practices should keep you "safe" here. Obtain Odin from trustworthy sites such as XDA. Use a bi-directional firewall package that tells you when your PC tries to make an outbound connection. Odin shouldn't.
On the phone, if you're just rooting, you're trusting the manufacturer of your phone, which isn't necessarily wise, but I see that's WHY you're rooting. So, you can get the XPosed Framework and XPrivacy, and set permissions for the various packages on your phone. Both are open-source.
If you don't actually read the code, then by definition you're trusting, period. So what's the issue?
"Oh no... he found the
The last phone I rooted only had rooting tools available in Chinese. It seems to have worked, but ...
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Most root exploits I've seen have two components to them: the attack vector, and the payload.
The attack vector is usually a series of commands that have to be run to get the payload onto the device. This part is fully auditable and usually "open source" in the sense that you can perform these commands yourself. If someone sends you a .bat script with a bunch of adb commands, you can always open up the script and read it and make sure nothing is malicious in there.
The real problem is that 99% of the root exploits out there have to upload some kind of a binary file to the device, which is then executed. In MOST cases, the source code to this binary is not disclosed, perhaps to make it harder for the manufacturers to fix the exploit, or to keep their attack methods secret, in case the code might expose some more general pattern of attack that would enable the manufacturers to close a whole series of root exploits.
So basically you are trusting someone who compiled a Linux binary *whose job is to obtain escalated privileges on your device* to then not use those privileges to install some kind of tracking malware, data siphon, or cookie exfiltrating software, or even just a rootkit providing them a backdoor, which initially does nothing but can be activated at any time when the author feels they need something from your device (like participating in a botnet, perhaps?).
I'm a little surprised that the comments so far haven't really tackled the crux of your question, which was NOT "how do I find root exploits", but "are they trustworthy". Remember, folks, just because it's posted on XDA, doesn't mean it's trustworthy. Anyone can register an account on XDA; absolutely anyone.
I've read statements from root exploit authors who've said in plain language that they have no motivation to bundle malware in their root exploits and thus don't ever do so, but that's like the NSA saying they don't spy on Americans. We have no way of verifying the statement, and several reasons to suspect the contrary.
If you are in doubt, I would suggest that you forego root exploits altogether. Instead, you should simply refuse to buy any Android device where the manufacturer does not provide you a means to unlock the bootloader. Once you have a (legit) unlocked bootloader using official tools from the manufacturer, you can then proceed to install any ROM you want -- even an open source ROM that you could audit yourself -- which then gives you root access. Remember, on an Android device, root is far less powerful than an unlocked bootloader, so that's really what you should be aiming for anyway, to have a truly "open" device as an enthusiast.
Yes, nobody would really say "I'm a computer expert" so these articles are probably trolls by slashdot editors, adopting a persona ("What if I was a guy who wanted to know how to root an Android phone.") But it's an interesting question.
We neither know where you take your tools from nor the actual version you're using. And even if we did, by the time such a through analysis is done, the next version rolls about and we can restart rolling that boulder uphill. And even if we did, why should you believe us? There are too many corporations who have a vested interest in you not rooting that device and thinking that any and all rooting tools are malware. Misinformation would most likely dominate such an examination effort.
The best one can tell you is that most likely there are no deliberate malware hooks in rooting kits. Provided that you get those kits from the usual sources and don't download them from some odd corners of the 'net or torrent.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
1) Most of the important functionality (including the WebKit/Blink browser engine) are now embedded in Google Play Services, which you can't manage.
2) Total ownership of a device with a proprietary radio isn't realistic - even if you managed to install straight Linux on the thing (unlikely) the underlying firmware is in the bag.
3) Better to return that machine and go with a Yoga 2 Pro honestly. You'll have the ability to install Linux on it and have far greater control over your data.
4) A rooting tool is inherently untrustworthy as it exploits flaws in the target system. How can you truly know whether an oft-used method is trustworthy?
If you're not interested in the above, you don't really care about your data and shouldn't bother rooting it.
// -- http://www.BRAD-X.com/ --
RTFM and get ready to build stuff yourself. You will need to do some research for your particular device and then decide for yourself.
When I started using Android, it was a Nexus 4. Since the Nexus 4 came from Google, and was widely used by developers, it was easy to unlock the bootloader and root it using tools that were open source and reputable.
When I purchased a new and less popular phone, I wanted to root it and give it the same treatment. Unfortunately, the only tools I could find for my new device were posted in threads on the XDA forum. Someone posts a recovery + kernel and everyone just downloads and flashes it. Amazing. Well I run a banking app on my phone, how do I know that this thing is only a recovery + kernel and not something extra?
My other problem with the stuff people post on XDA is that some of the contributors don't seem to really know what they are doing. There's one custom kernel for my device that has a whole slew of useless options and the comment "Please do not ask me to add something, I don't know much about kernel ". So I think there is some amount of "recipe following" by some of the people that contribute on XDA: they figure out a recipe that works, and generate kernels or ROMs without really understanding what it is that they are doing.
So, my ultimate solution to the problem was just to build everything myself. This took several days for me to scrape together all the information I needed from Google, my device vendor, and random places on the web. I ran into the same problem: I needed tools to do this (specifically a compiler toolchain and a few other tools for assembling the kernel and recovery the way my particular device needs it), but I'm not going to download some random binary from GitHub.
I'm running Ubuntu 14.04, and the gcc-arm-none-eabi compiler worked fine for building for my Android. I didn't have to download any mystery meat binaries. I rewarded myself by sticking my name into the kernel version, so it says "3.0.4-AnonymousCoward" instead of "3.0.4-SomeAssholeFromXDA"
RE devices: I've only ever purchased devices from vendors who will let you unlock your bootloader. If you have a device that the vendor doesn't want you to have control over, your only option is to wait for an exploit that can get root (something like Towel Root). I will never trust something like that since the source isn't published, but I would never purchase a device that I can't control completely.
Hope this is helpful
Ad block and ad block plus are available for Google Chrome and Firefox on Android.
The relevant question is: could you trust the devices firmware in the first place? The las tfew year put a solid upper bound to my trust in this respect?
If you can't even begin to vet the source there is no accounting for the bugs and potential back doors. We don't know what the adversaries intentions might be. While it could be profit driven as is the case with most malware it could also be espionage, spying on dissidents, or something else. Of which there maybe no acting on the bug/backdoor. That would make it significantly more difficult to detect in a closed source application.
I should also point out that the source code being available isn't really sufficient to say its secure/safe. We should all be demanding deterministic (the resulting sources compiled by me should result in the same binary thats being released by you) builds, signing, and "open" development. If development is based on a closed model (ie as TrueCrypt was even though sources were released) even if the code is released (even as "free software") it comes with risks attached. Such closed model development model make it difficult for the public to keep tabs on the changes. That makes it harder to spot insertions of back doors and generally monitor what changes the core developers are making.
The fact woz exists shows that isn't the case. There are other similar people.
Android is the antithesis of privacy. You might as well be looking for GNU/OS X.
Androids entire existence is to gather your private info for Google. There is literally no other reason ite exists. If your not ok with that, you should probably start looking for alternatives.
You'll be more likely to use lava to chill your drinks than get privacy from Android.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
I had the same thoughts when I tried installing CM on an old Android device. In the end, the platform was never meant to be secure or really open to user scrutiny. I suppose with a considerable amount of effort you could achieve some sense of security by inspecting all major components, but if you are inclined to invest a considerable amount of effort, then you probably want much better security and are looking at the wrong place. Phones/tablets are fundamentally insecure, and this is probably by design.
Using CynogenMod version (android 4.4.4) on HP touchpad ... Haven't noticed anything very different than on Linux Mint on Asus laptop
spying on me" Well, you've completed Step 1: Buy some Google ecosystem. Step 2: ???? Step 3: Profit!
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Especially if you get them from XDA-Developers, where people have reputations.
Let someone else test the tools for you.
At least some of the tools actually let you patch the hole they got in through, this is true of the exploit for Asus Cube.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Here's an idea. If you are uncomfortable with Google and such, eyeing them as a big brother of some sorts and do not want any Google Play Services or anything Google touching the device... you should return that tablet. Buy a Nexus 9, or a used Nexus 10 or Nexus 7 (2013). This may look counter intuitive, however Nexus devices have pretty much some of the strongest following and modding community behind them and since Google releases the full source for these devices, they are the first to get AOSP variant roms such as CyanogenMod, SlimROM, and Paranoid Android. Once you get them, you can easily follow guides on XDA Developers ( http://www.xda-developers.com/ ) to Unlock the bootloader (Via Google released ADB/Fastboot tools), install a custom recovery (I recommend TWRP which is open source as well so you know what you're getting). Then, depending on your level of paranoid, you can sync the AOSP tree from Google itself and build the entire ROM from scratch yourself, or build or download a flashable zip file of any custom ROM such as CyanogenMod, SlimROM, Paranoid Android etc, and then load it onto the device. AOSP based roms such as these DO NOT have Google's Proprietary API's and Google Play Services. Straight Android. Plus, will full open source, you know what's in it. You will still have to deal with the proprietary blobs left in for display, modem, wifi, etc, however it's as close to full control as you can get for Android with a 100% fully functional Android device.
Basically, all you need is adb and fastboot, both available in the Andorid SDK, which runs on Linux, and the the rooting zip files or images that you upload to the phone/tablet.
Easiest way to root the tablet is to install a rooted image.
This Sig does not Exist.
When you root, you almost always neuter Android security model. So goodbye to any security.
You can always do the flashing properly, with signing and stuff, but the procedure is major PITA: http://mjg59.dreamwidth.org/31...
:wq
What are *your* experiences.
Imagine if Windows PC manufacturers supplied PCs lacking Administrator access in Windows. People would quite rightly complain, and many would sue their respective PC manufacturers in order to gain full control over their own legal possession. But what if Administrator access were not being supplied because Microsoft did not provide it in Windows in the first place? In that situation, the many lawsuits would rapidly collapse into a single class action against Microsoft.
That is exactly the situation we have today in respect of Google as developers of Android. Google has not provided any means for owners of Android tablets to gain root access to their own property and hence full ownership of it. This is not the fault of the equipment manufacturers at all but that of Google, and so Google should be legally actioned for it by Android equipment owners as a class.
Have you seen any of the customer reviews on tech store sites?
"Tech level: 5/5 - I bought this RAM for my daughter's laptop, but the instructions weren't clear on how to open the case, and she still has a virus. 1/5 stars."
Would mainly be Pris.
But I'd also be pretty keen on rooting Zhora and/or Rachael as well.
Do you buy the device that's 95% of what you wanted and try to modify it for the other 5%? Or do you buy nothing and go without the functionality you want. The vast majority of the time buying the item that's perfect for your needs isn't possible because it simply doesn't exist.
I'm all for voting with your wallet, but you have to be realistic, get the best option, don't hold out for the perfect option or you'll usually spend your life with nothing.
I have a galaxy note 4. I don't have it because I like the locked bootloader or the knox e-fuse, I have it because I live the device itself and all the functionality it provides, and while the security on it sucks, I know I can still get past it to get root. For my purposes there is no better hardware out there, and the ridiculous restrictions they put on it can be bypassed. If they stepped up their security game further and prevented me from getting root the equation would change and I'd vote with my wallet and get a different device.
We just don't live in an ideal world, sometimes perfect just isn't an option.
The same way we noticed teh SSL vulns....?
- http://www.milkme.co.uk
You get used to saying "I'm a computer expert" when you talk to the people who believe in pixie dust. It's just that sometimes you have to tell them that their problem lies in a different field and they have to talk to someone else. If you are wondering why, just try telling them something like "I'm highly trained and experienced in removal of viruses and various other types of malware". You know what they'll do? They'll try to get you to install windows for them, or fix their corrupted MSWord documents. They don't understand a thing you've said, so they assume you can and will do anything, or worse yet, they'll ask you to explain all those words they don't even know the vaguest thing about, understand none of it, then still ask you to fix their corrupted word doc because they don't want to pay microsoft to do it.
It saves everyone a lot of time to just say "I'm a computer expert", and when it's not something you know about, send them to someone who does know that particular area.
I'm the one that had the call where the user kept typing "right click" every time the instructions told him to right-click on something. And you know, that's not even the worst call. (And I'm not even going to detail the numerous people that think scheduled events will work when the desktops have no power. Or the callers than want you to help them when the computer doesn't have a monitor or a keyboard, and the user can't get into the locked room, which wouldn't matter because they don't have the password either.)
That's an interesting thought. I imagine Google would have two responses to that. First, an Android user can install applications, set security policies such as requiring a PIN or pattern lock, encrypt the data storage - mostly the same things a Windows administrator can do. To say, completely wipe the disk and install a different OS, one does that via the bootloader, not in the OS. That can be done on many (most?) Android devices and is outside of Google's control anyway.
Secondly, contrary to your claims, device manufacturers could include sudo in their ROMs if they wanted to. Cyanogenmod AMD others include root; there's nothing stopping Samsung from doing the same with their mods. That's Samsung's decision.
Lastly, they could point out that for the relatively small percentage of users technically knowledgeable enough to modify the OS without breaking it, there are in fact simple ways for them to enable such access. For the majority of users, who don't knsow what "root" is, enabling it by default would reduce the security and reliability of the device. It would make it less good for the vast majority of consumers.
Can you trust the factory installed software?
Can you trust the modded ROM you want to install?
Why should it be different with the rooting tool, the modded recovery or any other thing?
Which ever pill you'll take, you won't ever know!
Welcome in the real world!
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
And I'm not even going to detail the numerous people that think scheduled events will work when the desktops have no power.
Don't desktop PCs have a wake-on-RTC feature that will end suspend mode at a given time, analogous to wake-on-LAN but without the network? Or by "no power" did you mean unplugged from AC? In that case, perhaps they think missed scheduled tasks will run at next boot.
It's strange to me that there aren't many options to buy phones pre-rooted. Considering how much I value my free time and how little I want to risk bricking my new device, I would easily pay an extra $50-100 for a phone that was both rooted and under warranty. I imagine even less tech-savvy people could be sold on the idea by just demonstrating the new "features" that you gain.
You don't trust the Android that came with the device, and you don't trust the tools for your to get root access so you can change that.
Maybe this is the tablet you should be looking for.
No.
And you cannot trust the ROM. And you cannot trust google. And you cannot trust debian.
Go, realize that you're always trusting someone, as long as you're not flipping bits to code your own OS. And then you're trusting the hardware.
Step 1) Doesn't want Google observing them.
Step 2) buys Android tablet, wholly controlled by Google.
If you were going to root it anyway why not buy an iPad and jailbreak it? Nothing preinstalled even talks to Google without you setting it up, so you're already off to a better start.
Every Android update is going to fight to collect information about you. I don't see why you would buy into a system that by default will do exactly what you do not want.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Yep, if you have any qualms about doing stuff on Android, feel free to get a cheap Android tablet to experiment on, like the old $200 Nexus 7. Then you can feel free to fill that one with games and crapware and wipe and reload it regularly like a Windows gaming box. This lets you play without too much risk without compromising your primary Android device. If you use the same google Play account, you don't even have to buy your paid apps twice (though of course then you're exposing your google account that you use to pay for Google apps, but if you're like me, that's separate from your personal gmail account)
My primary Android device is my phone, and I just keep a bare minimum of essential apps on it so it runs fast and lean. After the Android 5 update, haven't even felt compelled to root it.
I rooted my Nexus 4 and my Kindle Fire HDX using Towelroot (on the Nexus 4 it is extremely easy to apply - just allow non-store apps and install tr.apk; on the Kindle, I had to install HDXposed, the Xposed framework and Google Apps before I could do that). IIRC it worked fine on Android 4.4 (despite scary warnings issued by Google, which can be safely ignored). But it doesn't work on Android 5. Last time I looked into it (a couple of months ago), there was not an easy way to root Lollipop - you had to back up your data and settings and re-flash.
I had an Android phone which I eventually was able to root/mod; here's some advice, for what it's worth:
- Get a device which has a supported root/mod path via XDA. Some devices are more rootable than others.
- Be careful about updates; most root tools only work for specific versions, and patches regularly break rooting methods/scripts.
- If you want to preserve root, you'll want to run a cusom ROM, so find a device which has a supported mainstream ROM for it.
- Unless you are an expert, it will take a while. Plan on spending at least a week of off/on time messing with it, and be prepared if you brick it.
- If you want full control of the device, plan to make this your full-time job. Nobody really offers this, and you'll need to do it yourself.
- If you just want something with reasonable privacy controls which just works, get an IOS device; that's what I did eventually.
Also, as a side note:
- The regular web does suck, and browsing without an ad blocker these days is pretty horrible. Mainly posting to say that.
Apps like AdFree block adservers on hosts level, removing most ads from apps as well.
So if you root, does that mean you can get an APK to add a layer of security the APK way?
... reload it regularly like a Windows gaming box.
Wow! The Windows install/update/drivers process is so painful that I am extremely careful in selecting what I install on my gaming machine. I can upgrade to a new version of Fedora in 15 minutes, give or take a minute or two, though. When it comes to my Windows installation, the ONLY thing I install is games I intend to play. Now if I need to experiment in a Windows environment I don't care about, I use VirtualBox and turn on snapshots.
Is that a roll of dimes in your pocket or are you happy to see me?
I did find some malicious software in an older link to a rooting tool, posted in the comments of a rooting thread for my device. But it was Windows malware... and it smelled funny to begin with, with a bunch of redirects and hoops to jump through. Fortunately, I run windows on a virtual machine and it was picked up by antivirus anyways. And I wouldn't have installed it anyways, as it didn't take me long to figure out that it wasn't what I was looking for - you shouldn't ever have to install shady third party software on your computer to obtain root. A few phone tools like USB drivers, odin (for Samsung phones), and perhaps ADB and the android develipment environment are all that's really needed on the host computer, but even these are becoming less comonly needed as more advanced tools becone available. Be sure to get these from reputable sources.
My rule of thumb is to only click links from the OP on a thread, and read through the thread to see what people have discovered.
None of the precautions here or posted otherwise really cover state-level threats, but it doesn't sound like that's your concern.
You write:
A non-root user can install only the "user" subset of applications, and not those which give him full control over the equipment that he legally owns. Crucial abilities like installing firewalls, monitoring network traffic, detecting malicious activity and restricting or blacklisting sites are not available to the user.
But the crucial issue isn't which applications can be installed and which cannot, but the very right of the user to control these choices on the equipment he owns. The equipment does not belong to Google and they do not have the moral right to impede the user from gaining root access on his own equipment in a secure manner. The owner most definitely has the right to have it on his own system, and he should not have to resort to risky procedures to obtain it.
The parent did not claim that the manufacturers cannot include root access, but only that they do not supply it because Google does not provide it in the Android system. The analogy with Microsoft not providing Administrator access for Windows is extremely strong and direct. It would make no sense whatsoever to sue all the thousands of manufacturers separately when every single lawsuit would be identical and stemming from the same omission by Google. That's why a class action would be both logical and legally efficient, tying up only one court instead of thousands.
You appear not to have noticed the entire point of this Slashdot story. There is no approved, validated and hence safe mechanism for rooting an Android device proviced in the standard system and hence available on all devices, and that is the entire reason why risky procedures from untrusted sources have to be considered. That deliberate omission is pushing users who wish to raise their security towards untrusted sources which can compromise that security. A proportion of those untrusted sources are probably malicious.
Whether it is only a few or many users who would wish to benefit from root access if it were available as standard is not knowable in advance by anyone. Note that technical knowledge by the user is not a requirement, since root access may be enabled only long enough to install an application which requires root privileges to run and which provides great benefit to non-technical users. This could easily create very widespread interest.
Smartphones really aren't viewed the same way that PCs are. If a user is given root access and then deletes/corrupts important system files then there is an additional burden on carrier and OEMs for support calls, not to mention giving applications root access is never a good idea. We already know from the experience of Windows that people will grant root access to any application if it claims that it needs it, as a result viruses and malware run rampant.
You make some good points, except I think you're confusing "rooting" a device which the OEM locked you out vs what an OEM would do to provide root access. Google DOES provide su, which is the file you use to provide root. OEMs could ship phone with su included. They could get it from the Google code URL below.
What's tricky and risky on some devices, but not others, is getting access to install su if the OEM has not provided it. In other words, su (root) is just like the hotspot feature or any other system-level feature. OEMs can include the standard code to allow it, or they can leave that out of their copy.
Here's su:
http://code.google.com/p/super...
The XDA-Developers forum is full of tinkerers and developers themselves. They get a lot of traffic so proposed roots and mods will have quite a bit of feedback allowing you to judge the quality before you attempt to do something.
Additionally the XDA guys have a known history of calling out other people's shit. They are the ones who find questionable security practices, back to base datalogging and basically nearly everything negative or questionable you have heard about an Android manufacturer you'll have heard it on XDA first.
I wouldn't trust any shady site for any kind of root exploit, just links from the XDA-Developers forum.
Sorry, but merely being acquainted with the CLI does not make you a "FOSS expert", nor does it provide any degree of security assurance when running tools compiled from code you are unable to reason about. Unless you can actually read and reason about code at a level that enables you to discover vulnerabilities, backdoors, etc., you do not have the expertise necessary to stay safe, and you should be careful about saying things that imply otherwise.
"Well, the way I see it, I'll trust a random XDA developer pushing closed-source hacks way more than I trust my carrier and/or handset manufacturer."
That's just plain silly.
Unless your random XDA developer also manufactured the phone and supplied the stock firmware, then you need to trust two parties: that random XDA developer AND your carrier. Remember just because the phone is rooted doesn't mean it also isn't running the manufacturer's (if any) malware.
So a phone which can be unlocked using a manufactured supplied tool is still safer than a phone that needs to be rooted. Safest of course is the phone you assembled yourself, right down to the circuit board level.
Eh, with Windows 7 it hasn't been that bad, or even with Win98 before that. Every six months or so when it starts having problems, just reinstall from scratch, walk away and let it reboot a few times to finish updates, then install the nVidia updater and Steam and anything else from ninite.com . Just a few more steps than setting up a fresh Linux Mint box.
That said, the last time my C:\ drive failed, I restored my AppData dir from backups into the new system but still couldn't get some of my games to find their settings / savegame states. Probably need to dink with something in the registry, but haven't been motivated enough, since most of my current games save state to the cloud.
I'm not certain, but I think there is, CTS you need that and comply with ACD (Android Compatibility Definition) to be even considered for a license to ship the Google apps.
You left the part out where this may take three hours, during which browsing for drivers and programs may be a great security risk.
There's even the bug where the SP1 of Windows 7 refuses to install (mine does, googled answers suggest it's a boot due to using dual boot/multiboot causing the damn thing to not recognize the 100MB "system partition" ; there is no solution besides grabbing a Windows 7 + SP1 warez iso and reinstalling)
There's keeping up with antiviruses to know which "free" one is not pseudo-ransomware (deactivated after one year), my aforementioned borked Windows 7 install has AVG Free from 2011 which stays really free but I'd have to switch to another.
I guess you have fast CPU, SSD, iso with built-in SP1 and fast internet access to wired ethernet or strong wifi.
Windows 98 was much faster to reinstall but back then you didn't really need updates and antivirus.. I was sure as hell ready for it too ( \WIN98 directory from the CD on the hard drive, Windows key known by heart, all drivers and programs ready on the hard drive and for good measure I loaded smartdrv.exe before running the installer from DOS, whether or not that was needed)
or that they will delete all those files they "don't need" in c:\windows\system for that matter.
...works on sooooo many levels ðYf
Lots of reasons
1) Do you trust some unheard of developer more than the devs working for, say, Sony or HTC?
2) Once rooted, you cannot (mostly) go back
3) You lose OTA unless the ROM supports it
4) The whole point of rooting is destroyed: I rooted one of my phones to get the latest and greatest Android before the manufacturer released it. It was fine for some time. But when the next version of Android came out, I couldn't get my hands on it since those "devs" at XDA require the drivers, etc. from the manufacturer's ROM! So, I have to not only wait for the manufacturer's ROM to get released, now I have to wait for those devs at XDA who are probably short on time since they have exams, or some such crap to be able to update the ROM on my phone.
5) God alone knows what crap they put into those ROMs - I for one have never tried to verify the source code since most of the devs won't release it to you.
Lesson learned. Don't root. Be happy with what you have. Build apps of your own to do the things you want to do.
Not to buy products of a company that has policies that you don't agree with?
I work for one of many of the chip vendors that provide Android based BSPs to OEMs.
The answer to your question is: Yes. if the rooting tools are open source.
But you cannot trust Android. Buried deep is all sorts of madness added by vendors and by Google. Theoretically updates can be pushed that are not audited by anyone except the signer and Google. Neither of which can be trusted to protect you from commercialization of your information or from government spying programs.
You should not trust any tool that isn't open sourced. Consider the folks peddling closed solutions to be doing so with nefarious intent. Even without nefarious intent you would not want to hand your device over to some tool constructed by a kid who gleaned the information to write the tool from instructions cobbled together from their various sources. You can also avoid the problem altogether and choose to carry a real phone instead of a "smart phone".
It's official: We as a consumer are very willing to spend a ton of time and effort researching and implementing ways to actually own something we already spent money for, then will use it to access things like Lifehacker to be more "efficient" since "there's not enough time in a day".
On the surface, we're essentially buying a problem we need to solve for the "convenience" of having mobile access to our data. A tech treadmill that only ends when we do.
There is absolutely no reason to get a "warez" windows iso. A windows iso can be obtained from official sources without any problem. Microsoft doesn't give a shit if you download them, there useless without a key or crack. Just grab a shiny iso from the digital river source and you have a clean copy provided by an official source.
1) Google provides easy unlock for all its devices from day 0.
2) Just goo to Google Play and type "sudo". There are a lot of them available. Not provided by Google, but not forbidden either.
3) If manufacturers lock their devices, Google can't do anything about it.
One trick I learned is to format the machine completely (using the clean all command under disk part), install the OS of choice, load needed drivers and updates, and once it is in a place where everything is stable... then activate it, and save off a couple wbadmin backups.
Now, if I need to reload a physical Windows box, I boot the Windows media, format, then reload the image, and reboot. Back to how it was. I can always get fancier by having a USB flash drive with Offline WSUS [1] images so I can get all patches installed if I so chose.
[1]: This isn't a MS product; use at your own risk. However, it is useful for updating a machine with a limited or no Internet connectivity.
Because very few users of rooted phones use rooted apps in exclusivity.
I still don't understand - neither to jailbrake owners, you can still use the Apple App Store.
If you have the full set of jailbrake + normal apps, the world of apps is not limited.
Correct me if I'm wrong, but you need an Apple account to use an iPhone, right?
No. It's useful because they provide free backup and other things, but you can use the iPhone without an AppleID.
You do need an AppleID to use the App Store. But that login is independent from the rest of the system, and is only used by the App Store app.
You can create an AppleID just for the purposes of using the App Store (and for enabling device backup), it doesn't have to have a credit card tied to it until you need to purchase something.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
It's strange to me that there aren't many options to buy phones pre-rooted. Considering how much I value my free time and how little I want to risk bricking my new device, I would easily pay an extra $50-100 for a phone that was both rooted and under warranty. I imagine even less tech-savvy people could be sold on the idea by just demonstrating the new "features" that you gain.
My understanding is that licensing restrictions prevent o e from shipping an android device that includes any of the useful proprietary bits from google, unless you are an "approved" manufacturer. I believe this is why Cyanogen mod had to make some concessions in order to ship a product that can be sold outside the grey market.
Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7
IMHO, I think developer editions are good enough for this, even if all it takes to get root is to run "fastboot oem unlock", load a recovery rom, and push the superuser app and binary onto the device.
The reason is that someone buying a "developer edition" device pre-rooted, then getting the device nailed to the wall because they downloaded some dodgy app that was allowed to get root and full control of the device, would result in insanely bad press, as well as lawsuits and calls for more stuff like eFuses, Knox, and other user-hostile hardware DRM mechanics.
At least it is patently obvious when someone gets the "one does not simply walk into Mordor" screen when unlocking the bootloader, that they are on their own.
I do agree with the parent. It would be nice to have a device with a completely open bootloader, as well as a way to download complete official firmware updates, so a soft-brick can be returned to stock easily. As for root, I'd want at least a quite clear warning dialog before the user gets full access. Not lock them out, but at least get them to either click past it, as they know what they are doing, or maybe hit the Web and check their favorite search engine of what root gives them.
HTC allows you to root a device for example. You just have to submit your device serial number to invalidate your warranty.
...found anything that REQUIRES root that I wasn't able to workaround or do in another way and, hence, have NOT rooted any of my Android devices in 2 or 3 years, nor do I miss NOT having root. OTOH I've been running nexus phones(and so am more or less happy with stock android and not playing fw of this half hour on it, never really did TBH except cyanogen in a few cases of severe craptacularness prior to nexii).
Tablets: I've given up on them as utterly useless for anything other than reading PDFs, backup ebook reader(when all eink/mono LCDs are down), and maybe emergency web browser. They're just big phones with the same shitacular input methods all of which equally suck if you didn't figure that out yet, BUT at least the general UI is NOT the shitacular Metro.
IF I had an iphone or windows* phone(or blackberry) I'd be rooting those in a picosecond or attempting to(blackberry, never looked at them, but given rep I'd expect them to be difficult).
* nah I'd just chuck it on the nearest brick wall or slab of concrete...