Ask Slashdot: Can I Trust Android Rooting Tools?
Qbertino writes: After a long period of evaluation and weighing cons and pros I've gotten myself a brand new Android tablet (10" Lenovo Yoga 2, Android Version) destined to be my prime mobile computing device in the future. As any respectable freedom-loving geek/computer-expert I want to root it to be able to install API spoofing libraries and security tools to give me owner's power over the machine and prevent services like Google and others spying on me, my files, photos, calendar and contacts. I also want to install an ad-blocking proxy (desperately needed — I forgot how much the normal web sucks!). I've searched for some rooting advice and tools, and so far have only stumbled on shady-looking sites that offer various Windows-based rooting kits for Android devices.
What's the gist on all this? How much of this stuff is potential malware? What are your experiences? Can I usually trust rooting strategies to be malware-free? Is there a rule-of-thumb for this? Is there perhaps a more generic way for a FOSS/Linux expert who isn't afraid of the CLI to root any Android 4.4 (KitKat) device? Advice and own experiences, please.
In general, if you're computer-savvy, hitting the XDA Forums will be your best option (IMO) if you're concerned about security. The SuperSU Package can be sideloaded into the device via manual ADB commands for most devices out there (some of them are considerably more difficult than others, e.g. current Samsung devices with KNOX). I've owned multiple devices from several vendors and I have yet to have an issue with the posted information from the XDA forums. I would expect that anyone attempting to pass shit-ware in there would get found rather quickly unless it's a very niche device with few people actually interested in it.
Personally I've yet to use any of the "one click root" kinda options I've seen posted to various sites....
RTFM and get ready to build stuff yourself. You will need to do some research for your particular device and then decide for yourself.
When I started using Android, it was a Nexus 4. Since the Nexus 4 came from Google, and was widely used by developers, it was easy to unlock the bootloader and root it using tools that were open source and reputable.
When I purchased a new and less popular phone, I wanted to root it and give it the same treatment. Unfortunately, the only tools I could find for my new device were posted in threads on the XDA forum. Someone posts a recovery + kernel and everyone just downloads and flashes it. Amazing. Well I run a banking app on my phone, how do I know that this thing is only a recovery + kernel and not something extra?
My other problem with the stuff people post on XDA is that some of the contributors don't seem to really know what they are doing. There's one custom kernel for my device that has a whole slew of useless options and the comment "Please do not ask me to add something, I don't know much about kernel". So I think there is some amount of "recipe following" by some of the people that contribute on XDA: they figure out a recipe that works, and generate kernels or ROMs without really understanding what it is that they are doing.
So, my ultimate solution to the problem was just to build everything myself. This took several days for me to scrape together all the information I needed from Google, my device vendor, and random places on the web. I ran into the same problem: I needed tools to do this (specifically a compiler toolchain and a few other tools for assembling the kernel and recovery the way my particular device needs it), but I'm not going to download some random binary from GitHub.
I'm running Ubuntu 14.04, and the gcc-arm-none-eabi compiler worked fine for building for my Android. I didn't have to download any mystery meat binaries. I rewarded myself by sticking my name into the kernel version, so it says "3.0.4-AnonymousCoward" instead of "3.0.4-SomeAssholeFromXDA".
RE devices: I've only ever purchased devices from vendors who will let you unlock your bootloader. If you have a device that the vendor doesn't want you to have control over, your only option is to wait for an exploit that can get root (something like Towel Root). I will never trust something like that since the source isn't published, but I would never purchase a device that I can't control completely.
Hope this is helpful
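Added example, not part of the comment above or of any XDA tool: a small inspector for the "is this only a recovery + kernel?" question. It assumes the stock AOSP boot image layout (header version 0 from `bootimg.h`); vendor-specific formats differ, and `build_sample` only constructs a fake image for testing. It reports what the header declares and flags bytes outside those sections; it does not prove the contents are benign.

```python
import hashlib
import struct

MAGIC = b"ANDROID!"
# AOSP bootimg.h, header v0: magic, 10 x uint32, name[16], cmdline[512], id[32]
HEADER = struct.Struct("<8s10I16s512s32s")

def inspect_boot_image(blob):
    """Hash each declared section and report bytes the header does not cover."""
    if len(blob) < HEADER.size:
        raise ValueError("too short for a boot image header")
    (magic, k_size, _k_addr, r_size, _r_addr, s_size, _s_addr,
     _tags, page, _u0, _u1, name, cmdline, _id) = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError("missing ANDROID! magic")
    if page < HEADER.size or page & (page - 1):
        raise ValueError("implausible page size")
    report = {"name": name.rstrip(b"\0").decode("ascii", "replace"),
              "cmdline": cmdline.rstrip(b"\0").decode("ascii", "replace"),
              "sections": {}}
    offset = page  # the header occupies the first page
    for label, size in (("kernel", k_size), ("ramdisk", r_size), ("second", s_size)):
        data = blob[offset:offset + size]
        if len(data) != size:
            raise ValueError(f"{label} runs past end of file")
        report["sections"][label] = {"offset": offset, "size": size,
                                     "sha256": hashlib.sha256(data).hexdigest()}
        offset += -(-size // page) * page  # each section is padded to whole pages
    trailing = blob[offset:]
    report["trailing_bytes"] = len(trailing)
    report["trailing_nonzero"] = any(trailing)  # data beyond the declared sections
    return report

def build_sample(extra=b""):
    """Constructed test image: fake kernel and ramdisk, 2048-byte pages."""
    page, kernel, ramdisk = 2048, b"K" * 3000, b"R" * 100
    hdr = HEADER.pack(MAGIC, len(kernel), 0, len(ramdisk), 0, 0, 0, 0, page,
                      0, 0, b"sample", b"console=null", b"")
    pad = lambda b: b + b"\0" * (-len(b) % page)
    return pad(hdr) + pad(kernel) + pad(ramdisk) + extra

if __name__ == "__main__":
    for key, value in inspect_boot_image(build_sample(b"extra")).items():
        print(key, value)
```

The per-section hashes give you something to compare against an image you built yourself, and the ramdisk at the reported offset is the part to unpack and read.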
Has this actually been tested in court? Seems to me like a root-capable su is compatible software for all intents and purposes and therefore dropping warranty support for users who root should be a violation of the Magnuson-Moss Warranty Act.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"