Slashdot Mirror


Android Oreo's Rollback Protection Will Block OS Downgrades (androidpolice.com)

jbernardo writes: Google is using the boiling frog method to exclude power users and custom ROMs from Android. A new feature in Android 8.0 Oreo, called "Rollback Protection" and included in the "Verified Boot" changes, will prevent a device from booting should it be rolled back to an earlier firmware. The detailed information is here. As it rejects an image if its "rollback index" is inferior to the one in "tamper evident storage," any attempts to install a previous version of the official, signed ROM will make the device unbootable. Much like iOS (without the rollback grace period) or the extinct Lumias. It is explained in the recommended boot workflow and notes below, together with some other "smart" ideas.

Now, this might seem like a good idea at first, but let's just imagine this on a PC. It would mean no easy rollback from Windows 10 to 7 after a forced installation, and doing that or installing Linux would mean an unreasonably complex bootloader unlocking, with all your data wiped. Add SafetyNet to the mix, and you would also be blocked from watching Netflix or accessing your banking sites if you dared to install Linux or roll back Windows. To add insult to injury, unlocked devices will stop booting for at least 10 seconds to show some paternalist message on how unlocking is bad for your health: "If the device has a screen and buttons (for example if it's a phone) the warning is to be shown for at least 10 seconds before the boot process continues." Now, and knowing that most if not all Android bootloaders have vulnerabilities/backdoors, how can this be defended, even with the "security/think of the children" approach? This has no advantages other than making it hard for users to install ROMs or to revert to a previous official ROM to restore missing functionality.

22 of 119 comments

  1. not evil by rogoshen1 · · Score: 5, Funny

    No really guys, just look at our motto!

    1. Re:not evil by cjjjer · · Score: 3, Informative

      When Alphabet took over they removed that motto from their code of conduct in 2015 so they are free from "doing no evil" for 2 years now...

    2. Re:not evil by Anonymous Coward · · Score: 2, Funny

      That's their OLD motto. The new one is "We build robots for the government."

    3. Re:not evil by Tough Love · · Score: 2

      Alphabet never "took over". It is still the Larry, Sergey and (to a lesser extent) Eric show, nothing changed. This always was who they were.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
  2. One question, Google by Opportunist · · Score: 3

    Care to inform me why the fuck me, or anyone who has at least parts of his mental health remaining, would want to buy such a device?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:One question, Google by hawguy · · Score: 2, Informative

      Care to inform me why the fuck me, or anyone who has at least parts of his mental health remaining, would want to buy such a device?

      Probably because nearly all consumers have no interest at all in rooting their phone, installing a custom ROM, or even rolling back to a previous release. It's a very tiny subset of users that care about such things, not enough for most companies to care about serving them.

  3. So by fermion · · Score: 4, Interesting

    Wasn't there just a security alert about phones being rolled back without the user's knowledge on phones?

    On a PC if you are going to 'roll back' the best thing to do is start from a clean hard disk. The only reason to do this is if there are problems, in which case the safest thing to do is to wipe the machine.

    Does the Android phone have forced installation? If so, then anyone buying it is an idiot. If not, then why bring it up?

    And as always data is only lost if you don't back it up. Now, on upgrade data can also be migrated so you may not be able to use it on an old system, but again, if this is not a forced upgrade, why didn't you back up data?

    What is this, the day /. lets the children run the front page so they can whine about the fact the candy store charges money?

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  4. I like this. by poptix · · Score: 4, Informative

    I don't want *my* device stolen, downgraded, then rooted. I want it secure.

    I buy devices that can be OEM unlocked and rooted though, (currently the Pixel XL) in case I want a custom ROM or root.

    As long as I can buy a device capable of being OEM unlocked and/or rooted I don't see the problem. If you have an issue with rev XYZ of a ROM you can always install a derivative with a fix from XDA, or a straight up copy of a prior version with a different name/version, just not a *signed* copy of a prior version.

    tldr; All this does is prevent thieves from backtracking to an exploitable ROM. If you have authorized access you can still OEM unlock and do whatever you want.

    --
    Just because you disagree doesn't mean it's not true.
  5. Can malware use this to prevent patching? by dacut · · Score: 4, Interesting

    One potential flaw in this mechanism: I think a malware image can prevent rolling back to a known-good image by setting the rollback indexes to a ridiculously high value, say 2147483647 (2**31-1).

    This diagram shows how the workflow is supposed to proceed. If Mallory gets her verification key onto your device (either by social engineering or another flaw), then her custom malware image can be booted by the device in locked mode. The user will get a warning about this being a custom OS (good!), but then the rollback index values in Mallory's image are written to the stored rollback index values (bad!). If I then attempt to go back to Oreo 8.0, it won't let me.

    A better mechanism would be to have a set of stored rollback index values per verification key, not a global set per device. Then I could roll back to the stock factory image from Mallory's malware image.
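
An added example, not part of the comment above and not code from Android or libavb: a small C model of the check the summary describes (reject an image whose rollback index is lower than the stored one, otherwise raise the stored value), comparing a single per-device stored index with the per-key store the comment proposes. The struct, function names and key ids are hypothetical, and the stock image indexes 5 and 4 are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_KEYS 4
enum { OEM_KEY = 0, USER_KEY = 1 };   /* hypothetical key ids */

/* Hypothetical model of the tamper-evident storage; not libavb's API. */
struct rollback_store {
    bool per_key;                /* false: one index per device; true: one per key */
    uint64_t stored[MAX_KEYS];   /* only slot 0 is used in global mode */
};

/* Reject an image whose index is below the stored one; otherwise allow the
 * boot and raise the stored index to the image's value. */
bool try_boot(struct rollback_store *s, unsigned key_id, uint64_t image_index) {
    if (key_id >= MAX_KEYS)
        return false;                       /* unknown key: refuse */
    uint64_t *stored = &s->stored[s->per_key ? key_id : 0];
    if (image_index < *stored)
        return false;                       /* rollback detected */
    *stored = image_index;
    return true;
}

/* Scenario from the comment: a second key's image carries an inflated index,
 * then the owner tries to boot the stock image again. */
bool stock_recoverable(bool per_key) {
    struct rollback_store s = { .per_key = per_key };
    try_boot(&s, OEM_KEY, 5);               /* stock image, constructed index */
    try_boot(&s, USER_KEY, 2147483647u);    /* inflated index (2**31-1) */
    return try_boot(&s, OEM_KEY, 5);
}

/* Ordinary downgrade of the stock image must stay blocked in both modes. */
bool downgrade_blocked(bool per_key) {
    struct rollback_store s = { .per_key = per_key };
    try_boot(&s, OEM_KEY, 5);
    return !try_boot(&s, OEM_KEY, 4);
}

int main(void) {
    printf("global store:  stock boots again=%d downgrade blocked=%d\n",
           stock_recoverable(false), downgrade_blocked(false));
    printf("per-key store: stock boots again=%d downgrade blocked=%d\n",
           stock_recoverable(true), downgrade_blocked(true));
    return 0;
}
```

In this model the per-key store keeps downgrade protection for each key's own images while one key's inflated index no longer locks out another key's image; which keys the device accepts at all remains a separate decision.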

  6. "No advantages" by 93 Escort Wagon · · Score: 4, Informative

    This has no advantages other than making it hard for users to install ROMs or to revert to a previous official ROM to restore missing functionality.

    No advantages - except enforcing security, whether you want it or not. And the story link provided even says Rollback Protection can be disabled.

    Now you may not want it - you may think you're smart enough to not need it - but let's not pretend there's no reason for this.

    The summary's proffered example of "no easy rollback from windows 10 to 7" is technically true, but overstating things quite a bit for dramatic purposes. More relevant analogs would be "no easy removal of Windows security patches you've previously applied" and "no easy rollback from your current Linux kernel to the previous one which contained a remote root exploit".

    --
    #DeleteChrome
  7. Reset-persistent malware; Google Play Movies by tepples · · Score: 3, Interesting

    If you're buying an Android device used, you want to know whether the previous owner hasn't installed malware that persists across an apparent factory reset. Popping up a "This device runs a custom operating system" notice while the bootloader is loading the kernel is an unobtrusive way of doing this.

    If you're buying an Android device, and you watch movies, you want a wide selection of movies. Google can do one of two things. It can keep its license from major movie and television studios to offer their works through Google Play by continuing to improve the digital restrictions management that deters copying a rented stream. Or it can lose its license and pull the works from Google Play, and end users will end up having to buy an iPod touch, iPhone, or iPad in order to continue to watch notable movies and television series once the licensed apps become iOS-exclusive.

  8. Baaah Baaaaah. by CrashNBrn · · Score: 4, Informative

    What ClickBait. This has nothing to do with custom ROMs.

    "RollBack Protection" prevents the device from booting from an earlier major version of Android. So as to prevent would-be thieves from easily wiping the device and obviating Android Oreo's security mechanisms.

    Android 8.0 Oreo Review

    No more OS downgrades—If an attacker steals your phone, Android has several security features in place that will make it more difficult to access your device. It doesn't help matters much if the attacker can just downgrade the operating system to a version that didn't have those protections in place, so with that in mind Android 8.0 introduces "rollback protection" into the Verified Boot process. With rollback protection, Verified Boot will no longer start up an OS that it detects has been downgraded to an earlier version.

    Developers (or Android-obsessed journalists) that need to downgrade their device to an older version for testing or checking something can disable this feature, which will trigger the usual slew of boot-up warning messages. Google also says it has "hardened the bootloader unlocking process," which should make it harder for bugs or malicious apps to unlock the bootloader without user approval.

  9. Hobson's choice: the feature or no device by tepples · · Score: 2

    For any device that is sold with the feature, you're knowingly purchasing a device that performs this check. That means you don't care enough to check, don't mind it, or want the feature.

    Or you have checked, the result being that all devices available to the public include the feature, and you begrudgingly accept the feature. This, for example, is true of the "Windows 10 preinstalled, no other OSes warranted" feature of every non-Apple laptop PC shown in a U.S. retail chain's showrooms. Technically, one might argue that this falls under "don't mind it" but I felt that this sort of Hobson's choice was worth mentioning.

  10. This does not prevent custom ROMs! by Namarrgon · · Score: 5, Informative

    As is made clear further down, the rollback index does not prevent custom ROMs, old versions, or anything else from being installed IF the device's bootloader is unlocked - as has always been the case when installing custom ROMs.

    All it does is prevent locked devices from being downgraded (to a presumably less-secure version that could be exploited). Locked devices are locked for security, so this is entirely expected behaviour. If you would rather take control and manage your own security, you can unlock the bootloader at any time (at least on Google's own devices; YMMV with other vendors). Then you can install anything you want.

    --
    Why would anyone engrave "Elbereth"?
    1. Re:This does not prevent custom ROMs! by Sark666 · · Score: 2

      Good to hear. But regarding root, if I have a device that has a root procedure, I'll then be excluded from future OTA updates. Worse still, it tries to install and fails, and you have a non-booting device. To get the update you have to disable root, which causes other issues.

      I like having a device with root access but they make it a pain in the ass to actually maintain the device if you still want official updates. This doesn't apply if you have a custom ROM.

    2. Re:This does not prevent custom ROMs! by AmiMoJo · · Score: 3, Informative

      Root users can manually download and install OTA updates. I do it all the time.

      Having said that, my primary phone is unrooted and the bootloader locked. The only reasons I had to root have all become moot now - granular permission control and ad blocking. Both are available without root, and the extra security provided by a locked bootloader and fully encrypted phone is extremely valuable.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  11. iOS has more paid app and IAP revenue per user by tepples · · Score: 2

    You mean after the major movie and television studios see a mysterious 80-90% drop in revenue

    How so? Last I checked, revenue from paid apps and IAPs per user is nine times as large on iOS compared to Android. This gap is so big that it more than offsets Android's larger user base.

    1. Re:iOS has more paid app and IAP revenue per user by AmiMoJo · · Score: 2

      The methodology in that article is flawed.

      They measure the revenue from Google Play vs. the Apple Store. However, Apple requires all payments to go through Apple. The Amazon app on iOS can't process any payments, it takes you to the Amazon web site instead. Everything has to go through Apple, including all in-app purchases.

      Google is far less restrictive. You can install entire alternative app stores (and they are very popular in China and India). You can have your own payment systems, e.g. Amazon or Netflix directly. Netflix used to charge more on iOS to cover the Apple tax, I don't know if they still do.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  12. DRM requirement for 4K streaming by tepples · · Score: 4, Interesting

    Or Google can ask the providers why Windows gets a pass.

    Probably because it's easier to upgrade a random PC to the latest build of Windows 10 than to upgrade a random phone to the latest build of Android. This allows app developers to exclusively target a new feature update (such as Anniversary, Creators, or Fall Creators) where known holes in Protected Media Path and other digital restrictions management technologies in Windows 10 have been plugged.

    And no, Windows doesn't necessarily get a pass. No app (legally) plays UHD Blu-ray movies on Windows on a PC with a CPU older than Kaby Lake or an operating system other than Windows 10. You may also need to replace your motherboard with one that supports Intel SGX and your video card with one that supports AACS 2.0 and HDCP 2.2. (Source) Movie studios have put similar requirements on 4K streaming. (Source)

  13. Re:Been there with Secure Boot by Anonymous Coward · · Score: 2, Informative

    You realise you can still turn this "secure boot" system off completely with fastboot oem unlock and install anything you like, just like always?

  14. Re:not evil, just dumb by currently_awake · · Score: 2

    If the next version of the OS is found to have a massive security bug after you install it, with no work-around in sight, the logical temp fix is to roll back to the prior version. Or if the new version blocks "Install other OS" or some other useful feature without prior warning, you might choose to reverse the install.