Systemless Rooted Devices Now Fail Android Pay Security

February 1, 2016 - Written By David Steele

Rooting an Android device means granting yourself, and any applications you allow, access to the whole device. Rooting is a means of opening up Android, as it allows users to adjust all sorts of things above and beyond what standard Android will allow, but this also means we could damage the software of our device. There are many legitimate reasons why we might wish to root our device; for advanced users it’s the way to finely tune our handsets and tablets, incorporating features that the manufacturer or Google omitted, but for malicious applications it’s a way to circumvent ordinary device security systems and gain access deep within the operating system. From here, malware can propagate itself, access personal information, or perhaps both. For this reason, many higher-risk applications do not run on a rooted device. This is also the reason why many security-aware applications, such as online banking and savings, use their own keyboard design rather than risking a third-party keyboard collecting keystrokes.

Until very recently, the Android Pay application would work on a device that had systemless root applied. Systemless root is a method of rooting a device that does not interfere with the contents of the system partition on the device. It’s seen as a safer way of hacking an Android 6.0 Marshmallow device, as applying the root with the incorrect device kernel does not soft brick the device, but instead results in the root access not being applied. Systemless root was developed by long-time Android developer Chainfire, and when it was announced towards the end of last year it was discovered that Android Pay still worked with the systemless root applied. Chainfire explained that this was not by design and he expected Android Pay to be updated such that it would no longer work on a systemless rooted device.

Today’s news is that this has now happened: when an Android Pay transaction calls upon the SafetyNet check, devices with systemless root are failing the check and are unable to process a transaction. The Android Pay application will still open but cannot operate as designed. It appears that there is a workaround for systemless devices; users can downgrade either the Google Play Services or Android Pay applications to restore a working app, but otherwise the system needs to be unrooted for Android Pay to work. We’ve also seen that the corporate MobileIron safety check system is detecting systemless roots, meaning that systemless rooted devices will fail certain BYOD (bring your own device) Enterprise checks before being allowed to access corporate data.