Is Your Android Digital Signage Player Rooted?

December 16, 2014 by guest author, Alan Brawn


Guest Post: Mark Hemphill, ScreenScape

If you operate a digital signage network, chances are you’ve been hearing about new Internet-connected devices. They are transforming the way digital signage networks are built and managed. New Android-powered solutions are being lauded by software vendors and pundits as simpler and cheaper alternatives to the PC as a digital signage player.  

This guest post by ScreenScape founder Mark Hemphill weighs in on some of the pros and cons of this new class of devices. In particular, it focuses on a key requirement for most professional digital signage operators, and a primary concern of all network administrators: device security.  Is the new class of Android device safe to use in a corporate environment?

It starts with security

Device security has become an important topic among IT administrators in the wake of a series of high profile cyber attacks that resulted in damaging security breaches. Companies scrambling to seal up their systems from hackers are having to look in the unlikeliest of places for vulnerabilities.

In the recent Target payment card breach, hackers gained access to the retailer’s records through its heating and cooling system. In other cases, hackers have used vending machines, printers, thermostats and videoconferencing equipment.  How long before hackers start looking at digital signage media players?  If it were to happen, and a high profile security breach was traced back to poor security practices by a digital signage technology vendor, the entire industry could be in for a setback. 

Device security questions aside, the rationale for using Android-powered Internet-connected devices as digital signage media players has many strong points.

Arguments that they are simpler, cheaper, and more functional as a single purpose appliance are compelling. ScreenScape, for the record, is a big believer.  The new class of Internet-connected devices has the potential to help network operators achieve greater cost-efficiency and greater scale.  By helping to deploy more screens and reach more people with engaging content, they can help to accelerate the return-on-investment in digital signage projects.

So the new devices are potentially very good, but poor device security is most certainly very bad. The key question is: Can we deploy them in a manner that is safe and secure?  In fact this was the critical question the engineers at ScreenScape asked themselves when they began designing an Android-based solution in collaboration with Dell, called ScreenScape Connect.

Based on our findings, the problems associated with poor device security don’t lie with the Android operating system itself. When it is used as designed, Android has a security model that has been well thought-through.  Millions of devices, many of which are relied on for mission critical applications, run the Android operating system, and they do so safely and securely.

The hazards of rooting

When it comes to device security, too often the problem is actually in the way these devices are being used by software vendors to deploy their applications.

Based on the feedback we are getting from customers, systems integrators, and industry onlookers, it seems that many digital signage software vendors are choosing to ignore security best practices for developing their applications. For example, it’s not an uncommon practice for a software vendor, in the digital signage space, to deploy their technology on devices which have been rooted.

Rooting is the process of allowing applications to attain privileged control (known as “root access”) within the operating sub-system.  Here’s what the Android Open Source Project has to say on the subject: “Users that change the permissions on an Android device to grant root access to applications increase the security exposure to malicious applications and potential application flaws.”

It couldn’t be much clearer. There is no good reason, that we can think of, to deploy a digital signage application on a rooted device and, if security is even remotely a concern, it is certainly not advisable.  Operating systems like Android provide for secure methods for building and deploying applications.  An unseasoned vendor may choose to use a rooted device as a shortcut method of porting their application to a particular device.

While rooting a device may help to quickly get an application running on a new, low-cost device, the increased exposure to malicious attacks should discourage such corner-cutting.

This is not to say that using a proper, non-rooted device is the only measure you need to take to be fully secure, but it’s a fundamentally important one.  Rooting allows an application to bypass the Android security model resulting in a less-than-secure device that is much more susceptible to malware and cyber attack. For example, if your device is rooted, then it is wide open for somebody to install an app, and do all sorts of things to it.  A lot of bad stuff can happen.

The recent spate of high profile cyber attacks should be more than enough to deter any security-conscious IT manager from using a technology solution that doesn’t respect the Android security model.  If you happen to be engaged in digital signage, whatever software partner you might be working with, whichever devices might power your digital signs, here’s a simple question you should ask your technology provider to help avoid your own damaging security breach:  Are you using a rooted device?
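As an added example (not part of the original post, and not ScreenScape or Dell code), the script below is one way to triage that question from data captured off a player. It assumes the capture holds `adb shell getprop` output plus the paths of any `su` binaries found; the function names, indicator labels and sample captures are constructed for illustration, and the checks are common heuristics rather than proof either way.

```shell
#!/bin/sh
# Added example: offline triage of root indicators in data captured from a
# signage player. Heuristics only; a clean result does not prove integrity.

# Print the value of property $2 from `adb shell getprop` output in file $1.
prop_value() {
    awk -v k="[$2]: [" 'index($0, k) == 1 {
        v = substr($0, length(k) + 1); sub(/\]$/, "", v); print v; exit }' "$1"
}

# Print one line per root indicator found in file $1; nothing if none found.
root_indicators() {
    f=$1
    # Production firmware is normally signed with the vendor's release keys.
    [ "$(prop_value "$f" ro.build.tags)" = "release-keys" ] || echo "tags-not-release-keys"
    # Debuggable builds allow adbd to be restarted as root.
    [ "$(prop_value "$f" ro.debuggable)" = "1" ] && echo "debuggable-build"
    # ro.secure=0 means adbd starts as root by default.
    [ "$(prop_value "$f" ro.secure)" = "0" ] && echo "adb-insecure"
    # A su binary on a common path (taken from a captured listing).
    grep -Eq '^(/system/bin|/system/xbin|/sbin)/su$' "$f" && echo "su-binary"
    return 0
}

# Constructed sample captures: getprop lines plus any su paths that exist.
sample_stock() {
    cat <<'EOF'
[ro.build.tags]: [release-keys]
[ro.debuggable]: [0]
[ro.secure]: [1]
EOF
}
sample_rooted() {
    cat <<'EOF'
[ro.build.tags]: [test-keys]
[ro.debuggable]: [1]
[ro.secure]: [1]
/system/xbin/su
EOF
}

# check_sample NAME: run the checks against one constructed sample.
check_sample() {
    tmp=$(mktemp) || return 1
    "sample_$1" > "$tmp"
    root_indicators "$tmp"
    rm -f "$tmp"
}

echo "stock:  $(check_sample stock | tr '\n' ' ')"
echo "rooted: $(check_sample rooted | tr '\n' ' ')"
```
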

The story behind ScreenScape Connect

ScreenScape began working on the software that would eventually power ScreenScape Connect back in the summer of 2012.  One of the key hurdles we knew we had to climb was finding a true engineering partnership with a brand-name hardware provider.  Device security was top of mind from the outset. We knew in order to develop a smart and secure device for digital signage, we needed a solution that was a happy marriage of software and hardware.  We began scouring the globe and evaluated many of the new Android-powered devices that were first to arrive on the market.

Wherever we looked, we found the same problems.  Many of the vendors were pushing consumer-grade devices that were designed for home entertainment purposes; they were intended as YouTube and Netflix players for the living room.  Most of the vendors didn’t really have engineering teams.  They were interested in retailing cheap devices in massive quantities, not in working with industry partners to develop security-conscious technology solutions to solve a specific business problem.

It was unsettling to learn that many providers of the new generation of Android-powered devices were either ready to “look the other way” or actually sanction the practice of rooting.  This practice said everything we needed to know about their approach to serving the professional digital signage industry. Device security wasn’t their concern.  As tempting as it was to cut corners and be first to market with a low-cost Android-powered device, we weren’t about to get started down the path with a partner that was OK with us deploying our solution on a rooted device.


Our search continued for over a year, until we found Dell Wyse and their device, the Android-powered Cloud Connect (which was code-named Project Ophelia at the time).  That’s when it started to come together.

Of course, Dell is a name-brand hardware manufacturer with a global support network.  Dell has made a name for itself selling to the enterprise.  We also knew that Wyse had made a name for itself building quality routers, and didn’t cut corners when it came to device security.  We discovered that the folks at Dell Wyse had a strong engineering team that was as interested in working with ScreenScape, as we were in working with a reputable provider of Android-based devices.

We began to collaborate, in earnest, on what would eventually become ScreenScape Connect. The goal was to deliver a new kind of smart device, purpose-built to perform as a simple yet secure digital signage appliance.

Just taking Cloud Connect off the shelf and rooting it would have defeated the goal of the project.  Instead, we worked with the engineers of Wyse to develop secure APIs that would allow ScreenScape software to integrate seamlessly with the device’s firmware.   We co-engineered a solution that would allow ScreenScape users to remotely control and manage the device, while encrypting the transmission of data between the device and our servers.

As a result, the device software is properly signed by the manufacturer and virtually tamper-proof.  Going through this process also got us “closer to the metal” and helped develop a higher-performing, more reliable solution.

The takeaway

We like to think that others in the space can learn from our experience. Place-based media is certainly a new and exciting industry.  New entrants are joining the industry at a quickening pace.  Naturally, we’d like to encourage all vendors, new and old, NOT to cut corners.  There ARE reputable hardware providers out there that are willing to work with you on implementing your software on their device in a secure manner.  We application developers should hold ourselves to a high standard when it comes to device security.

For the industry to avoid a setback and continue to gain in credibility as a professional marketing channel, and one day achieve web scale, it’s important that we set the bar high when it comes to the rigours of software quality.

While it wasn’t easy for us to find the engineers at Dell Wyse, and it took time to work with them to develop a secure, purpose-built device, it’s something any professional software vendor can achieve if they are willing to accept the challenge of doing it right.

For what it’s worth, our advice is this:

Let’s all strive to build reliable software that’s been implemented securely.  After all, if an application vendor is trying to cut corners when it comes to device security, where else are they taking shortcuts?

  1. Ray says:

    Gotta love the fear mongering.. sure hope this drums up some business! The real security lies in the network, not on an individual appliance. Besides, a compromise of your signed app would result in root privileges anyway so not sure what the difference would be.

  2. Mike says:

    Nearly all rooted devices still require approval of apps individually before they gain root access. With no input mechanism, privilege escalation of another app on a rooted device is unlikely.

    As Ray points out, you have introduced the same attack vector by granting your signed app root privileges anyway. Was this really necessary?

    The key problem, as I see it, is the possibility of getting out of the digital signage app and into Android system settings or the launcher. However, you don’t need a rooted device or app with root privileges to prevent this…

  3. Mark, thank you for the article. You do highlight some of the strengths of the Dell Cloud Connect as a digital signage player for enterprise deployments. While I would not agree fully with your assessment that rooting an Android device makes it inherently unsecure, any more than a PC or Mac (which have file system level access by default) would be categorized as inherently unsecure, understanding device security is important for digital signage providers. Security is a holistic approach including how you secure your network, what security features you build into your software and how you configure on the OS level that lead to a secure environment. There are solid best practices for all of these areas. That said, working with a strong, business minded partner like Dell to create well thought out, secure, digital signage solutions allows for better, faster and lower cost deployments. Nanonation, a 7+ year Dell partner, has been deeply involved with Dell in the “co-engineered” API development you referenced and we use the exact same API/loading process on Cloud Connect as you do; also without root access. We agree it’s a great platform, but it is only one piece of the security puzzle.

  4. Mike and Ray, naturally our app doesn’t have root access. That’s the point.

    Zachary, well put. Like I say using a non-rooted device is not the only measure you need to take to be secure, but it’s an important one.
