Android 4.4+, KitKat, device owners, especially Samsung Galaxy series, Nexus, Sony Xperia and LG on AT&T contract can now root their devices with the help of one app only. The app in question is a result of collaboration of geohot (George Hotz), jailbreak and root veteran, and Pinky Pie, anonymous teenage code reviewer.
Geohot is now officially the winner of XDA $18,000 bounty for rooting Samsung Galaxy S5 on AT&T and Verizon.
You can’t get Towelroot on Google Play, of course, but you can easily download it here. The app comes with perfect timing, when many high-end device owners are getting desperate for root. WonderHowTo gives a detailed walkthrough of the process, with further suggestions on how to control your apps after you’ve rooted your device. Nonetheless, there is an even more important insight published on Geeksided about security implications of the Android kernel exploit, so weighing in on the awesomeness of root tweaks against security is also worth doing.
But first things first, geohot says the app should work with all KitKat devices (on AT&T and Verizon or not), and here is an approximate list of devices that were successfully rooted with Towelroot:
- Samsung Galaxy S4 Active
- Google Nexus 5
- Google Nexus 7
- Samsung Galaxy S5 on AT&T or Verizon
- Sony Xperia Z1 Compact
- Samsung Galaxy Note 3 both AT&T and Verizon
- LG G2
Towelroot did not work on HTC One M8, Moto E, Moto G and HTC One Mini, according to LifeHacker. However, geohot suggests you send him an email with your device’s specs if it did not work for you. So, some updates may be in the works sometime soon for the craving folks.
The rooting process itself is really quick if compared to the old-school rooting: you enable app installation from unknown source in the Settings -> Security; download Towelroot apk; install and run it. Your device will reboot then. You can use Root Checker to verify that your device has been rooted, indeed.
Next, you should install an app that would control root access of apps installed on your device to prevent utter malware from making a mess out of your high-end device. So, SuperSu, a root management app is recommended by many authority resources, although some Google Play users report their devices going into a constant reboot loop after the latest update. WonderHowTo details on the rooting and SuperSu usage for the uninitiated users, while those of you who know what they are doing will most probably head straight to Xposed framework, which is reported to work just fine on devices rooted with Towelroot. XDA Developers Forum has already generated a hefty load of ‘omg omg omg!!!’ user comments in the Towelroot thread. Some users report the Towelroot worked even on devices with locked bootloader. It is also worth mentioning that trying, even if failed, won’t render your devices useless, or bricking.
Now, for the catch. In case you didn’t know, rooting voids your warranty, but most importantly, it will grant any app root access if it should request it. Taking into consideration the recent Google update on Apps Permissions and security repercussions of it, this may pose a real danger to many devices, since developers can now add more access request in the updates, and if you have automatic updates enabled, you won’t even know your apps gained new powers, but with root access they can do basically anything – pull your data, personal and financial, contact lists, take and upload audio and video, or make expensive phone calls, trace your location – well, it’s a Terminator Judgment Day scenario in the scale of mobile devices. So, by all means make sure you know what you are doing, and if it’s your first time, consider if you really need those tweaks, and if you want to take that risk.
As explained by Jacob Long of Geeksided, Towelroot is a security nightmare, and here is why. Rooting gives you access to system files and directories otherwise inaccessible, as well as grants third-party apps installed on the device access to those system directories. Hence, if any developer knowing of the Towelroot exploit may take advantage of it for utterly malicious purposes.
Towelroot exploits the part of Linux kernel that is basic to all Android devices (and Linux distributions). Whereas Linux distributions are being quickly patched, Android devices receive OS updates via a long chain of Google -> Manufacturer -> Wireless Carrier, with older devices left behind. What this means is third-party apps will be able to achieve root access without user permission:
“. . .the app runs some code, the code crashed [sic] android and leave it confused, in its confused state it thinks that the app should be root, then the app installs something to allow other apps to become root,” says Reddit user.
Geohot is a cool trusted white-hat, i.e. honest, guy, but if any malicious developer with an app that has been downloaded by many users achieves this exploit, he can create an update to his app that would run the above-described script and cause a lot of damage. With Towelroot being recent news, we have yet to hear reports of this happening, but it might be just a matter of time.
In conclusion, Geeksided suggests all Android devices that haven’t been updated since June 3, 2014 are vulnerable to the exploit, and disabling apps auto-update, as well as not installing updates for apps you don’t trust is recommended.
SuperSu might solve that problem, provided it works on your device and provided you trust the app is 100% accurate. As usual, by achieving root access, rejoice, but proceed with caution.
You may want to check out:
- How to Root Your Android Device
- Apps Permissions in Android Security Risks
- Towelroot Rooting Video