Android KitKat 4.4 introduced many changes that make it increasingly difficult for anyone to make system-level changes to the OS. Features such as SELinux and the dm-verity kernel feature are used during boot and to verify stored files.
These also help detect modifications made to the device at the block level, instead of waiting for them to surface at the file level. In essence, dm-verity prevents root software from modifying the device's file system, and detection happens very early.
How Does It Actually Work?
dm-verity relies on a SHA-256 hash linked to each block of the device. A block is simply the unit in which storage is physically addressed and is no larger than 4 KB on most flash devices. These hashes form a tree, and only the “top” ones need to be trusted for the whole file system to be trusted. If any block is modified, its hash no longer matches and the chain of hashes breaks.
The boot partition also holds a public key, which OEMs are expected to verify externally, either through the bootloader or with the help of CPU features. This public key is then used to confirm the validity of the signature on the file system.
To reduce verification time, blocks are verified only when they are accessed, and verification runs in parallel with the read operation so that it adds no latency to storage access. If verification fails, for example because files in the system partition have changed, a “read error” is generated.
Depending on which application is accessing the data, the system allows it to continue as long as the result is not too dangerous to the health of the device. Applications may also be refused by the system.
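A simplified model of the hash tree and the verify-on-read check described above, as an added example that is not from the original article or from Android's own code. The 128-digest fan-out, the zero padding and the class name are assumptions of this sketch; real dm-verity also uses a salt and an on-disk metadata format that are not modeled here.

```python
import hashlib

BLOCK = 4096           # data block size (4 KB, as in the text)
FANOUT = BLOCK // 32   # SHA-256 digests per hash block (assumed layout)

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def pack(digests: list) -> bytes:
    # Pack up to FANOUT digests into one zero-padded hash block and hash it.
    return sha256(b"".join(digests).ljust(BLOCK, b"\0"))

def build_tree(image: bytes) -> list:
    """Return hash levels: levels[0] = per-block digests, levels[-1] = [root]."""
    if not image or len(image) % BLOCK:
        raise ValueError("image must be a non-empty multiple of the block size")
    levels = [[sha256(image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([pack(prev[i:i + FANOUT]) for i in range(0, len(prev), FANOUT)])
    return levels

class VerifiedDevice:
    """Read-only view that checks each block against the trusted root on access."""

    def __init__(self, image: bytes, levels: list, trusted_root: bytes):
        # image and levels live on untrusted storage; only trusted_root is trusted
        # (in the article's scheme it is covered by the signature check at boot).
        self.image, self.levels, self.root = image, levels, trusted_root

    def read_block(self, n: int) -> bytes:
        data = self.image[n * BLOCK:(n + 1) * BLOCK]
        digest, idx = sha256(data), n
        for level in self.levels[:-1]:
            if level[idx] != digest:
                raise IOError(f"read error: block {n} failed verification")
            # Recompute the parent from the stored digests in the same hash block.
            start = (idx // FANOUT) * FANOUT
            digest = pack(level[start:start + FANOUT])
            idx //= FANOUT
        if digest != self.root:
            raise IOError(f"read error: block {n} does not chain to the trusted root")
        return data
```

Only the block being read and the hash blocks on its path to the root are touched, which is why untouched blocks cost nothing and a modified block surfaces as a read error at access time, even if the stored hashes were rewritten to match it.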
Sufficient Deterrent In Place Now
This suggests that rooting or modifying devices running Android KitKat 4.4 is no longer as easy as it used to be. These measures by Google may not succeed 100% of the time, but they serve as a sufficient deterrent, and OEMs will find it difficult to permit custom kernels as they could earlier.
Only if you are able to change the device kernel can you bypass this safeguard. You can then disable dm-verity and use keys to authenticate or carry out system changes on your own. Users who have bought carrier-branded devices with a locked bootloader would do well to heed this warning to prevent their devices from getting bricked.