Rooted Android

Rooted Devices: It’s Not the Device That’s the Problem

The E-Commerce & Financial Services Conundrum

If you’re an online merchant or a bank and a customer shows up to your website with a rooted device, this is the equivalent of ringing a huge alarm bell for fraud management teams, and as a result, most sane fraud/risk managers will decline that transaction without hesitation.

However, as the saying goes, where there is a risk, there is an opportunity. Putting the concepts of mobile phones and rooting together is not something customers and risk managers would have considered before behavioral biometrics came along. Rooted mobile devices, and particularly Android smartphones, are deemed to be compromised endpoints that are easily subject to malware infection and should be avoided.

As much as North American fraud teams and risk departments might shudder to think of it, rooted Android devices are the norm in countries outside of North America. Tencent research shows that 80% of Chinese users had a rooted device. Even though this data pre-dates the rapid growth of mobile devices (they were still replacing existing desktop interfaces), much of the information is still relevant today if the ubiquity of rooting services available online is any indication.

The reasons why a user would voluntarily root (reset) their phone is because in many markets end users aren’t allowed access to the latest and greatest hardware. The Tencent study shows that many Asian users go through equipment fatigue because the manufacturers and phone companies do not allow them to update the operating systems on their devices at will, instead, forcing them to buy new phones. Stuffed with unneeded apps and services (‘bloatware‘) that are next to impossible to remove, most smartphones in China are blocked from any customization. Users can’t adapt their devices to their tastes and must live with the supplied configuration in much the same way as an appliance, like a fridge or a toaster.

Consequently, many Asian users are finding creative solutions to maintain the functionality of their phones and ‘game’ some control over their devices by rooting. Given that the younger generation in Asia has grown up with technology, rooting and modding a phone is not unusual or particularly troubling.

The Tencent study comes from a leading provider of Internet value-added services in China. It lends weight to the argument around how risk associated with rooting a device may need to be re-evaluated based on the geographic markets served. This idea poses an interesting dilemma for banks and merchants.

Is the risk valid? Are Android devices the target of hackers and malware? Many studies have shown how rooted devices are often infected with malware and much of this malware comes from Chinese sources. However, there is the now the ability to evaluate and manage this risk in real-time by moving from a hardware-centric approach to validating a user holistically. The fact that a large consumer market like China has 80% of their Android devices rooted means there are many missed business opportunities if the merchant or bank is only using hardware as a single data point to validate the user behind the device. This means many legitimate Chinese customers and their transactions are falsely declined on this basis.

Using holistic non-hardware-centric multi-factor approaches, rather than focusing on a single point of data, can help allow companies and banks understand who is a living and breathing client versus a bot. With the typical mobile user, it’s common to have up to three devices in various forms. The users behind these devices have money to spend, and a focusing on the hardware device eliminates a large potential customer base.

In this age of mobility during customer discussions, it’s increasingly apparent that hardware or device information is the only data point that many banks or e-commerce companies have in their existing toolbox. Focusing on the device has had its time, and does not work well in a mobile-centric world. How a car looks tells you very little about who is behind the wheel.

Being able to tell whether a device is rooted is useful in some locations, but isn’t a relevant indication of risk in some geographies. A far better way to manage risk is to be able to determine and predict a user’s behavioral interaction with the site. If you want to know more about a user and whether you are interacting with automation, an aggregator for example, or a ‘human farm,’ it’s better to study the interaction they have with the device and the mobile application. View this relationship in the context of their geography, settings, and behavioral interaction between them, the device, and the sites they are visiting.

Rooting phones is a practice that is giving Asian smartphone users some control over their devices. It’s an interesting consideration. Not only could review teams take a more nuanced approach to declining rooted devices, but it’s a reminder that the entire online identity verification framework desperately needs to move beyond endpoint and single point into a more complex multi-factor paradigm that offers a more complete and holistic understanding of users.

Want to read more posts like this? See our full blog here.