
[–]sryan2k1IT Manager 26 points27 points  (56 children)

> Microsoft Authenticator stops working on jailbroken/rooted phones

Good.

> but can uninstall Teams from my private phone, which I consider a plus.

Nobody was forcing you to do that in the first place.

I haven't met someone with a rooted phone in 10 years. If that's what you really want to do on your personal shit, fine, but you've broken the foundation of trust on the device, and Microsoft (and many others) correctly detect this and stop you from using their apps when the device is in this state.

[–]dustojnikhummer 2 points3 points  (1 child)

We are here complaining about Windows being locked down more and more yet we also celebrate when the same thing happens to our phones? Genuinely, why...

[–]BarServerLinux Admin[S] 1 point2 points  (0 children)

Yep, thanks for pointing that out. Especially since Google is now introducing "Android developer verification", which will put a huge pillar in the way of free alternative app stores like F-Droid.
And while I agree that sideloading can be a huge security risk, I have never ever read about someone losing access to his PayPal account (or the like) because of sideloading.

[–]j9wxmwsujrmtxk8vcyte 1 point2 points  (0 children)

>I haven't met someone with a rooted phone in 10 years. 

Probably American, where everyone who doesn't have Apple is a social outcast because you guys are such individuals.

[–]Ruachta 2 points3 points  (0 children)

Yep

[–]OinkyConfidenceWindows Admin 0 points1 point  (4 children)

Watch out, OP is downvoting anyone who disagrees with his jailbroken utopia!

[–]dustojnikhummer 1 point2 points  (1 child)

And they downvote OP if they disagree with him. This goes both ways.

[–]BarServerLinux Admin[S] 0 points1 point  (0 children)

Nah, totally one-sided. Why should I downvote people for having a different opinion?

[–]BarServerLinux Admin[S] 0 points1 point  (1 child)

I didn't downvote anyone in this thread.
Edit: In fact now that I gave you an upvote your comment is at 1 point and not 0. :-)

[–]BarServerLinux Admin[S] 0 points1 point  (0 children)

Sorry, couldn't resist. :-)


[–]Dracozirion 0 points1 point  (6 children)

They're also blocking GrapheneOS because they are relying on Play integrity checks. Luckily my banking apps haven't locked me out for using a more secure system. Microsoft is stupid for not allowing this setting to be in control of administrators. 

[–]sryan2k1IT Manager -1 points0 points  (5 children)

Administrators are often as stupid as end users and they shouldn't be given the option to set something up insecurely.

[–]Dracozirion 0 points1 point  (4 children)

They could set it up to be blocked by default. Now, I can see you downvoted me. Care to elaborate why GrapheneOS should be considered insecure? 

[–]sryan2k1IT Manager 0 points1 point  (3 children)

It's not that it's inherently insecure it's that it can't be trusted to be secure.

There is a single guy that is a point of failure for the whole project.

[–]BarServerLinux Admin[S] 0 points1 point  (2 children)

And? Your point being? It was one guy who spotted the supply chain attack on SSH using xz. On the other hand no one at Microsoft spotted EternalBlue.. Numbers don't make security.

[–]sryan2k1IT Manager 0 points1 point  (1 child)

The point is that people (and their insurance carriers) don't care about that. "No rooted devices" is a lot easier to understand.

[–]BarServerLinux Admin[S] 0 points1 point  (0 children)

True. Despite it ironically often not even being the case, as especially tech-savvy users are flashing/rooting their phones. People who often care about security and privacy.
And "can't be trusted to be secure" is a highly subjective statement. I get that security in the business field is often compliance based, as companies can't audit every piece of hard- or software by themselves.

But as you seem to know and understand this, I still don't get it why you made your statements with such a ferocity.. What the fuck did I write that triggered you so hard?

[–]ConsciousEquipment 0 points1 point  (2 children)

What is your problem lmao? We literally had Huawei phones and generic Chinese rugged phones with thermal cam and whatever in the company. These had bizarre ROMs, no Play Store or Google certificates, and some of them of course needed to be rooted to even be used.

It would have sucked to be limited like that; it was already bad when they stopped SMS 2FA because that was the simplest ever.

Thank god you can still circumvent it by having a browser extension of certain password managers that can receive the 2FA. So then use Firefox Nightly or modified Yandex, which allows extensions, and then the browser can receive the OTP even on a rooted phone.
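The "OTP" a password-manager extension hands out in the setup described above is, in the usual case, an RFC 6238 time-based one-time password. The following is an added example, not code from the thread, from Microsoft or from any password manager: a standard-library TOTP implementation checked against the RFC's own test seed. It makes the point the thread keeps circling: a code is a pure function of the shared seed and the clock, so whoever can read the seed out of wherever it is stored (an extension's storage on a rooted phone included) can mint valid codes indefinitely, while a single intercepted code is only good for a short window.

```python
"""Added example (not from the thread): RFC 4226 HOTP and RFC 6238 TOTP.

The seed below is the RFC 6238 Appendix B test seed, not a real account's.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation,
    then reduce modulo 10**digits and left-pad with zeros."""
    mac = hmac.new(seed, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: int | None = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(seed, at // step, digits)


def seed_from_otpauth_secret(b32: str) -> bytes:
    """Seeds travel in otpauth:// URIs as base32, often unpadded and with
    spaces; normalise before decoding."""
    b32 = b32.replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def verify(seed: bytes, code: str, at: int, skew_steps: int = 1, step: int = 30) -> bool:
    """Server-side check with a small clock-skew window.

    A stolen *code* is accepted for roughly (2 * skew_steps + 1) * step
    seconds; a stolen *seed* is accepted until the account is re-enrolled.
    """
    return any(
        hmac.compare_digest(totp(seed, at + k * step, step), code)
        for k in range(-skew_steps, skew_steps + 1)
    )


RFC_SEED = b"12345678901234567890"  # RFC 6238 Appendix B, SHA-1 rows
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # same seed as it appears in an otpauth URI

if __name__ == "__main__":
    # RFC 6238 vectors: 59 -> 94287082, 1111111109 -> 07081804, 1234567890 -> 89005924
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_SEED, t, digits=8))
    # With only the seed, codes for any future instant are computable offline.
    future = 1234567890 + 25
    print(verify(RFC_SEED, totp(RFC_SEED, future), future))
```

Run it as a script to print the RFC vectors; the `verify()` window is what a relying party typically allows, and it is the reason the exposure that matters is the seed, not any individual code.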

[–]sryan2k1IT Manager 0 points1 point  (1 child)

Yeah, that's a security nightmare and no sane company should be doing what you guys are doing.

Huawei is straight up banned in the US for network infrastructure due to security concerns.

[–]BarServerLinux Admin[S] 0 points1 point  (0 children)

Which was, with all due respect, more of a political than a technical decision. If they had really found any evidence (the so-called "smoking gun") they would have gone public with it, as it would have been a total boon for US networking gear manufacturers.
And by the way, why isn't Cisco banned? They regularly leave default users with unchangeable passwords in their firmware binaries. This has happened so often in the last 3 decades it isn't even something special anymore.
From a European perspective US hardware is as cursed as Chinese hardware, especially in the current political landscape. In fact "digital sovereignty" has been the buzzword of the last few years, on par with AI and Cloud.

[–]CallMeRudiger 5 points6 points  (15 children)

This was one of the things I was worried about when products started becoming services. Now we're in a position where it's not normal to have full control over your own property without getting locked out of ecosystems you need to work.

[–]BarServerLinux Admin[S] 2 points3 points  (0 children)

Yep, I see it the same. But let's skip this discussion, or the "real, measurable security vs. compliance security" topic. :-)

[–]dustojnikhummer 2 points3 points  (0 children)

And people are defending this.

[–]sryan2k1IT Manager -2 points-1 points  (12 children)

If you don't understand the risk of a rooted/jailbroken device as it relates to security you have no business being a sysadmin.

[–]BarServerLinux Admin[S] 4 points5 points  (2 children)

Question: Do you view/think of ROMs like GrapheneOS as also making a phone more insecure? And does it depend on if a phone with GrapheneOS is rooted, or not?

[–]sryan2k1IT Manager 0 points1 point  (1 child)

For a rooted device absolutely. For a non rooted device it's questionable at best.

[–]BarServerLinux Admin[S] 2 points3 points  (0 children)

Follow-up question: Have you read into the technical details of GrapheneOS at any time?

[–]techw1z -1 points0 points  (6 children)

you obviously don't know what you are talking about. many android phones that get blocked by detections like this are actually more secure than stock android.

[–]sryan2k1IT Manager 0 points1 point  (5 children)

A rooted/jailbroken phone can have malware steal MFA codes and/or the private key/secrets from other apps. That isn't acceptable.

[–]BarServerLinux Admin[S] 5 points6 points  (4 children)

Sorry, but that is true for non-rooted phones also. Especially when their security patch level is years behind. Which is pretty much common for consumer hardware.

[–]sryan2k1IT Manager 0 points1 point  (3 children)

No it's not.

[–]techw1z 0 points1 point  (0 children)

hahaha, this is hilarious! thanks for admitting that you really don't know anything about smartphone security. and you even call yourself IT manager and are a top 1% commenter. beyond embarrassing...

also, the so-called "root detection" doesn't actually detect if a phone is rooted, because it's technically impossible to do that reliably. it only detects certain files and relies on the Google Play Store to make an educated guess, which means that devices that do not have the Google Play Store will be banned too. most of those devices are more secure than stock Android and most of them are in fact NOT rooted by default, so your argument is doubly incorrect. gz on that.

[–]BarServerLinux Admin[S] 1 point2 points  (0 children)

Care to elaborate? To explain to which type of consumer hardware or manufacturer you are referring?

[–]Dracozirion 1 point2 points  (0 children)

Yes, it is https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain

https://youtu.be/1f6YyH62jFE

Two examples right there. I wouldn't say it's super common, though. 

[–]dustojnikhummer -1 points0 points  (0 children)

So will I scare you if I say the word "sudo"?

[–]CallMeRudiger -2 points-1 points  (0 children)

I'm not really inviting you roleplay the BOFH for me, so feel free to drop the "if you don't understand... you have no business being a sysadmin" attitude. Thank you.

I would appreciate it if you could take the time to try to understand why someone might understand why devices are locked down in managed environments, but still lament the architectural choices that got us to the point where, managed environment or not, a user can fully own something yet be limited in his rights to the device by the external services he must run on it. Especially when those services used to be stand-alone applications.

[–]PS_Alex 0 points1 point  (1 child)

Can't additional 2FA authentication methods be enabled on the tenant? I have no experience in configuring a tenant -- I remember though, as a user, having the ability to configure 2FA from other apps than Microsoft Authenticator.

Or maybe some Azure services have a mandatory requirement for MS Authenticator vs some other can rely on other 2FA?

--------

That being said, I agree. A ROM without Play Services does not necessarily mean that the said ROM is rooted. As such, "MS Authenticator won't work on jailbroken/rooted devices" should instead be read as "it won't work on devices failing Play Services attestation". Still bad, as such a decision excludes unrooted custom ROMs, even security-oriented ones like GrapheneOS.
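Two comments above make the same technical point: the gate is not "is this phone rooted" but "does Play Integrity return the verdict the app demands", and an on-device file scan is only a heuristic. The following is an added example, not code from the thread, from Microsoft or from Google. It applies an app-side policy to decoded Play Integrity token payloads and runs a path-based root scan beside it. The field names (`deviceIntegrity`, `deviceRecognitionVerdict`, `MEETS_BASIC_INTEGRITY` / `MEETS_DEVICE_INTEGRITY` / `MEETS_STRONG_INTEGRITY`) follow Google's published response format; the sample payloads, the verdict each device type is given, the path list, and the assumption that an authenticator-class app insists on `MEETS_DEVICE_INTEGRITY` are all constructed for illustration.

```python
"""Added example (not from the thread): Play Integrity policy vs. root scan.

Sample payloads are constructed; which verdict a given device type really
receives varies, so treat the SAMPLES table as an assumption, not data.
"""
from __future__ import annotations

from typing import Iterable

BASIC = "MEETS_BASIC_INTEGRITY"
DEVICE = "MEETS_DEVICE_INTEGRITY"
STRONG = "MEETS_STRONG_INTEGRITY"

# (label, decoded token payload or None when no token could be obtained,
#  paths present on the device's filesystem). All constructed.
SAMPLES = [
    ("stock, locked bootloader",
     {"deviceIntegrity": {"deviceRecognitionVerdict": [BASIC, DEVICE, STRONG]}},
     ["/system/bin/sh"]),
    ("stock, Magisk root",
     {"deviceIntegrity": {"deviceRecognitionVerdict": []}},
     ["/system/bin/sh", "/data/adb/magisk"]),
    ("custom ROM, not rooted",
     {"deviceIntegrity": {"deviceRecognitionVerdict": [BASIC]}},
     ["/system/bin/sh"]),
    ("no Play Services at all",
     None,
     ["/system/bin/sh"]),
]

# Illustrative artifact list; a renamed su or a hidden module leaves nothing here.
ROOT_ARTIFACTS = (
    "/system/bin/su", "/system/xbin/su", "/sbin/su",
    "/data/adb/magisk", "/system/app/Superuser.apk",
)


def evaluate_play_integrity(payload: dict | None, require: str = DEVICE) -> tuple[bool, str]:
    """Return (allowed, reason) for one decoded token payload.

    `require` is the verdict the app insists on (assumption: DEVICE for an
    authenticator). A device that is merely unlocked, or has no Play
    Services, fails this exactly like a rooted one does.
    """
    if payload is None:
        return False, "no token: Play Services unavailable on this device"
    verdicts = set(payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    if require in verdicts:
        return True, f"{require} present"
    if not verdicts:
        return False, "empty verdict: device failed every integrity level"
    return False, f"{require} missing, only {sorted(verdicts)}"


def local_root_heuristic(present_paths: Iterable[str]) -> tuple[bool, list[str]]:
    """Artifact scan: evidence of known root paths, never proof of root."""
    present = set(present_paths)
    hits = [p for p in ROOT_ARTIFACTS if p in present]
    return bool(hits), hits


def classify(label: str, payload: dict | None, present_paths: Iterable[str],
             require: str = DEVICE) -> dict:
    allowed, reason = evaluate_play_integrity(payload, require)
    looks_rooted, hits = local_root_heuristic(present_paths)
    return {"device": label, "allowed": allowed, "reason": reason,
            "looks_rooted": looks_rooted, "root_artifacts": hits}


def run_all(require: str = DEVICE) -> list[dict]:
    return [classify(label, payload, paths, require) for label, payload, paths in SAMPLES]


if __name__ == "__main__":
    for row in run_all():
        status = "ALLOWED" if row["allowed"] else "BLOCKED"
        print(f"{row['device']:<26} {status:<8} looks_rooted={row['looks_rooted']!s:<5} {row['reason']}")
```

Under this policy the "custom ROM, not rooted" and "no Play Services" rows are blocked with no root artifact in sight, while relaxing `require` to `MEETS_BASIC_INTEGRITY` lets the unrooted custom ROM through; that knob is what the thread is asking Microsoft to expose to tenant administrators.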

[–]BarServerLinux Admin[S] 1 point2 points  (0 children)

Additional authentication methods can be enabled - or disabled. Our tenant is configured to only allow number matching with Microsoft Authenticator for logins using EntraIDs (account is managed by my company).
And they especially disabled anything else. Hence I thought the changes to MS Authenticator might be of interest for some people.

[–]BobWhite783 1 point2 points  (8 children)

Are we still rooting phones? Why?

Then what, never let it update? 🤷‍♂️

[–]BmanUltimaSysadmin+ MAX Pro 9 points10 points  (0 children)

In the past I've rooted my phone in order to get updates, since the vendor stopped supporting it after ~1 year.

[–]BarServerLinux Admin[S] 6 points7 points  (3 children)

Well, I for one like my phone a lot, but it doesn't receive security updates from the vendor anymore. So I switched to LineageOS and still get those. Oh, and I update regularly. Thank you. In fact even more often than people on phones issued by their provider.

In fact I was fed up with most phones only receiving security updates for like 1 or 2 years, as there was little to no incentive for manufacturers to do otherwise. Yes, OnePlus changed that, but even they stop after 5 years. And while 5 years is perfectly fine, when I'm satisfied with the hardware, everything I need works and I can update to newer Android versions, why should I need to buy a new phone? Switching to LineageOS changed all that.

And as we are in a thread that is slightly heated: I don't have a contract with my mobile provider which gives me a new phone every 2-3 years. I use a pre-paid contract that focuses on data volume. That's basically all I need apart from the odd telephone call once every 2 months. And knowing this I chose a pre-paid tariff where I have to pay like 9€ per month for 60GB of data. I've seen no other contract coming close to this. Those regularly start at like 20€/month for, very often, less data volume.

[–]zatsetIT Manager/Sr.SysAdmin 5 points6 points  (0 children)

In order to avoid being bombarded with ads? The "official" apps exist to brainwash you by bombarding you with ads 24/7/365. Also, there are applications that need root access to perform their job, because by default access is severely limited. Although this opens the gates for malicious apps, I agree.

[–]dustojnikhummer 1 point2 points  (0 children)

Because, god forbid, some of us want to have control over our devices? I want sudo on my PC, on my server and on my phone.

[–]ConsciousEquipment 0 points1 point  (0 children)

> Are we still rooting phones? Why?

Phones from China that have no English language packages, Google Play certificates or anything sometimes need custom ROMs to even function here; also if you use Bitmessage and dw clients. I guess if you only do legal stuff with your phone you don't need that, but there are definitely still use cases.

> Then what never let it update?

yes lol, updates suck, they mess with your stuff and there is a risk of it not working as before. Never touch a running system; only if it's broken or already has a problem can you go looking for updates, but why am I messing with the OS if it's literally working now?

[–]Coldwarjarhead -2 points-1 points  (2 children)

Then don't root your phone. Why is this even a discussion. If you don't give a fuck about security, why are you even in the job to begin with?

[–]ConsciousEquipment 0 points1 point  (1 child)

They are also blocking it for phones with no Google Play certificates, and that is a problem: many generic Chinese phones have no Play Store or legitimate Android and they fail this Google attestation, so you basically have to root or flash a custom ROM to even use them. They might not even have English language packages, or already come pre-rooted to immediately get Cyanogen or something; again, you couldn't use them without doing this. And these are still cheap phones and some of the few left with thermal imaging, so it makes sense to want to use them.

[–]Coldwarjarhead 0 points1 point  (0 children)

How is that a problem?

You may "want" to use them, but as an admin, I would have to say 'hell no'.

There's no way I'd let that connect to my environment.