Meet Jon, Root Exploit Seeker & Creator Of TimePIN
If you have been a long-time Android user who is not afraid of jumping into the world of custom ROMs and kernels, you’ve probably come across the work of “jcase.” He has released rooting procedures for a bunch of HTC devices — and more recently, Motorola, too — that work using various exploits in the firmware.
Recently, he released a very unique security app for Android devices — TimePIN — that automatically changes the lockscreen PIN depending on the time.
Today, we sit down for an interview with jcase, a.k.a Justin Case (his name on Twitter), and talk to him about the process of finding exploit-based root procedures, the idea behind TimePIN and the level of security in today’s mobile OSes.
Cult Of Android: Hi Justin! Before we start with the interview, please tell us a bit about yourself — what do you do full-time?.
Jon: Well, my real name is Jon. I’m in my 30s. A father of four kids: 3, 8, 13 and 15. And I have a lovely wife. I work in mobile security full-time, and have for the last few years.
I actually prefer my Android to be as secure as possible, which is one reason I like to advocate the purchase of an unlockable device instead of waiting for the next exploit. I research vulnerabilities, help design fixes and analyze malware as part of my day to day activities.
CoA: How did you gain interest in Android? How did the journey begin for you?
J: I purchased a phone, the Verizon HTC Eris, and was unhappy with the performance impact that the bloatware had. Back on Android 1.5 it was quite bad, especially with HTC. I couldn’t use the phone how I wanted, and no one published a root exploit for it.
CoA: You have found and released exploit-based root procedures for many Android devices. How exactly do you find them?
J: Vulnerabilities are found based on research; exploits are developed based off that research. The whole process is outside the scope of an interview. I am teaching a training session along with saurik, p0sixninja and some other incredible guys this summer.
CoA: According to you, which is the best OEM out there in terms of security and patching exploits? Also the worse?
J: The answer here is mostly whoever updates the quickest. So, we are primarily looking at Google Nexus devices — but Samsung and Sony have become excellent at patching vulnerabilities lately, especially back porting security patches to older versions of Android. Samsung’s SELinux implementation is likely the strongest. I do respect HTC and Motorola’s write protection implementations, but again all things are a matter of time.
I have no comment on who is the worst, pick whoever is releasing budget devices with out of date Android versions.
CoA: You recently released a new app on the Play Store — TimePIN — that sets your lock-screen code to the current time. How did you come up with the idea? What inspired you to create the app?
J: On reddit.com/r/jailbreak (yeah I know iOS), someone asked for a jailbreak tweak to do it. I thought I could do it on Android without root.
CoA: I see that you are very liberal in giving away premium licenses of your app, unlike so many other developers. Don’t you want to make any money off it considering all the hard work that you have put into it?
J: No! I have no care about the money in the long run, it was just a fun project. I’m going to open source it once time allows me to clean it up. At that point, anyone can build a copy with all the premium features and release it as they see fit.
CoA: Are you working on any other app? Or any new features for TimePIN?
J: The rare free time I have now is split between a rewrite of TimePIN, and a book on Android reverse engineering that I hope to see published late this year or early next. Hopefully, open sourcing TimePIN will free up more time.
CoA: Which Android devices do you use on a daily basis? And which one is your favorite?
J: I use a Nexus 5, but prefer the Galaxy S4. I just do not have the time to migrate back to it. I will soon, one day. Galaxy Nexus (GSM) is probably my all time favorite.
CoA: Galaxy S5 vs. HTC One (M8) vs. Sony Xperia Z2 — Which one would you buy and why?
J: I’m going to likely go with the Galaxy S5. My favorite feature of Sony was the waster resistance and now the S5 has it as well. I also like TouchWiz, yeah don’t shoot me please. I am not a Sense fan at all, so HTC is off the table.
CoA: According to you, which mobile OS is more secure? Android, iOS, Windows Phone, or BlackBerry? Is Android really as bad as analysts depict them them as?
J: I don’t know! I’ve seen people argue about how secure iOS is, but just like Android, it is a matter of time and every version gets jailbroken/rooted. WP and BlackBerry do not have the user base to attract the same amount of attention from researchers, they don’t belong in this question. The analysts want the same thing — attention at no cost; they don’t often care about integrity but page views.
CoA: Before we sign off, any tips for young Android security and mobile developers?
J: Read and watch.
And that’s it folks! Got any messages for Jon? Want to appreciate him for his hard work? Drop in a comment and do let him know!