December 8, 2021
To ensure that your users will be ready to use the SecurID 4.0 for iOS and Android app, make sure your users know that the app does not support devices that are jailbroken or rooted. This situation occurs when the user gains root access to the device operating system to allow installation of unsupported applications or make other unsupported modifications to the device. Jailbreaking or rooting a device bypasses the protections put in place by the operating system and provides a malicious actor with greater access to attack the SecurID app and its security features.
The SecurID 4.0 app protects your organization by automatically disabling itself on jailbroken or rooted devices. This important security feature follows best practices for secure software app deployment and maintains the security posture of the device by limiting malicious actors who might try to attack the device.
Attempting to install the SecurID app on a jailbroken or rooted device has the following impact.
| User Scenario | Consequences |
| User installed the SecurID 3.0 app on a jailbroken or rooted device. | The app displays a message warning that the device is jailbroken or rooted, but allows installation. |
| SecurID 3.0 user on a jailbroken or rooted device upgrading to SecurID 4.0. | User cannot open the app. |
| User with SecurID 4.0 already installed subsequently jailbreaks or roots the device. | The app automatically becomes disabled and the user cannot authenticate. |
You can help users understand that securing their devices is important to ensure the confidentiality, integrity, and availability of company assets. Instruct users to update their devices to an authorized (pre-jailbroken) state before they download the app.
For your reference, here are some of the links to published advisories and documents where we highly recommend not running apps on jailbroken or rooted devices:
- The recent SecurID 4.0 app advisories Get Your Users Ready for the SecurID 4.0 for iOS and Android App! (November 2021) and Prepare Your Help Desk to Support the SecurID 4.0 for iOS and Android App (November 2021) both state the SecurID 4.0 app does not support devices that are jailbroken or rooted.
- The October pre-release advisory Authenticators Unite – SecurID App 4.0 is Coming! (October 2021) includes the same information.
- The SecurID 3.0 app advisories RSA Announces Upcoming SecurID App Upgrade for the RSA SecurID Software Token App (May 2021) and RSA Announces the Release of the SecurID 3.0 App for iOS and Android (June 2021) state that a future release would prevent users from installing the app on jailbroken or rooted devices.
- The SecurID 3.0 app Software Token Administrator’s Guide (June 2021) for Android and iOS users states on page 13 that “Users should not download the SecurID app to a jailbroken or rooted device. The SecurID 3.0 app displays a warning message when a user attempts to do so. A future release will prevent the user from completing the download.”
- The advisory Important Announcement for RSA Authenticate for iOS App Users (January 2020) announced that the app would no longer run on jailbroken devices.
- The RSA Security Overview states that the RSA authenticator app can detect jailbroken devices.
- In March 2015, the RSA SecurID Software Token Security Best Practices Guide for RSA Authentication Manager 8.x was updated to state that “RSA SecurID Software Token products are not supported on rooted or jailbroken mobile devices.”
Users who attempt to install software on a jailbroken or rooted device will see the following app behavior.
|
RSA Authenticate app | Warns that the device is not compliant and prevents installation.
|
|
SecurID 3.0 app |
Displays a warning message. Provides time to prepare for the upcoming SecurID 4.0 app which prevents installation on jailbroken or rooted devices. |
|
Upcoming SecurID 4.0 app |
Warns that the device is not compliant and prevents installation. |
