In this article, we will look at the techniques that Android developers use to detect whether a device is rooted.
What is rooting?
Rooting allows users of the Android operating system to gain administrative control (known as root access). Rooting can be considered a form of privilege escalation.
Rooting means gaining administrative access to the operating system so you can install unapproved/unauthorized apps, remove bloatware, update or change the OS, replace the firmware, customize anything, etc.
Why is it dangerous?
On a rooted device, user-installed applications can run administrative commands that are unavailable in the stock configuration. Data kept on such devices is at risk, as there is no longer any guarantee of system security.
With a rooted device, a user can elevate their permissions to root and go around the system protections, gaining access to every app's confidential data.
How to prevent an application from running on a rooted device?
Verifying the integrity of the device is an important part of application hardening, and checking whether the device is rooted is one such verification.
There are several ways of detecting a rooted device.
Java Checks
- checkRootManagementApps –
Using the PackageManager Android library, it is possible to check for installed apps that are used for managing superuser/root access.
- checkPotentiallyDangerousApps –
Certain applications only run on rooted devices. This check verifies whether any such applications are installed on the device.
- checkRootCloakingApps –
Root-cloaking apps will block some of the tests, but we can still check whether such apps are installed.
- checkTestKeys –
The Android system image is signed with release keys; if it is signed with test keys instead, this could be a sign that a custom ROM is installed. This check inspects the build tags (android.os.Build.TAGS) for test keys. On custom ROMs the tag will be something like test-keys, whereas on official ROMs it will be release-keys.
- checkForDangerousProps –
This check reads several Android system properties that can only be changed on a rooted device. If the values do not match what a stock device reports, it flags the device as rooted.
- checkForBusyBoxBinary / checkForSuBinary –
On rooted devices the su (SuperUser) and BusyBox binaries are usually present, to perform privilege escalation and provide utility functions.
- checkSuExists –
Executes the su and id commands and checks whether the resulting UID is root.
- checkForRWSystem –
This check looks for system directories that should be mounted read-only but are mounted read/write.
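The following is an added example, not code from this article or from the RootBeer project, showing a hand-rolled subset of the checks listed above (test keys, su binary, su command, dangerous properties and read/write system mounts) combined into one verdict. It assumes it runs inside an Android app (android.os.Build is available); the su paths, property names and expected values are the ones such checks commonly use, and the class name RootChecks is an assumption.

```java
import android.os.Build;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.Reader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example (not the article's or RootBeer's code): a minimal set of root checks.
public final class RootChecks {

    // Locations where a su binary is commonly placed on rooted devices.
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
        "/system/sbin/su", "/vendor/bin/su", "/data/local/xbin/su", "/data/local/bin/su"
    };

    // Mount points that should be read-only on a stock device.
    private static final String[] READ_ONLY_MOUNTS = { "/system", "/vendor", "/sbin" };

    // checkTestKeys: official builds carry "release-keys"; custom ROMs typically carry "test-keys".
    public static boolean hasTestKeys(String buildTags) {
        return buildTags != null && buildTags.contains("test-keys");
    }

    // checkForSuBinary: does a su executable sit at any of the usual locations?
    public static boolean hasSuBinary() {
        for (String path : SU_PATHS) {
            if (new File(path).exists()) return true;
        }
        return false;
    }

    // checkSuExists: run "su -c id"; on an unrooted device su is missing or refuses, so this fails.
    public static boolean suCommandWorks() {
        Process p = null;
        try {
            p = new ProcessBuilder("su", "-c", "id").redirectErrorStream(true).start();
            try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
                String line = r.readLine();
                return line != null && line.contains("uid=0");
            }
        } catch (IOException e) {
            return false; // su not present or not executable
        } finally {
            if (p != null) p.destroy();
        }
    }

    // checkForDangerousProps: ro.debuggable=1 or ro.secure=0 should not appear on a production build.
    public static boolean hasDangerousProps() {
        return "1".equals(getProp("ro.debuggable")) || "0".equals(getProp("ro.secure"));
    }

    private static String getProp(String name) {
        try {
            Process p = new ProcessBuilder("getprop", name).start();
            try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
                String value = r.readLine();
                return value == null ? "" : value.trim();
            }
        } catch (IOException e) {
            return "";
        }
    }

    // checkForRWSystem: parse mount-table lines ("device mountpoint fstype options ...")
    // and return the protected mount points that are mounted rw.
    public static List<String> writableSystemMounts(Reader mountTable) throws IOException {
        List<String> hits = new ArrayList<>();
        try (BufferedReader r = new BufferedReader(mountTable)) {
            String line;
            while ((line = r.readLine()) != null) {
                String[] f = line.trim().split("\\s+");
                if (f.length < 4) continue;
                List<String> opts = Arrays.asList(f[3].split(","));
                if (Arrays.asList(READ_ONLY_MOUNTS).contains(f[1]) && opts.contains("rw")) {
                    hits.add(f[1]);
                }
            }
        }
        return hits;
    }

    // Any single check is weak on its own, so the verdict is the OR of all of them.
    public static boolean isLikelyRooted() throws IOException {
        return hasTestKeys(Build.TAGS) || hasSuBinary() || suCommandWorks()
                || hasDangerousProps()
                || !writableSystemMounts(new FileReader("/proc/mounts")).isEmpty();
    }
}
```

suCommandWorks() and getProp() spawn processes, so call isLikelyRooted() from a background thread rather than the UI thread. Each check is deliberately kept as a separate method so that the app can log which signal fired; a device that trips several independent checks is a much stronger indicator than one that trips a single path lookup.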
The above Java checks can be easily implemented in your application using the RootBeer Android library:
https://github.com/scottyab/rootbeer
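The following is an added example, not taken from this article or from the RootBeer project, of wiring RootBeer into an app. It assumes RootBeer has been added as a Gradle dependency (the version string below is a placeholder) and that the check is started from an Activity; the class name RootGate and the callback interface are assumptions, and RootBeer(Context), isRootedWithBusyBoxCheck() and isRooted() are the library's own public methods.

```java
import android.app.Activity;
import android.content.Context;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import com.scottyab.rootbeer.RootBeer;

// Added example (not the article's or RootBeer's code). Assumes the app declares
// implementation "com.scottyab:rootbeer-lib:<VERSION>" in build.gradle (<VERSION> is a placeholder).
public final class RootGate {

    public interface Callback {
        void onResult(boolean rooted);
    }

    private static final ExecutorService EXECUTOR = Executors.newSingleThreadExecutor();

    // RootBeer's isRootedWithBusyBoxCheck() runs the checks listed above and additionally treats
    // a BusyBox binary as a root indicator (isRooted() skips the BusyBox check). Some of those
    // checks spawn processes (su, id), so the work runs on a background thread and the verdict
    // is posted back to the UI thread.
    public static void check(Activity activity, Callback callback) {
        Context appContext = activity.getApplicationContext();
        EXECUTOR.execute(() -> {
            boolean rooted = new RootBeer(appContext).isRootedWithBusyBoxCheck();
            activity.runOnUiThread(() -> callback.onResult(rooted));
        });
    }
}

// Usage from an Activity, e.g. at the end of onCreate(). blockAndExit() and continueStartup()
// are hypothetical methods of your own Activity, named here only for illustration:
//
//   RootGate.check(this, rooted -> {
//       if (rooted) {
//           blockAndExit();       // e.g. show an explanation screen and then finish()
//       } else {
//           continueStartup();
//       }
//   });
```

Keeping the verdict handling in a callback lets the app decide its own policy (block, warn, or restrict sensitive features) without the UI thread waiting on process spawns.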
Please note that the techniques mentioned above are only a few examples of what an application can check to determine whether the device is rooted. There may be other root-detection methods that are not covered in this article.
Conclusion
From a security perspective, it is a good idea to stop users from running your app on rooted devices. It is possible to bypass root-validation techniques, so we highly recommend using multiple, layered validation techniques to make it harder for attackers to bypass your validation controls.