Root detection methodology in android which cannot be bypassed
I know that running an app which possesses sensitive information on a rooted device is not secure at all. So developers usually do root detection in such cases, and if the device is found rooted, then that app won't get installed. Everything is OK.

The major techniques used by developers in root detection are checking for the superuser.apk file, checking for Chainfire, BusyBox, executing the su command, etc. But an attacker can simply bypass these checks by several means, like renaming superuser.apk to superuser0.apk.

So what I am looking for is a unique solution for this issue where the root detection checks cannot be bypassed by an attacker. Please share your views even if such a solution doesn't exist, because the solutions from you guys might help in at least hardening the code of root detection.

Gay answered 4/12, 2014 at 10:30 Comment(0)
There is no "single solution" as far as I know, but you will need to check for the most common things. The following article is also useful: https://blog.netspi.com/android-root-detection-techniques/

And here are some tips ... also what you should not do: Determine if running on a rooted device

Pily answered 4/12, 2014 at 10:49 Comment(1)
Thanks for the link. :) I am waiting for more answers to populate. If none comes better than this, then I shall accept this as the answer.Gay
There is an open-source library called rootbeer and a sample app which performs the following checks to detect root.

  • CheckRootManagementApps
  • CheckPotentiallyDangerousApps
  • CheckRootCloakingApps
  • CheckTestKeys
  • checkForDangerousProps
  • checkForBusyBoxBinary
  • checkForSuBinary
  • checkSuExists
  • checkForRWSystem
Mither answered 12/2, 2017 at 8:21 Comment(1)
Just be careful as the rootbeer library will give off false positives simply because of the existence of some apps on unrooted devices. I've had two apps in particular tell me my unrooted device was rooted, simply because CyanogenMod's ROM Manager License, which does not show up as an icon in the launcher, got installed on the phone in the backup/restore process from my old phone. (Trawl reviews of Transport for London's Oyster app for examples of annoyed users who can't use an app due to getting false 'rooted' positives.)Halie
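A stand-alone illustration of three of the checks named in that list (checkForSuBinary, CheckTestKeys, checkForRWSystem), added here as example code and not RootBeer's own implementation; the `RootSignals` class name and the directory list are assumptions:

```java
import android.os.Build;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical helper (not RootBeer's code). Each method mirrors one check from the
// list above; hits are collected so the caller can require several independent
// signals rather than trusting any single one, each of which is easy to evade alone.
public final class RootSignals {
    private static final String[] SU_DIRS = {
        "/system/bin/", "/system/xbin/", "/sbin/", "/system/sd/xbin/",
        "/system/bin/failsafe/", "/data/local/xbin/", "/data/local/bin/", "/data/local/"
    };

    public static List<String> collect() {
        List<String> hits = new ArrayList<>();
        if (suBinaryPresent()) hits.add("su binary on disk");            // checkForSuBinary
        if (Build.TAGS != null && Build.TAGS.contains("test-keys"))
            hits.add("build signed with test-keys");                     // CheckTestKeys
        if (systemMountedRw()) hits.add("/system mounted read-write");   // checkForRWSystem
        return hits;
    }

    // Look for a file named su in the usual directories and in every PATH entry.
    static boolean suBinaryPresent() {
        List<String> dirs = new ArrayList<>(Arrays.asList(SU_DIRS));
        String path = System.getenv("PATH");
        if (path != null) for (String d : path.split(":")) dirs.add(d + "/");
        for (String d : dirs) if (new File(d + "su").exists()) return true;
        return false;
    }

    // Parse /proc/mounts (device mountpoint fstype options ...); flag /system,
    // or "/" on system-as-root builds, when its option list contains "rw".
    static boolean systemMountedRw() {
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/mounts"))) {
            String line;
            while ((line = r.readLine()) != null) {
                String[] f = line.split("\\s+");
                if (f.length < 4 || !(f[1].equals("/system") || f[1].equals("/"))) continue;
                for (String opt : f[3].split(",")) if (opt.equals("rw")) return true;
            }
        } catch (IOException e) { /* unreadable: no signal, not proof of root */ }
        return false;
    }
}
```

Returning the list of hits rather than a single boolean lets the app decide its own threshold, which also helps with the false positives described in the comment above.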
Check out Google's SafetyNet service: https://developer.android.com/google/play/safetynet/index.html

It will do some checks to validate the device is secure and produce a result you can validate. The result is returned as a JSON Web Signature that you can read in the app, but to provide extra assurance you can also send this result to a server you manage to have it validate the result directly with Google.

https://developer.android.com/google/play/safetynet/start.html

I don't think this will run on non-Google versions of Android (e.g. Cyanogen), so something to keep in mind.

Upcast answered 3/5, 2015 at 19:0 Comment(2)
@Bastet somewhat true, this service validates that the OS is trusted by Google (compatibility is one piece of that); it will check if it has been rooted or tampered with. If deploying via Google Play then this should be a solid way to detect a trusted OS. This validates the chain of trust more so than rooting, but could suffice depending on the use case. If targeting non-Google Android devices then you'll need another mechanism.Upcast
I always recommend the use of SafetyNet, but in conjunction with other implemented checks, as SafetyNet by itself can be bypassed using Magisk root. However, combined with other checks, e.g. checking that the Magisk package exists, but that could be renamed, so obfuscate the hardcoded com.topjohnwu.magisk strings. Defense in depth.Nonchalance

© 2022 - 2024 — McMap. All rights reserved.