Root Detection

In the context of anti-reversing, the goal of root detection is to make running the app on a rooted device a bit more difficult, which in turn blocks some of the tools and techniques reverse engineers like to use. Like most other defenses, root detection is not very effective by itself, but implementing multiple root checks that are scattered throughout the app can improve the effectiveness of the overall anti-tampering scheme.

For Android, the MSTG defines "root detection" a bit more broadly, including custom ROM detection, i.e., determining whether the device is running a stock Android build or a custom build.

Common Root Detection Methods

SafetyNet is an Android API that provides a set of services and creates profiles of devices according to software and hardware information. This profile is then compared to a list of accepted device models that have passed Android compatibility testing. Google recommends using the feature as "an additional in-depth defense signal as part of an anti-abuse system".

These are the current checks/tricks we are using to give an indication of root.

1. checkRootManagementApps
2. checkPotentiallyDangerousApps
3. checkRootCloakingApps
4. checkTestKeys
5. checkForDangerousProps
6. checkForBusyBoxBinary
7. checkForSuBinary
8. checkSuExists
9. checkForRWSystem
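As an added example (not code from the page, the MSTG, or the library whose check names are listed above), here is a plain Java/Android implementation of five of the listed checks: test-keys, dangerous system properties, the su binary at known paths, `which su`, and a read-write `/system` mount. The su path list and the property names/values are assumptions about typical rooted builds, not an exhaustive catalogue, and the class name `RootSignals` is hypothetical. Each check returns a boolean signal so the app can scatter and combine them rather than trust any single one.

```java
import android.os.Build;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.List;

/** Added example: a few of the listed root checks, each returning one signal. */
public final class RootSignals {

    // Constructed list (assumption): locations where an su binary is commonly installed.
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/sd/xbin/su",
        "/system/bin/failsafe/su", "/data/local/xbin/su", "/data/local/bin/su",
        "/data/local/su", "/su/bin/su"
    };

    // 4. checkTestKeys: stock builds are signed with release-keys; test-keys
    // indicates a custom or developer build.
    public static boolean checkTestKeys() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    // 5. checkForDangerousProps: ro.debuggable=1 and ro.secure=0 are not stock values.
    public static boolean checkForDangerousProps() {
        return "1".equals(getprop("ro.debuggable")) || "0".equals(getprop("ro.secure"));
    }

    // 7. checkForSuBinary: does an su file exist at any known location?
    public static boolean checkForSuBinary() {
        for (String path : SU_PATHS) {
            if (new File(path).exists()) return true;
        }
        return false;
    }

    // 8. checkSuExists: `which su` prints a path (non-empty output) when su is on PATH.
    public static boolean checkSuExists() {
        Process proc = null;
        try {
            proc = Runtime.getRuntime().exec(new String[]{"which", "su"});
            BufferedReader in = new BufferedReader(new InputStreamReader(proc.getInputStream()));
            return in.readLine() != null;
        } catch (IOException e) {
            return false; // `which` missing or not executable: treat as no signal
        } finally {
            if (proc != null) proc.destroy();
        }
    }

    // 9. checkForRWSystem: /system mounted read-write is a strong rooting indicator.
    // (System-as-root devices would additionally need the "/" mount point checked.)
    public static boolean checkForRWSystem() {
        try (BufferedReader in = new BufferedReader(new FileReader("/proc/mounts"))) {
            String line;
            while ((line = in.readLine()) != null) {
                // /proc/mounts fields: device mountpoint fstype options dump pass
                String[] f = line.split(" ");
                if (f.length >= 4 && f[1].equals("/system")) {
                    for (String opt : f[3].split(",")) {
                        if (opt.equals("rw")) return true;
                    }
                }
            }
        } catch (IOException e) {
            // /proc/mounts unreadable: no signal
        }
        return false;
    }

    // Aggregate the fired checks by name so the caller can apply its own policy
    // (e.g. degrade functionality only when several independent signals agree).
    public static List<String> firedChecks() {
        List<String> fired = new ArrayList<>();
        if (checkTestKeys()) fired.add("checkTestKeys");
        if (checkForDangerousProps()) fired.add("checkForDangerousProps");
        if (checkForSuBinary()) fired.add("checkForSuBinary");
        if (checkSuExists()) fired.add("checkSuExists");
        if (checkForRWSystem()) fired.add("checkForRWSystem");
        return fired;
    }

    // Read a single system property via the getprop binary.
    private static String getprop(String name) {
        try {
            Process proc = Runtime.getRuntime().exec(new String[]{"getprop", name});
            BufferedReader in = new BufferedReader(new InputStreamReader(proc.getInputStream()));
            String value = in.readLine();
            proc.destroy();
            return value == null ? "" : value.trim();
        } catch (IOException e) {
            return "";
        }
    }
}
```

Usage is `RootSignals.firedChecks()` at several points in the app rather than once at startup, since a single call site is trivial to patch out; each signal here can be spoofed individually (a root-cloaking app hides the su paths, a custom ROM may keep release-keys), which is exactly why the text recommends multiple scattered checks and, where available, a server-attested signal such as SafetyNet on top of them.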