Application checks rooted device

Application checks rooted device

Risk: secure

Description

Presence of strings and methods indicating check for Rooted or Jail-broken devices.

The absence of the Jail-broken or Root detection is not a vulnerability, but its presence remediates the impact of certain vulnerability classes or threats.

Recommendation

Root detection on Android can be done using the RootBeer library, can use to a certain extent the SafetyNet API to ensure the device profile is known and approved or can perform manual checks like:

• File presence of common Rooted files like /sbin/su or /system/app/Superuser.apk
• Check su is in the PATH
• Check for supersu in the running processes
• Check installed application against a list of known root apps like eu.chainfire.supersu
• Check for writable partitions and system directories

iOS can apply the same concept to check for Jailbreak presence:

• File presence of common Jailbreak files like /Applications/Cydia.app
• File permissions writing to locations outside the application sandbox
• Protocol handlers added by Cydia

Links

• Root detection & evasion
• OWASP Mobile Security Testing Guide - Reverse Engineering

Standards

• OWASP_RESILIENCE:
  • MSTG_RESILIENCE_1