Android detect if rooted

Detecting Root on Android

Mar 13, 2016 · 5 min read

We’ve recently open sourced a new Android library called rootbeer to detect if your app is running on a rooted device. But what is root? and why is potentially dangerous? Read on for more details.

What is root/rooted?

When we talk about rooting a Android device, it’s really just talking about circumventing a system security to allow us to elevate our permissions to be the root user. Think of it as accessing the devi

ce’s administrative permissio n s. The root user can do ‘anything’ on the device so many of the built-in security services can be circumvented. If you’re sensible and have a grasp of the dangers, rooting doesn’t have to be a big security risk. It reminds me of one of our favourite quotes:

“With great power comes great responsibility” — Uncle Ben Parker

Why root your device?

Users tend to root their device for a number of reasons — but a great level of control and customisation is typically the main driver. For example removing preinstalled bloatware, enabling full system backup with apps such as TitaniumBackup, blocking advertisements/banners in all apps, tweaking system UI beyond that supported in Android or in order to flash a custom rom such as Cyanogenmod.

Why is a rooted device potentially dangerous to users/apps?

In a nutshell when an Android device is rooted the system security and safeguards cannot be guaranteed. One of cornerstones of Android security is that each app is assigned a unique user id (or uid) on installation. This is how the system controls and enforces read/write access to each app’s private data folder (or sandbox). With a rooted device a user or malicious program can elevate their permissions to root and circumvent this protection giving them access to other app’s private data. For example, you might grant an application root access for a legitimate reason, such as listing the wifi passwords stored on your device. However you cannot be certain this app isn’t also accessing all of your device filesystem (including any private info) and sending it to their servers.

At Intohand we believe that verifying the integrity of the device is an important part of app hardening and checking if the device is rooted is one of those verifications. But how do we check if the device is rooted?

Enter the tasty root checking library — RootBeer!

Detecting root is a question often raised when I’ve spoken at conferences about Android Security. The Rootbeer library was born out of a conversation between Mat Rollings and myself about how the rootcloak apps work and whether we could write a root checker to beat some of the popular cloakers. We wanted to create a simple to use Android library that other developers could easily integrate and use to check the device for indications of root. Head over to the project’s github page to see the code. As you’ll see from the readme it’s very simple to use.

We’ve also allowed direct access to each of the checks that make up the final `isRooted` decision to allow developers to customise the level of verification performed.

How Rootbeer works

Rootbeer is a culmination of our own checks and those found on stackoverflow and other? forums brought together into a single easy to use library. More info on contributions can be found in the Rootbeer ReadMe. We recommend thinking of these checks as more of an indication of root rather than foolproof evidence the device is rooted (more on this in the closing thoughts).

Java based checks

• CheckRootManagementApps*, CheckPotentiallyDangerousApps* and CheckRootCloakingApps* — Using the PackageManager we look for installed apps that are typically used for managing superuser/root access, known patching apps and/or apps that specifically try to hide root status. Typically Rootcloaking apps will block some of the other tests, however we can still check if the Rootcloaking is installed.
• CheckTestKeys — Typically the platform system image is signed with production keys, if it’s not this could be a sign of being compromised. This check looks at the Build properties (specifically android.os.Build. TAGS) for test keys.
• checkForDangerousProps — This method looks up several system properties that can only been changed when the device is rooted. If the values don’t match an unrooted device it’ll flag as rooted.
• checkForBusyBoxBinary, checkForSuBinary* — su (super user) and Busybox binaries are often present on rooted devices to perform some of the privilege escalation and utility functions. Using file search look we search of presences of these in various which if found in the Android file system could indicate the device is rooted.
• checkSuExists* — slightly different file system check for the su binary.
• checkForRWPaths — The final java check is to interrogate the file system on the device and look for system folders that should be read only but have read/write permissions.

*The static paths and the package names that rootbeer looks for are defined in a single file. This can be easily edited if you were to fork the github project and there is a future enhancement to allow users of the rootbeer library to add their own packages/paths to root checks. This file would be an ideal candidate to use DexGuard’s String/Class encryption in an attempt to hide these definitions from would-be attackers.

Ndk checks

Native checks tend to be harder for an attacker to intercept and hide against therefore we added a single native/NDK check for the su binary.

Call for more root checks

Do you have any other ways to check for root? we’d be very keen on adding them to the library and giving full credit. Please send us a pull request.

Several commercial Obfuscation/protection tools include root checks such as Arxan’s GuardIT and Guard Square’s DexGuard.

Closing thoughts and Disclaimers

Given system security is more at risk on rooted devices it’s certainly worth verifying this in your apps. However we want to be clear that the Rootbeer library is by no means perfect: it only gives a likely indication of root. What you do with that information is up to you. As mentioned above no root detection code can ever been 100% effective as when the user is root they are basically god on the device.

It’s also worth noting that rooting your device can void warranty and in some cases brick your device.

That’s it, enjoy Rootbeer and we’re interested in your feedback and improvements via github.

Thanks to Mat Rollings for co-authoring this article and rootbeer and Elliot Long for proofing the article.

Источник

How to Check if Your Android Phone is Rooted

A lot of people want to root Android smartphones so that they can install various third-party apps or overcome certain system limitations, usually put in place by hardware manufacturers and carriers.

While some phones may come rooted, the majority of them do not. There are a few simple and free ways to check if you have a rooted phone. In this article you’ll find three methods, two of them foolproof, and one that may be situational, depending on the model of your phone.

What is Rooting?

Not to be confused with jailbreaking (on iOS devices), is a method of unlocking an Android device in order to grant the user privileged control, or root access. It’s a lot like having administrator privileges on a Windows or Linux-based OS.

Check through Settings

Note that this method may not work on all Android phones.

1. Go to ‘Settings.’
   
2. Locate and tap ‘About Phone.’
   
3. Go to ‘Status.’
   
4. Check the ‘Device Status.’
   

Most new smartphones should have an Official device status. Official means that the software has not been tampered with and the device is not rooted.

Seeing a Custom tag under device status usually means that your phone is rooted.

The device status tab may be different from one model to another. Therefore, if you do see an Official tag it’s usually best to check the manufacturer’s website and see if the phone comes rooted or not.

Use the Root Checker App

The Root Checker app is a third-party app that you can download for free off Google Play, or pay for a fancier Pro version. Whichever version you choose, you should be able to determine the root access status on your phone.

1. Go to Play Store.
2. Tap on the search bar.
3. Type “root checker.”
   
4. Tap on the simple result (free) or the root checker pro if you want to pay for the app.
5. Tap install and then accept to download and install the app.
6. Go to Settings.
7. Select Apps.
8. Locate and open Root Checker.
9. Tap on the “Get Started” button.
10. Tap on “Verify Root” once the app has determined the model of your phone.

It should only take a few moments for the app to determine the root access status of your phone. Once it knows, a message will be displayed, clearly stating if you have or don’t have root access.

Use the Terminal Emulator

The Terminal Emulator app has been designed to give users a complete Linux terminal emulator on Android devices.

It’s a good way to practice using commands, or to make full use of various commands enabled on rooted phones.

1. Go to Play Store.
2. Tap the search bar and type “Terminal Emulator”
3. Tap Install and Agree.
4. Go to Settings and find the Terminal Emulator app.
5. Tap the icon to open the app.
6. In the terminal window type “su” and then tap either Search or Enter.

The “su” is the super-user command line. If your phone is rooted, you should be able to see the $ turn into an # in the command line. If not, or if you receive an error with “command not found”, it means that your phone is not rooted.

Note that neither the Terminal Emulator nor the Root Checker apps can root an Android device. There are other third-party apps that let you do that.

Advantages of a Rooted Android Phone

There are some dangers involved with rooting an Android phone. Mostly because when users start to poke and prod through various functions of the phone, it’s possible to cause a complete system malfunction or in other words, you could brick your phone if you don’t know what you’re doing.

This usually happens when users try to squeeze too much performance out of their phones, pushing the components past their limitations, or when installing new firmware that may not be fully supported.

That said, there are some considerable benefits too when it comes to having a rooted phone. If you don’t mess with the essential system processes, there’s a lot you can do to customize and improve the performance of the phone from other areas.

More Control

Imagine a rooted Android phone as a desktop PC. You can pretty much configure a desktop however you want, as long as all the components are compatible. Rooting can even give you access to overclocking or underclocking the phone’s CPU and GPU components. You can beef up the performance or tone it down so that your phone will age slower.

More advantages include full application control. This means being able to backup, restore, remove, and add everything you want, including editing applications in batches.

You can also remove certain unwanted and unnecessary system processes that come pre-installed. These are commonly referred to as bloatware. These types of processes are similar to Windows system processes and pre-installed apps that eat up a large chunk of resources without offering anything of value to the user.

More Customization Options

One of the coolest things about having a rooted phone is the level of customization you can get regarding everything from themes to animations and everything else in between, including icons.

Most smartphones come with limited personalization options. For example, you can’t change your loading screen animations on unrooted phones.

Frequently Asked Questions

Can I unroot an Android device?

Absolutely! If you need to perform a system update you’ll need to unroot your device first. Fortunately, it isn’t too difficult. If you want to unroot your device, check out this article.

Can I see if my phone is rooted without an app?

Yes. You can go through the settings as shown above, or you can search the app drawer for a rooting app. These apps are necessary to root the phone in the first place.

Open the app drawer on the Android device and use the search bar to look for ‘SuperSu’ ‘Dr. Fone’ or another rooting app.

Don’t Go too Crazy over Root Access

While it is cool to have a rooted smartphone on which you can theoretically do whatever you want, compared to regular users, it’s best to exercise caution or at least inform yourself of what you should and shouldn’t change.

If you have some tips on how to improve performance by taking advantage of root access, please leave a comment in the comments section below, and don’t forget to specify which model Android smartphone those tips are for.

Источник

Android Root Detection Techniques

Introduction

I have taken a look at a lot of Mobile Device Management (MDM) solutions lately to figure out how they are detecting rooted Android devices. Through some research I have discovered that many of these MDM solutions use similar methods to detect rooted devices. This usually involves looking for specific packages and files, directory permissions, and running certain commands. I won’t be disclosing which MDMs use which methods, but I will provide a list of packages, files, folders, and commands that I have found to be used in root detection. All the commands I will be running are on a stock rooted Nexus 4 running Android 4.2.2.

Default Files & Configurations

The first root detection checks are for default files and configurations that should be present on a non-rooted device. These may also be present in rooted devices with non-custom roms.

1. Checking the BUILD tag for test-keys. By default, stock Android ROMs from Google are built with release-keys tags. If test-keys are present, this can mean that the Android build on the device is either a developer build or an unofficial Google build. My Nexus 4 is running stock Android from Google’s (Android Open Source Project) AOSP. This is why my build tags show release-keys.
2. Checking for Over The Air (OTA) certs. By default, Android is updated OTA using public certs from Google. If the certs are not there, this usually means that there is a custom ROM installed which is updated through other means. My Nexus 4 has no custom ROM and is updated through Google. Updating my device however, will probably break root.

Installed Files & Packages

There are many files and packages that MDMs look for when detecting if a device is rooted. I have compiled a list of ones that I know for sure are being detected.

1. Superuser.apk. This package is most often looked for on rooted devices. Superuser allows the user to authorize applications to run as root on the device.
2. Other packages. The following list of packages are often looked for as well. The last two facilitate in temporarily hiding the su binary and disabling installed applications.
3. The following command lists packages that are currently installed on your device.
4. Any chainfire package. One MDM looks for any package that is developed by chainfire. The most notable one being SuperSU.
5. Cyanogenmod.superuser. If the Cyanogenmod ROM is installed, the cyanogenmod.superuser activity may be in the com.android.settings package. This can be detected by listing the activities within com.android.settings.
6. Su Binaries. The following list of Su binaries are often looked for on rooted devices.

Directory Permissions

Sometimes when a device has root, the permissions are changed on common directories. I have never seen this personally, but it is being checked for.

1. Are the following directories writable.
2. Can we read files in /data. The /data directory contains all the installed application files. By default, /data is not readable.

Commands

A few MDMs execute common commands to detect if a device is rooted.

1. Su. Execute su and then id to check if the current user has a uid of 0 or if it contains (root).
2. Busybox. If a device has been rooted, more often then not Busybox has been installed as well. Busybox is a binary that provides many common linux commands. Running Busybox is a good indication that a device has been rooted.

Источник