- Detecting Root on Android
- What is root/rooted?
- Why root your device?
- Why is a rooted device potentially dangerous to users/apps?
- Enter the tasty root checking library — RootBeer!
- How Rootbeer works
- Java based checks
- Ndk checks
- Call for more root checks
- Closing thoughts and Disclaimers
- Android root check java
- Android how to check phone rooted or not ?
- Root checks
- Step 1: Add the RootBeer third-party library to your app's Gradle file.
- 2. Second way: implementation with custom code.
- Simple to use root checking Android library and sample app
- Magisk UDS(Unix Domain Socket) detection added
- ELF built without PIE & Stack Protection
- Nullpointer Exception in checkForRWPaths
- Migrate to Cmake and ensure `-fstack-protector-all` is being applied
- Error Android NDK: Application targets deprecated ABI(s): armeabi
- Xiaomi series evaluated as rooted
- Is selinux flag giving a false positive?
- False positive — Dangerous props
- Fix insecure binary file
Detecting Root on Android
Mar 13, 2016
We’ve recently open sourced a new Android library called rootbeer to detect if your app is running on a rooted device. But what is root, and why is it potentially dangerous? Read on for more details.
What is root/rooted?
When we talk about rooting an Android device, we’re really just talking about circumventing system security to allow us to elevate our permissions to those of the root user. Think of it as accessing the device’s administrative permissions. The root user can do ‘anything’ on the device, so many of the built-in security services can be circumvented. If you’re sensible and have a grasp of the dangers, rooting doesn’t have to be a big security risk. It reminds me of one of our favourite quotes:
“With great power comes great responsibility” — Uncle Ben Parker
Why root your device?
Users tend to root their devices for a number of reasons, but a greater level of control and customisation is typically the main driver. Examples include removing preinstalled bloatware, enabling full system backup with apps such as TitaniumBackup, blocking advertisements/banners in all apps, tweaking the system UI beyond what Android supports, or flashing a custom ROM such as Cyanogenmod.
Why is a rooted device potentially dangerous to users/apps?
In a nutshell, when an Android device is rooted the system security and safeguards cannot be guaranteed. One of the cornerstones of Android security is that each app is assigned a unique user id (or uid) on installation. This is how the system controls and enforces read/write access to each app’s private data folder (or sandbox). With a rooted device a user or malicious program can elevate their permissions to root and circumvent this protection, giving them access to other apps’ private data. For example, you might grant an application root access for a legitimate reason, such as listing the wifi passwords stored on your device. However, you cannot be certain this app isn’t also accessing all of your device filesystem (including any private info) and sending it to their servers.
At Intohand we believe that verifying the integrity of the device is an important part of app hardening and checking if the device is rooted is one of those verifications. But how do we check if the device is rooted?
Enter the tasty root checking library — RootBeer!
Detecting root is a question often raised when I’ve spoken at conferences about Android Security. The Rootbeer library was born out of a conversation between Mat Rollings and myself about how the rootcloak apps work and whether we could write a root checker to beat some of the popular cloakers. We wanted to create a simple to use Android library that other developers could easily integrate and use to check the device for indications of root. Head over to the project’s github page to see the code. As you’ll see from the readme it’s very simple to use.
We’ve also allowed direct access to each of the checks that make up the final `isRooted` decision to allow developers to customise the level of verification performed.
How Rootbeer works
Rootbeer is a culmination of our own checks and those found on stackoverflow and other forums, brought together into a single easy to use library. More info on contributions can be found in the Rootbeer ReadMe. We recommend thinking of these checks as more of an indication of root rather than foolproof evidence the device is rooted (more on this in the closing thoughts).
Java based checks
- CheckRootManagementApps*, CheckPotentiallyDangerousApps* and CheckRootCloakingApps* — Using the PackageManager we look for installed apps that are typically used for managing superuser/root access, known patching apps and/or apps that specifically try to hide root status. Typically root-cloaking apps will block some of the other tests, however we can still check if a root-cloaking app is installed.
- CheckTestKeys — Typically the platform system image is signed with production keys; if it’s not, this could be a sign of being compromised. This check looks at the Build properties (specifically android.os.Build.TAGS) for test keys.
- checkForDangerousProps — This method looks up several system properties that can only be changed when the device is rooted. If the values don’t match those of an unrooted device it’ll flag the device as rooted.
- checkForBusyBoxBinary, checkForSuBinary* — su (super user) and Busybox binaries are often present on rooted devices to perform some of the privilege escalation and utility functions. We search for these binaries in various locations in the Android file system; if found, they could indicate the device is rooted.
- checkSuExists* — slightly different file system check for the su binary.
- checkForRWPaths — The final java check is to interrogate the file system on the device and look for system folders that should be read only but have read/write permissions.
*The static paths and the package names that rootbeer looks for are defined in a single file. This can be easily edited if you were to fork the github project and there is a future enhancement to allow users of the rootbeer library to add their own packages/paths to root checks. This file would be an ideal candidate to use DexGuard’s String/Class encryption in an attempt to hide these definitions from would-be attackers.
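A plain-Java sketch of the logic behind three of the checks above (test keys, dangerous props, read/write paths), added here as an illustration and not taken from the Rootbeer source. The property list, path list and sample inputs are constructed assumptions; on a device the inputs would come from android.os.Build.TAGS and the output of getprop and mount.

```java
import java.util.*;

public class RootIndicators {
    // Assumed property/value pairs for this sketch; the library keeps its own list.
    static final Map<String, String> DANGEROUS_PROPS = Map.of("ro.debuggable", "1", "ro.secure", "0");
    // Assumed locations that a stock image mounts read-only.
    static final Set<String> READ_ONLY_PATHS = Set.of("/system", "/system/bin", "/vendor/bin", "/etc");

    /** checkTestKeys idea: android.os.Build.TAGS contains "test-keys" on non-production images. */
    static boolean hasTestKeys(String buildTags) {
        return buildTags != null && buildTags.contains("test-keys");
    }

    /** checkForDangerousProps idea: match getprop-style lines such as "[ro.secure]: [0]". */
    static boolean hasDangerousProps(String[] propLines) {
        if (propLines == null) return false;
        for (String line : propLines)
            for (Map.Entry<String, String> e : DANGEROUS_PROPS.entrySet())
                if (line.trim().equals("[" + e.getKey() + "]: [" + e.getValue() + "]")) return true;
        return false;
    }

    /** checkForRWPaths idea: report paths from READ_ONLY_PATHS that appear mounted rw. */
    static List<String> writablePaths(String[] mountLines) {
        List<String> hits = new ArrayList<>();
        if (mountLines == null) return hits; // mount output can be unavailable on some devices
        for (String line : mountLines) {
            String[] f = line.trim().split("\\s+");
            // Two layouts: "dev on /path type fs (opts)" and "dev /path fs opts 0 0".
            boolean onTypeLayout = f.length >= 6 && f[1].equals("on");
            if (!onTypeLayout && f.length < 4) continue; // malformed line
            String mountPoint = onTypeLayout ? f[2] : f[1];
            String opts = (onTypeLayout ? f[5] : f[3]).replace("(", "").replace(")", "");
            if (READ_ONLY_PATHS.contains(mountPoint) && Arrays.asList(opts.split(",")).contains("rw"))
                hits.add(mountPoint);
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample data, not captured from a real device.
        String[] props = {"[ro.debuggable]: [0]", "[ro.secure]: [0]"};
        String[] mounts = {
            "/dev/block/dm-0 on /system type ext4 (rw,seclabel,relatime)",
            "/dev/block/dm-1 /vendor/bin ext4 ro,seclabel 0 0",
            "tmpfs on /data type tmpfs (rw,nosuid)"};
        System.out.println("test-keys build: " + hasTestKeys("release-keys"));
        System.out.println("dangerous props: " + hasDangerousProps(props));
        System.out.println("writable paths:  " + writablePaths(mounts));
        System.out.println("no mount output: " + writablePaths(null));
    }
}
```

Each method returns its own signal, so a caller can weigh the indicators separately instead of collapsing them into one verdict.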
Ndk checks
Native checks tend to be harder for an attacker to intercept and hide against, so we added a single native/NDK check for the su binary.
Call for more root checks
Do you have any other ways to check for root? We’d be very keen on adding them to the library and giving full credit. Please send us a pull request.
Several commercial Obfuscation/protection tools include root checks such as Arxan’s GuardIT and Guard Square’s DexGuard.
Closing thoughts and Disclaimers
Given system security is more at risk on rooted devices, it’s certainly worth verifying this in your apps. However, we want to be clear that the Rootbeer library is by no means perfect: it only gives a likely indication of root. What you do with that information is up to you. As mentioned above, no root detection code can ever be 100% effective, as when the user is root they are basically god on the device.
It’s also worth noting that rooting your device can void warranty and in some cases brick your device.
That’s it, enjoy Rootbeer and we’re interested in your feedback and improvements via github.
Thanks to Mat Rollings for co-authoring this article and rootbeer and Elliot Long for proofing the article.
Android root check java
RootBeer
A tasty root checker library and sample app. We’ve scoured the internets for different methods of answering that age old question. Has this device got root?
These are the current checks/tricks we are using to give an indication of root.
Java checks
- checkRootManagementApps
- checkPotentiallyDangerousApps
- checkRootCloakingApps
- checkTestKeys
- checkForDangerousProps
- checkForBusyBoxBinary
- checkForSuBinary
- checkSuExists
- checkForRWSystem
Native checks
We call through to our native root checker to run some of its own checks. Native checks are typically harder to cloak, so some root cloak apps just block the loading of native libraries that contain certain keywords.
Disclaimer and limitations!
We love root! Both Scott and Mat (the creators) own and use rooted devices (albeit not as daily drivers). However, we appreciate it can be useful to have an indication your app is running on a rooted device. Plus, as a hackday-style project, we wanted to see if we could beat the root cloakers at the time in 2015.
Remember root==god, so there’s no 100% guaranteed way to check for root! Treat this as an indication of root.
In 2015 we successfully tested Rootbeer and it flagged an indication of root when testing with the following root cloak apps. However Rootbeer was defeated when using a combination of the root cloakers activated at the same time.
You can also call each of the checks individually as the sample app does. It is advisable to call isRooted() from a background thread as it involves disk I/O.
Manufacturers often leave the busybox binary in production builds, and this doesn’t always mean that a device is rooted. We have removed the busybox check we used to include as standard in the isRooted() method to avoid these false positives.
If you want to detect the busybox binary in your app you can use checkForBinary(BINARY_BUSYBOX) to detect it alone, or as part of the complete root detection method:
The following devices are known to have the busybox binary present on the stock ROM:
- All OnePlus Devices
- Moto E
- OPPO R9m (ColorOS 3.0, Android 5.1, Android security patch January 5, 2018)
Available on maven central, to include using Gradle just add the following:
The native library in this application will now be built via Gradle and the latest Android Studio without having to resort to the command line. However the .so files are also distributed in this repository for those who cannot compile using the NDK for some reason.
The sample app is published on Google Play to allow you to quickly and easily test the library. Enjoy! And please do send us feedback if your tests produce different results.
There must be more root checks to make this more complete. If you have one please do send us a pull request.
- Kevin Kowalewski and others from this popular StackOverflow post
- Eric Gruber’s — Android Root Detection Techniques article
If you dig this, you might like:
- Tim Strazzere’s Anti emulator checks project
- Scott Alexander-Bown’s SafetyNet Helper library — coupled with server side validation this is one of the best root detection approaches. See the Google SafetyNet helper docs.
Android how to check phone rooted or not ?
Hi, developers. In this Android example we talk about checking whether a phone is rooted. For security it is very important today to check whether your application is running on a rooted phone. Because Android is Linux-based, an attacker can collect user data once the phone is rooted and the Android application runs.
So we build an Android solution that checks programmatically whether the mobile phone is rooted. If the phone is not rooted the app runs; otherwise the app does not run.
We are sharing two ways to check programmatically whether the phone is rooted in Android, that is, how to determine if the app is running on a rooted device.
- Use a third-party library.
- Write custom code for root detection.
So, let's start on the topic.
1. First way: using the third-party library RootBeer.
Follow these two simple steps to implement it.
Root checks
These are the current checks/tricks we are using to give an indication of the root.
Java checks
- checkRootManagementApps
- checkPotentiallyDangerousApps
- checkRootCloakingApps
- checkTestKeys
- checkForDangerousProps
- checkForBusyBoxBinary
- checkForSuBinary
- checkSuExists
- checkForRWSystem
Step 1: Add the RootBeer third-party library to your app's Gradle file.
Step 2: Add this method to perform the check.
2. Second way: implementation with custom code.
In the second way you write the check yourself to determine whether the phone is rooted: just follow these simple steps and write your own code.
Add this method to your Activity class.
Then, in onCreate, check whether the phone is rooted with an if/else like this.
Simple to use root checking Android library and sample app
RootBeer
Disclaimer and limitations!
We love root! Both Scott and Mat (the main contributors) use rooted devices. But we appreciate sometimes you might want to have an indication your app is running on a rooted handset. Plus we wanted to see if we could beat the root cloakers. So that’s what this library gives you, an indication of root.
Remember root==god, so there’s no 100% way to check for root.
We’ve tested the Rootbeer lib and it shows an indication of root when testing with the following root cloak apps. However Rootbeer is defeated when using a combination of the root cloakers activated at the same time.
You can also call each of the checks individually as the sample app does.
Apache License, Version 2.0
Magisk UDS(Unix Domain Socket) detection added
Detects roots by searching for any 32-digit Unix Domain Socket name used by the Magisk daemon. I would appreciate your review. Thank you.
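One way such a check can work, as an added example that is not the code from this pull request: scan text in the /proc/net/unix layout for abstract socket names of exactly 32 characters. Reading "32-digit" as 32 alphanumeric characters is an assumption, and the sample lines are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class UdsNameCheck {
    // Assumption: a "32-digit" name means exactly 32 alphanumeric characters.
    private static final Pattern NAME_32 = Pattern.compile("[A-Za-z0-9]{32}");

    /** Returns abstract socket names (shown with a leading '@') that match the 32-character pattern. */
    static List<String> suspiciousSockets(List<String> procNetUnixLines) {
        List<String> hits = new ArrayList<>();
        if (procNetUnixLines == null) return hits; // file unreadable: no signal either way
        for (String line : procNetUnixLines) {
            String[] f = line.trim().split("\\s+");
            // The 8th column is the socket path; skip the header, unnamed and path-based sockets.
            if (f.length < 8 || !f[7].startsWith("@")) continue;
            String name = f[7].substring(1);
            if (NAME_32.matcher(name).matches()) hits.add(name);
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed lines in the layout: Num RefCount Protocol Flags Type St Inode Path
        List<String> sample = List.of(
            "Num       RefCount Protocol Flags    Type St Inode Path",
            "0000000000000000: 00000002 00000000 00010000 0001 01 20101 /dev/socket/logd",
            "0000000000000000: 00000002 00000000 00010000 0001 01 20455 @jdwp-control",
            "0000000000000000: 00000003 00000000 00000000 0001 03 31877",
            "0000000000000000: 00000002 00000000 00010000 0001 01 40212 @a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6");
        System.out.println("matching sockets: " + suspiciousSockets(sample));
    }
}
```

A matching name is only an indicator, and the file may not be readable by an app at all (newer Android releases restrict /proc/net), so an unreadable file should count as no signal rather than a clean result.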
ELF built without PIE & Stack Protection
We have a client whose Infosec team have run a vulnerability scanning tool on our app and found that libtool-checker.so from RootBeer is compiled without -pie and -fstack-protector flags.
Is there a reason not to use these flags? If not, could you please add them?
Nullpointer Exception in checkForRWPaths
String[] lines = mountReader(); is returning null in some devices.
Need to add a null check before for loop.
Migrate to Cmake and ensure `-fstack-protector-all` is being applied
- Migrate to Cmake and use the correct -fstack-protector-all flag, Thanks @stealthcopter for investigating the correct flag and verifying with checksec
- Remove the compiled binaries and gradle config that used to allow optional NDK — this is now required if anyone is building the library as I felt these potentially risk old binaries being used and not fresh ones
Error Android NDK: Application targets deprecated ABI(s): armeabi
Hi, I am getting the following error after integration of the Rootbeer lib in my app:
Error:(XX) Android NDK: Application targets deprecated ABI(s): armeabi
Error:(XX) Android NDK: Support for these ABIs will be removed in a future NDK release.
The app is compiling and running as it is, though. What could be the possible solution for this error?
Xiaomi series evaluated as rooted
I ran the ‘RootBeer Sample’ app downloaded from Google Play on some Xiaomi devices, and I found a problem: the devices are evaluated as rooted.
I’m not sure whether the devices are actually rooted or not. But as far as I know the devices are not rooted, because I got the devices from some kind of public institution.
Is that an issue with Xiaomi devices? Or are they actually rooted? How can I deal with it?
Is selinux flag giving a false positive?
Hi. I have a Samsung note 20 ultra. I am not sure why rootbeer sample app indicates that my phone is rooted. My phone is not rooted.
I have used other apps like root checker, advanced root checker and root beer fresh and all indicate my phone is not rooted.
May I know if there are ways to check if there is a bug or there is something that is causing the false positive? Some screenshots below for your reference.
Thank you very much.
False positive — Dangerous props
I have a Fairphone 3+ with a custom ROM (LineageOS microG), but I don’t have, and have never had, root. Your test app triggers on ‘dangerous props’, but I’m not really sure what that check does, so even though it looks like a false positive, it might be due to my custom ROM!
Let me know if I can test anything for you guys
Fix insecure binary file
Fixed the Position Independent Executable (PIE). The shared object is built without the Position Independent Code flag. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, Address space layout randomization (ASLR) randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries. Use compiler option -fPIC to enable Position Independent Code.