Different Types of Root Detection Techniques In Android.

Sarang Khilare
3 min readJan 3, 2020

--

In this article we will discuss the various known techniques use to detect a device is rooted or not. Most of the techniques requires root permissions to install and executes the different tools. Nowadays most of the banking and financial related application do not run on rooted devices for security purpose.
So today we will see what are those different techniques used by the developers to detect device is rooted or not.

So lets start with the most common techniques i have always face.

  1. Check by executing commands:

When we root any android devices, some new files are placed into the device. So what developers do they check the these files and packages installed on the device. Some times developers executes some commands which are permissible only to the root privilege user and also check for the default directories with super permissions.

Ex: Superuser.apk is the most known application package many apps check in root detection. So lets check using getting shell of the device.

This technique can be bypass using Xposed Framework with RootCloak module.

This RootCloak app allows us to run apps that detect root without disabling root. You select from a list of your installed apps (or add a custom entry), and using a variety of methods, it will completely hide root from that app. This includes hiding the su binary, superuser/supersu apks, processes run by root, and more.

RootCloak Application in Xposed Framework

2. Check for Package names:

Many developers search for specific package names related to the rooting of android devices. Many applications search for chainfire supersu application is running on device or not.

Supersu application running on device.

3. Check for know apps only running on rooted device.

There are many apps in over the internet which are specifically build for the rooted devices. So developers can search for sych apps like busybox, RootBeer, Xposed Framework, RootCloak, Trustmealready, Substrates, Many different kinds of Root File Explorers, SuperSU etc.

Busybox

4. Sometimes developers executes su and id commands to check the UID if its root or not.

UID is Root

5. Checking the BUILD tags for test-keys:

This techniques know to check if the device is flashed with any custom ROM or its defaults. Google distributes release-keys tags for every stock ROM’s.

If we check in shell and if its other that release-keys then it will be considered as Custom ROM.

Build Tags

In the above screenshot we can see build tag is release-key as i have not flashed my device with any custom ROM.

So thats it, this is what we usually faced while performing android pentesting with rooted device. There are many more techniques out on the internet. So we will definately release part II for it.

I suggest to the developers use any very unique technique other than mentioned above to detect the root check. Because these are very well known techniques now and can be bypass easily.

Thanks for reading…..many more articles to come….keep supporting…and Happy Pentesting..

--

--