Detecting Root on Android

We’ve recently open sourced a new Android library called rootbeer to detect if your app is running on a rooted device. But what is root? And why is it potentially dangerous? Read on for more details.

What is root/rooted?

When we talk about rooting an Android device, it’s really just talking about circumventing system security to allow us to elevate our permissions to be the root user. Think of it as accessing the device’s administrative permissions. The root user can do ‘anything’ on the device, so many of the built-in security services can be circumvented. If you’re sensible and have a grasp of the dangers, rooting doesn’t have to be a big security risk. It reminds me of one of our favourite quotes:

“With great power comes great responsibility” — Uncle Ben Parker

Why root your device?

Users tend to root their device for a number of reasons — but a greater level of control and customisation is typically the main driver. For example: removing preinstalled bloatware, enabling full system backup with apps such as TitaniumBackup, blocking advertisements/banners in all apps, tweaking the system UI beyond what Android supports, or flashing a custom ROM such as Cyanogenmod.

Why is a rooted device potentially dangerous to users/apps?

In a nutshell, when an Android device is rooted the system security and safeguards cannot be guaranteed. One of the cornerstones of Android security is that each app is assigned a unique user id (or uid) on installation. This is how the system controls and enforces read/write access to each app’s private data folder (or sandbox). On a rooted device a user or malicious program can elevate their permissions to root and circumvent this protection, giving them access to other apps’ private data. For example, you might grant an application root access for a legitimate reason, such as listing the wifi passwords stored on your device. However, you cannot be certain this app isn’t also reading your entire device filesystem (including any private info) and sending it to its servers.

At Intohand we believe that verifying the integrity of the device is an important part of app hardening and checking if the device is rooted is one of those verifications. But how do we check if the device is rooted?

Enter the tasty root checking library — RootBeer!

Detecting root is a question often raised when I’ve spoken at conferences about Android Security. The Rootbeer library was born out of a conversation between Mat Rollings and myself about how the rootcloak apps work and whether we could write a root checker to beat some of the popular cloakers. We wanted to create a simple to use Android library that other developers could easily integrate and use to check the device for indications of root. Head over to the project’s github page to see the code. As you’ll see from the readme it’s very simple to use.

We’ve also allowed direct access to each of the checks that make up the final `isRooted` decision to allow developers to customise the level of verification performed.

How Rootbeer works

Rootbeer is a culmination of our own checks and those found on Stack Overflow and other forums, brought together into a single easy-to-use library. More info on contributions can be found in the Rootbeer ReadMe. We recommend thinking of these checks as an indication of root rather than foolproof evidence that the device is rooted (more on this in the closing thoughts).

Java based checks

  • CheckRootManagementApps*, CheckPotentiallyDangerousApps* and CheckRootCloakingApps* — Using the PackageManager we look for installed apps that are typically used for managing superuser/root access, known patching apps and/or apps that specifically try to hide root status. Typically root-cloaking apps will block some of the other tests; however, we can still check whether the root-cloaking app itself is installed.
  • CheckTestKeys — Typically the platform system image is signed with production keys; if it’s not, this could be a sign of the device being compromised. This check looks at the Build properties (specifically android.os.Build.TAGS) for test-keys.
  • checkForDangerousProps — This method looks up several system properties that can only be changed when the device is rooted. If the values don’t match those of an unrooted device, it flags the device as rooted.
  • checkForBusyBoxBinary, checkForSuBinary* — su (super user) and BusyBox binaries are often present on rooted devices to perform some of the privilege escalation and utility functions. Using a file search we look for the presence of these binaries in various locations; if found in the Android file system they could indicate the device is rooted.
  • checkSuExists* — a slightly different file system check for the su binary.
  • checkForRWPaths — The final Java check interrogates the file system on the device and looks for system folders that should be read-only but have read/write permissions.

*The static paths and the package names that rootbeer looks for are defined in a single file. This can be easily edited if you fork the github project, and a future enhancement is planned to allow users of the rootbeer library to add their own packages/paths to the root checks. This file would be an ideal candidate for DexGuard’s String/Class encryption in an attempt to hide these definitions from would-be attackers.
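As an added illustration of the Java-side checks listed above (this is not RootBeer’s own code and not code from the original post), the plain-Java class below sketches the test-keys, dangerous-props, binary-search and read/write-path heuristics. Every input is injected as a parameter so it runs on a desktop JVM against constructed data; the candidate directory list, the should-be-read-only mount points and the expected property values are assumptions modelled on the description, not the contents of RootBeer’s actual definitions file. On a device the same functions would be fed android.os.Build.TAGS, getprop values, File.exists() and the lines of /proc/mounts.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

/** Pure-JVM sketch of RootBeer-style heuristics; all inputs are injected. */
public class RootHeuristics {

    // Assumed candidate directories for su/busybox (modelled on the kind of
    // static path table the post describes; not RootBeer's own list).
    static final String[] BINARY_DIRS = {
        "/system/bin/", "/system/xbin/", "/sbin/",
        "/data/local/xbin/", "/data/local/bin/", "/data/local/"
    };

    // Assumed mount points that a stock device keeps read-only.
    static final Set<String> SHOULD_BE_READ_ONLY = new HashSet<>(Arrays.asList(
        "/system", "/system/bin", "/system/xbin", "/vendor/bin", "/sbin", "/etc"));

    // Assumed production-build expectations for the property check.
    static final Map<String, String> EXPECTED_PROPS = new HashMap<>();
    static {
        EXPECTED_PROPS.put("ro.debuggable", "0");
        EXPECTED_PROPS.put("ro.secure", "1");
    }

    /** CheckTestKeys: a stock image is signed with release keys, not test-keys. */
    static boolean hasTestKeys(String buildTags) {
        return buildTags != null && buildTags.contains("test-keys");
    }

    /** checkForDangerousProps: any expected property with a differing value is flagged. */
    static List<String> dangerousProps(Map<String, String> props) {
        List<String> flagged = new ArrayList<>();
        for (Map.Entry<String, String> e : EXPECTED_PROPS.entrySet()) {
            String actual = props.get(e.getKey());
            if (actual != null && !actual.equals(e.getValue())) {
                flagged.add(e.getKey() + "=" + actual);
            }
        }
        return flagged;
    }

    /** checkForSuBinary / checkForBusyBoxBinary: probe each candidate directory. */
    static List<String> findBinary(String name, Predicate<String> exists) {
        List<String> hits = new ArrayList<>();
        for (String dir : BINARY_DIRS) {
            String candidate = dir + name;
            if (exists.test(candidate)) hits.add(candidate);
        }
        return hits;
    }

    /**
     * checkForRWPaths: parse /proc/mounts lines ("device mountpoint fstype
     * options dump pass") and report should-be-read-only mount points whose
     * option list contains "rw". Malformed lines are skipped, not fatal.
     */
    static List<String> rwSystemPaths(List<String> mountLines) {
        List<String> flagged = new ArrayList<>();
        for (String line : mountLines) {
            String[] f = line.trim().split("\\s+");
            if (f.length < 4) continue;
            String mountPoint = f[1];
            if (!SHOULD_BE_READ_ONLY.contains(mountPoint)) continue;
            for (String opt : f[3].split(",")) {
                if (opt.equals("rw")) { flagged.add(mountPoint); break; }
            }
        }
        return flagged;
    }

    public static void main(String[] args) {
        // Constructed inputs resembling a rooted device; not captured from real hardware.
        Map<String, String> props = new HashMap<>();
        props.put("ro.debuggable", "1");
        props.put("ro.secure", "0");
        Set<String> fakeFs = new HashSet<>(Arrays.asList("/system/xbin/su", "/system/xbin/busybox"));
        List<String> mounts = Arrays.asList(
            "/dev/block/dm-0 /system ext4 rw,seclabel,relatime 0 0",
            "/dev/block/dm-1 /vendor ext4 ro,seclabel,relatime 0 0",
            "/dev/block/dm-2 /data ext4 rw,seclabel,nosuid,nodev 0 0");

        int indicators = 0;
        if (hasTestKeys("release-keys")) indicators++;                            // stock tags: no flag
        if (!dangerousProps(props).isEmpty()) indicators++;                        // flagged
        if (!findBinary("su", fakeFs::contains).isEmpty()) indicators++;           // flagged
        if (!findBinary("busybox", fakeFs::contains).isEmpty()) indicators++;      // flagged
        if (!rwSystemPaths(mounts).isEmpty()) indicators++;                        // /system rw: flagged

        System.out.println("dangerous props: " + dangerousProps(props));
        System.out.println("su found at: " + findBinary("su", fakeFs::contains));
        System.out.println("rw system paths: " + rwSystemPaths(mounts));
        System.out.println("root indicators: " + indicators + " of 5 (a signal, not proof)");
    }
}
```

Each check returns its evidence rather than a bare boolean, which is what lets a caller weigh the individual signals (as the post says RootBeer exposes them) instead of acting on a single combined verdict; parsing /proc/mounts rather than shelling out to `mount` avoids depending on a toolbox whose output format has varied across Android releases.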

Ndk checks

Native checks tend to be harder for an attacker to intercept and hide from, so we added a single native/NDK check for the su binary.

Call for more root checks

Do you have any other ways to check for root? We’d be very keen to add them to the library and give full credit. Please send us a pull request.

Several commercial obfuscation/protection tools include root checks, such as Arxan’s GuardIT and GuardSquare’s DexGuard.

Closing thoughts and Disclaimers

Given that system security is more at risk on rooted devices, it’s certainly worth verifying this in your apps. However, we want to be clear that the Rootbeer library is by no means perfect: it only gives a likely indication of root. What you do with that information is up to you. As mentioned above, no root detection code can ever be 100% effective, as when the user is root they are basically god on the device.

It’s also worth noting that rooting your device can void warranty and in some cases brick your device.

That’s it. Enjoy Rootbeer, and we’re interested in your feedback and improvements via github.

Thanks to Mat Rollings for co-authoring this article and rootbeer and Elliot Long for proofing the article.

Originally published at intohand.com.