App Protector SDK is a mobile security component built into the application's code enabling runtime protection as well as a variety of mobile application hardening techniques, including jailbreak detection.
Root detection refers to the process of identifying whether a mobile device has been rooted or jailbroken. Rooting (on Android devices) or jailbreaking (on iOS devices) is the practice of removing restrictions imposed by the device manufacturer or operating system to gain privileged control over the device's software. This lets users access system files, customize the device beyond what is normally allowed, and install apps that are not available through official app stores.
Rooting or jailbreaking can pose security risks, as it opens up the device to potential malware, unauthorized access, and other vulnerabilities.
Here are some ways attackers might use a rooted or jailbroken device:
Some apps and services, especially in the financial and security sectors, may implement root detection mechanisms to identify whether a device is rooted. If a rooted device is detected, certain apps or services may refuse to run or restrict functionality to mitigate potential security concerns.
Root detection is used as a security measure to protect against malicious activities that may occur on rooted or jailbroken devices. Developers often implement root detection in applications to ensure a secure environment for their services.
The following paragraphs give a developer's perspective on root detection tools. Luka Babić, a Solution Architect at ASEE, reveals tools that bypass root detection solutions, explains how hackers leverage those tools and discusses mobile application security solutions that help prevent rooting-based attacks.
Up until recently, Magisk offered MagiskHide functionality which hid the Magisk tool installed on mobile devices from the apps running on the device. From Magisk v24, this functionality was removed, but it was supplemented with various Magisk modules which offered hiding device rooting. Those were Zygisk, Shamiko, and Riru.
This is an interesting question and the answer would be – there are various techniques being used. The most popular one is to inject malicious code when starting the process related to a particular app on the mobile device and bypass system functions which would, in normal circumstances, enable the mobile application to detect the root being present on a mobile device.
Well, being able to detect rooted devices is a never-ending game between hackers and security experts who develop tools for root detection. When possible, one of the options would be to constantly keep up to date on how tools used to root devices work and to catch any breadcrumbs in system behavior which enable us to detect the presence of root on mobile devices. However, sometimes this is not possible because the source code for a particular component that hides the system root is not publicly available. This is the part where it gets quite tricky since the only thing we as security experts are left with is to try to reverse engineer or detect anomalies in system behavior when a particular tool is in action.
Maybe the right question would be "Is the possibility of getting there before the hackers even realistic?". Not sure, because it's up to the hacker's creativity to think of new ways to develop tools that will enable root hiding. The best thing to do is to continuously test and monitor new mechanisms for root hiding, which tend to appear from various channels where hackers usually publish their work related to this topic.
Constant monitoring and pen test reports are needed for a deep understanding of how a security solution works. We monitor on a quarterly basis new vulnerabilities and new tool versions for bypassing root detection. When we find one, we check for a solution on how to detect it and send information to users and clients. Hackers are improving constantly; sometimes new versions are published every week, and sometimes months can pass until the new version.
Vendors of mobile applications always have the option to develop a mechanism for root detection on their own. As good as it sounds at first, it might be a jump into the rabbit hole since this is a never-ending endeavor to cover all corner cases that can occur in real life. As already mentioned, there are various ways to detect root and it all needs to be checked on various types of devices, which can take up a lot of time and resources and can be costly in the long run.
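The interview above describes two things in prose: root-hiding frameworks that hook the system functions an app calls to look for root (so that `access()` or `stat()` on a su binary simply lies), and the "breadcrumbs" a detector can still catch. The block below is an added example, written for this page and not code from App Protector SDK or from ASEE, of the kind of native (NDK) check an Android app might ship. It combines three signals: well-known su binary paths, mount-table markers left by overlay-style root managers, and a libc-versus-raw-syscall cross-check, since a hook installed in the process's libc does not see a direct `faccessat` syscall. The path and marker lists are illustrative assumptions, not a complete catalogue; the mount-table sample in the usage note is constructed. Built on a Linux host rather than a device, the live checks are expected to report no indicators.

```c
// Added example (not ASEE's App Protector code): minimal multi-signal
// root-indicator check in the style of native Android hardening code.
// Assumptions: indicator lists are illustrative; compiled and run on a
// Linux host here, where the live checks should find nothing.
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Common su binary locations on rooted devices (illustrative, not exhaustive). */
static const char *const SU_PATHS[] = {
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
    "/data/local/tmp/su", "/data/local/xbin/su", "/system/sd/xbin/su", NULL
};

/* Substrings in /proc/self/mounts lines that betray an overlay-style root
   manager. Illustrative markers assumed for this example. */
static const char *const MOUNT_MARKERS[] = {
    "magisk", "/sbin/.core", "/sbin/.magisk", NULL
};

/* Existence check that bypasses libc entirely: a hook planted on access()
   or stat() by a root-hiding module is not consulted for a raw syscall.
   faccessat is used because aarch64 has no plain access syscall. */
static bool exists_raw(const char *path) {
    return syscall(SYS_faccessat, AT_FDCWD, path, F_OK, 0) == 0;
}

/* The ordinary libc check, kept only to compare against the raw one. */
static bool exists_libc(const char *path) {
    return access(path, F_OK) == 0;
}

/* Counts candidate paths that exist according to the raw syscall and sets
   *tamper when libc and the kernel disagree about any of them, which is the
   breadcrumb a hooked libc leaves behind. */
int count_existing_paths(const char *const *paths, bool *tamper) {
    int hits = 0;
    *tamper = false;
    for (size_t i = 0; paths[i] != NULL; i++) {
        bool raw = exists_raw(paths[i]);
        bool libc = exists_libc(paths[i]);
        if (raw != libc) *tamper = true;
        if (raw) hits++;
    }
    return hits;
}

/* Scans mount-table text (one entry per line, /proc/self/mounts format) and
   counts lines containing any marker. Takes the text as a parameter so the
   same logic runs over the live table or over a constructed sample. */
int count_mount_markers(const char *mounts_text, const char *const *markers) {
    int hits = 0;
    const char *line = mounts_text;
    while (line != NULL && *line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char lbuf[512];
        size_t n = len < sizeof lbuf - 1 ? len : sizeof lbuf - 1;
        memcpy(lbuf, line, n);
        lbuf[n] = '\0';
        for (size_t i = 0; markers[i] != NULL; i++) {
            if (strstr(lbuf, markers[i]) != NULL) { hits++; break; }
        }
        line = nl ? nl + 1 : NULL;
    }
    return hits;
}

/* Reads the live mount table of this process; returns 0 bytes if unreadable. */
static size_t read_live_mounts(char *buf, size_t cap) {
    FILE *f = fopen("/proc/self/mounts", "r");
    if (f == NULL) return 0;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    return n;
}

int main(void) {
    bool tamper;
    int su_hits = count_existing_paths(SU_PATHS, &tamper);

    static char buf[65536];
    size_t n = read_live_mounts(buf, sizeof buf);
    buf[n] = '\0';
    int mount_hits = count_mount_markers(buf, MOUNT_MARKERS);

    printf("su paths found: %d, mount markers: %d, libc/syscall mismatch: %s\n",
           su_hits, mount_hits, tamper ? "yes" : "no");
    return (su_hits > 0 || mount_hits > 0 || tamper) ? 1 : 0;
}
```

On a constructed table such as `overlay /system overlay rw 0 0`, `/dev/block/loop1 /sbin/.magisk/mirror ext4 ro 0 0`, `proc /proc proc rw 0 0`, `count_mount_markers` reports one hit (the `/sbin/.magisk` line; a line matching several markers is counted once). The design point is that none of the three signals is trusted alone: a single path check is trivially hidden, but hiding also the mount table and keeping libc and the kernel in agreement for every path costs the attacker more, which is exactly the cat-and-mouse dynamic the interview describes. Each list is a maintenance burden that has to be revisited whenever a new hiding module appears.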
The dynamic struggle between developers and hackers over root detection underscores a critical cybersecurity battleground. As Luka's insights reveal, the key to safeguarding mobile applications lies in constant monitoring, innovative security strategies, and a deep understanding of both existing and emerging rooting techniques. Developers and app owners must prioritize continuous improvement and collaboration to protect users from the vulnerabilities associated with rooted devices, ensuring a secure and trustworthy digital environment.
To find out more about our App Protector solution, contact us or visit our blog section.