Dev's Perspective on Rooting and Root Detection Techniques

The following paragraphs bring us a developer's perspective on rooting detection tools. Luka Babić, a Solution Architect in ASEE, reveals tools that bypass root detection solutions, explains how hackers leverage those tools and discusses mobile application security solutions that help prevent rooting-based attacks.

What is rooting and rooting detection (Android)?

Root detection is the process of identifying whether a mobile device has been rooted (Android) or jailbroken (iOS). Rooting or jailbreaking means removing the restrictions imposed by the device manufacturer or operating system in order to gain privileged control over the device's software. This lets users access system files, customize the device beyond what is normally allowed, and install apps that are not available through official app stores.

Why are rooted devices a potential security risk?

Rooting or jailbreaking can pose security risks, as it opens up the device to potential malware, unauthorized access, and other vulnerabilities.

Rooting techniques

Here are some ways attackers might use a rooted or jailbroken device:

  1. Malicious apps: Attackers may create or install malicious applications that exploit the elevated permissions on a rooted device. These apps could steal sensitive information, track user activities, or perform other malicious actions without the user's knowledge.
  2. Privilege escalation attacks: Rooted devices often have vulnerabilities that can be exploited for privilege escalation attacks. Attackers may attempt to exploit these vulnerabilities to gain even higher levels of access, potentially compromising the entire device.
  3. Bypassing security measures: Rooted devices might be able to bypass certain security measures implemented by the operating system or third-party apps. This could include bypassing app permissions, disabling security features, or evading detection mechanisms.
  4. Tampering with system files: Attackers may modify critical system files on a rooted device, leading to instability, crashes, or unauthorized changes to the device's behavior. This can be particularly harmful if the attacker is seeking to disrupt the normal operation of the device.

Some apps and services, especially in the financial and security sectors, may implement root detection mechanisms to identify whether a device is rooted. If a rooted device is detected, certain apps or services may refuse to run or restrict functionality to mitigate potential security concerns.

Root detection is used as a security measure to protect against malicious activities that may occur on rooted or jailbroken devices. Developers often implement root detection in applications to ensure a secure environment for their services.

Dev's perspective on root detection

1. What tools are commonly used to bypass root detection solutions?

Up until recently, Magisk offered MagiskHide functionality which hid the Magisk tool installed on mobile devices from the apps running on the device. From Magisk v24, this functionality was removed, but it was supplemented with various Magisk modules which offered hiding device rooting. Those were Zygisk, Shamiko, and Riru.

2. Could you explain how these tools manage to bypass rooting detection?

This is an interesting question and the answer would be – there are various techniques being used. The most popular one is to inject malicious code when starting the process related to a particular app on the mobile device and bypass system functions which would, in normal circumstances, enable the mobile application to detect the root being present on a mobile device.

3. How does ASEE solve this issue? Which mechanisms are used to circumvent bypass tools?

Well, being able to detect rooted devices is a never-ending game between hackers and security experts who develop tools for root detection. When possible, one of the options would be to constantly keep up to date on how tools used to root devices work and to catch any breadcrumbs in system behavior which enable us to detect the presence of root on mobile devices. However, sometimes this is not possible because the source code for a particular component that hides the system root is not publicly available. This is the part where it gets quite tricky, since the only thing we as security experts are left with is to try to reverse engineer or detect anomalies in system behavior when a particular tool is in action.
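As an added example (not ASEE's App Protector code), the C below shows the defensive side of the previous two answers: one libc-level su-path check that a process-injected hook could intercept, combined with two signals taken from kernel-provided /proc text, the kind of system-behavior breadcrumb described above. The su paths, mount names and library substrings are assumed indicators chosen for illustration, not a list from the page.

```c
/* Added example, not ASEE's App Protector code; all indicator lists below are assumptions. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Counts lines of `text` (a /proc/mounts or /proc/self/maps dump) containing any needle. */
int count_indicator_lines(const char *text, const char *const *needles) {
    int hits = 0;
    while (text && *text) {
        const char *end = strchr(text, '\n');
        size_t len = end ? (size_t)(end - text) : strlen(text);
        for (int i = 0; needles[i]; i++) {
            size_t nlen = strlen(needles[i]);
            int found = 0;
            for (size_t off = 0; off + nlen <= len && !found; off++)
                found = memcmp(text + off, needles[i], nlen) == 0;
            if (found) { hits++; break; }           /* at most one hit per line */
        }
        text = end ? end + 1 : NULL;
    }
    return hits;
}
/* Assumed indicator lists; they need the ongoing maintenance the interview describes. */
static const char *const SU_PATHS[] = { "/system/bin/su", "/system/xbin/su", "/sbin/su", NULL };
static const char *const MOUNT_NEEDLES[] = { "magisk", " /system overlay", " /sbin tmpfs", NULL };
static const char *const MAPS_NEEDLES[] = { "magisk", "zygisk", "riru", NULL };
/* Signal 1: su reachable. access() is a hookable libc call, so it is never trusted alone. */
int su_binary_present(void) {
    for (int i = 0; SU_PATHS[i]; i++)
        if (access(SU_PATHS[i], F_OK) == 0) return 1;
    return 0;
}
/* Signals 2 and 3 use kernel-generated /proc text, so a hook on libc calls alone cannot
 * make all three signals agree. A score of 2 or more is treated as "likely rooted". */
int root_score_from_text(int su_present, const char *mounts, const char *maps) {
    return su_present + count_indicator_lines(mounts, MOUNT_NEEDLES)
                      + count_indicator_lines(maps, MAPS_NEEDLES);
}
/* Reads a /proc file into buf as a NUL-terminated string (empty on failure). */
static void read_proc(const char *path, char *buf, size_t cap) {
    FILE *f = fopen(path, "r");
    size_t n = f ? fread(buf, 1, cap - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
}
/* Live variant for use inside an app process: scores the real /proc files. */
int root_score_live(void) {
    static char mounts[65536], maps[65536];
    read_proc("/proc/mounts", mounts, sizeof mounts);
    read_proc("/proc/self/maps", maps, sizeof maps);
    return root_score_from_text(su_binary_present(), mounts, maps);
}
```

The score threshold and the needle lists are the parts that need the quarterly review the interview mentions; on a stock device root_score_live() is expected to return 0.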

4. Can we beat hackers in this race?

Maybe the right question would be: "Is the possibility of getting there before the hackers even realistic?" Not sure, because it's up to the hacker's creativity to think of new ways to develop tools that will enable root hiding. The best thing to do is to continuously test and monitor new mechanisms for root hiding, which tend to appear from various channels where hackers usually publish their work related to this topic.

5. How are we improving our mobile security solutions?

Constant monitoring and pen test reports are needed for a deep understanding of how a security solution works. We monitor on a quarterly basis new vulnerabilities and new tool versions for bypassing rooting detection. When we find one, we look for a way to detect it and send the information to users and clients. Hackers are improving constantly: sometimes new versions are published every week, and sometimes months can pass before a new version appears.

6. How can mobile app owners protect their apps and their users?

Vendors of mobile applications always have the option to develop a mechanism for root detection on their own. As good as it sounds at first, it might be a jump into the rabbit hole, since this is a never-ending endeavor to cover all corner cases that can occur in real life. As already mentioned, there are various ways to detect root, and it all needs to be checked on various types of devices, which can take up a lot of time and resources and can be costly in the long run.

Wrap up

The dynamic struggle between developers and hackers over root detection underscores a critical cybersecurity battleground. As Luka's insights reveal, the key to safeguarding mobile applications lies in constant monitoring, innovative security strategies, and a deep understanding of both existing and emerging rooting techniques. Developers and app owners must prioritize continuous improvement and collaboration to protect users from the vulnerabilities associated with rooted devices, ensuring a secure and trustworthy digital environment.

App Protector SDK is a mobile security component built into the application's code enabling runtime protection as well as a variety of mobile application hardening techniques, including jailbreak detection.
