
Root detection: What is it and how it works

By Promon November 13, 2024 03:00 pm

With data privacy regulations making root detection less effective, it’s time to find out how it really works and where it fits in your app security.

Rooting and jailbreaking come up in a lot of our conversations. When they do, the conversation generally looks a little bit like this:

“We’re worried about the security implications of running our apps on rooted devices, so root detection is an absolute must.”

Rooted or jailbroken devices certainly pose a security threat—and app vendors are right to be wary of the risks—but we don’t necessarily classify root detection as a “must-have.”

Of course, we’ll explain why. But first, let’s recap what rooting is, why it’s dangerous, and how root detection techniques try to defend against it.

What is rooting/jailbreaking?

Rooting or jailbreaking describes the process of unlocking a smartphone to gain elevated (superuser) privileges. ‘Rooting’ is the Android term and ‘jailbreaking’ the iOS term. In both cases, the end user steps outside the platform’s normal sandbox and gains unrestricted rights over the device, the apps installed on it, and the data those apps store.

There is a whole range of commonly available tools that allow users to root or jailbreak their smartphones. This makes the process relatively straightforward for even non-technical users to perform.

People root or jailbreak their devices for many different reasons. You might, for instance, want to remove bloatware or amuse yourself by changing the default font to Comic Sans. If you’re a developer or security researcher, you may need root access to customize the operating system, reach restricted apps and APIs, or instrument apps for security research.

Needless to say, some of these reasons are better than others…

The challenge of rooted devices

“As an end user, rooting allows you to target your own device and the apps on it, to break the defenses that have been built in. You then have the privileges to analyze entry points that can be used to break those apps on other devices. 

It also means malware and other tools have more power on rooted devices. This means they can do more damage than they would if downloaded via the Play Store onto a non-rooted device.”

- Morten Ruud, Product Manager at Promon

Whether the goal is superficial or sensible, rooting (or jailbreaking) creates a whole range of security risks. 

But it’s not just about smartphone users. There are also several risks to organizations whose apps are downloaded onto jailbroken devices. These include: 

  • End user misuse: Jailbreaking and rooting let end users circumvent rules and restrictions that you’ve built into your apps. This can include installing cheats and mods (e.g., a gaming app) or bypassing regional restrictions (e.g., streaming). If these workarounds sidestep in-app purchases, they have a direct impact on revenue.
  • Loss of intellectual property: Technically savvy users can use rooted devices to understand how an app works, by extracting and statically analyzing its code or, more powerfully, by instrumenting it at runtime, which root access makes far easier. This can mean losing critical secrets and proprietary logic to malicious actors.
  • Data breaches: Android and iOS isolate each app’s private storage in an increasingly tight sandbox so that other apps cannot read it. A process with root privileges is not bound by that sandbox, so tokens, keys and cached data can be read straight out of the app’s private directory.
  • Malware: Rooting weakens key platform defenses: it usually requires an unlocked bootloader (so verified boot no longer protects the system partition), and any malicious app that obtains root can leave its sandbox. This makes it much easier for attackers to install software that steals data, logs activity, watches how the user interacts with your app, and more.
  • Reverse engineering and repackaging: Attackers can use rooted devices to analyze the code and logic of an app in order to find vulnerabilities, or to produce a trojanized copy of it through repackaging.

Put simply, the risks of jailbroken devices are high. If you want to protect the security, intellectual property, and business model of your app, you’ll need to find a robust solution to keep your app safe.

But that’s easier said than done…

A potential solution: How root detection works 

“Root detection tools have to manage with the limited information that apps have access to on the rest of the device. Nonetheless, there are certain common traces we can look out for. This includes basic checks for su executables and more advanced detection mechanisms that might be used to hide traces of rooting.

But root detection isn’t a guarantee, since modern tools can hide evidence of rooting/jailbreaking. For this reason, it has to be used in combination with other app protection techniques.”

- Morten Ruud, Product Manager at Promon

Rooting/jailbreaking is not a new phenomenon. End users have been finding their way around smartphone restrictions for just about as long as manufacturers have been implementing them.

Over the years, this has created something of a cat-and-mouse game between those trying to simplify jailbreaking and those trying to protect their apps. But app vendors haven’t been sitting on their hands. With the risk being so high, several common root detection methods have evolved over the years to help defend against it.

There are both pros and cons of root detection tools, and they’re far from foolproof. But they can provide an important first line of defense, so it’s important to be aware of the options.

Generally, root detection tools inspect the device the app has been installed on, looking for telltale signs of rooting/jailbreaking. These include:

  • Root management apps: On Android this may include root managers like SuperSU or Magisk Manager, and the BusyBox toolset that usually accompanies them; on iOS, a jailbreak’s package manager plays the same role. These are commonly used by non-technical users to root or jailbreak their devices, so if they are present there’s a good chance the device is at risk. (Note that recent Android versions restrict which installed packages an app is allowed to see.)
  • Altered files or directories: Certain system files and directories are created or altered during the rooting process. Root detection tools check for the most common examples, such as /system/app/Superuser.apk or an su binary at /system/xbin/su. If these exist, the device is very likely rooted.
  • SU binary: The superuser binary (for example /system/bin/su or /system/xbin/su) is present on most rooted devices, and jailbroken iOS devices typically ship one too. It is what gives the user the ability to execute admin-level commands. Root detection solutions can look for it with a straightforward check: testing whether the file exists at the usual locations, or searching the directories on PATH (the equivalent of running which su).
  • Hooks: Magisk Hide (now Magisk’s DenyList) can hide the root artifacts above from a chosen app, and instrumentation frameworks like Frida can hook the detection functions themselves so that they return clean results. This is why advanced root detection tools look for deeper system changes, such as evidence of hooking in the app’s own runtime environment.
  • Bypass-tool detection: At the same time, specific toolkits exist to detect the presence of Magisk Hide, Frida and similar tools on a device. These include AntiFrida, DetectMagiskHide, and others.

Root detection tools use a combination of these methods because no single check is reliable on its own. The detection code is generally built into the app itself (typically as an SDK), so the checks run whenever the app is launched on a device.
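To make the list above concrete, here is an added example of the kind of layered check an Android app might run: file and PATH lookups for su, root-manager package lookups, a build-tag check, and two of the hooking indicators mentioned above (Frida’s library in the app’s own memory map and frida-server’s default port). This is illustrative code written for this article, not Promon’s product code. The package name and class name are hypothetical, and the exact set of paths and package names is an assumption that varies by device and rooting tool.

```java
package com.example.rootcheck; // hypothetical package; illustrative code, not Promon's

import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Build;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.ArrayList;
import java.util.List;

/**
 * Collects root and instrumentation indicators. Every check is a weak
 * signal on its own: Magisk's DenyList can unmount su for this process,
 * and a Frida hook on File.exists() can simply return false. Treat the
 * result as evidence to be weighed, not as a verdict.
 */
public final class RootSignals {

    // Files and directories that rooting tools commonly leave behind (assumed list).
    private static final String[] ROOT_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
        "/system/app/Superuser.apk", "/system/app/SuperSU.apk",
        "/system/xbin/busybox", "/data/adb/magisk"
    };

    // Root-manager packages (assumed list). Since Android 11, getPackageInfo()
    // only sees packages declared in the app manifest's <queries> element.
    private static final String[] ROOT_PACKAGES = {
        "com.topjohnwu.magisk", "eu.chainfire.supersu",
        "com.noshufou.android.su", "com.koushikdutta.superuser"
    };

    private static final int FRIDA_DEFAULT_PORT = 27042;

    private final Context context;

    public RootSignals(Context context) {
        this.context = context.getApplicationContext();
    }

    /** Runs every check and returns a label for each one that fired. */
    public List<String> collect() {
        List<String> hits = new ArrayList<>();
        for (String path : ROOT_PATHS) {
            if (new File(path).exists()) hits.add("path:" + path);
        }
        if (suOnPath()) hits.add("path-env:su");
        for (String pkg : ROOT_PACKAGES) {
            if (isInstalled(pkg)) hits.add("pkg:" + pkg);
        }
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) {
            hits.add("build:test-keys"); // firmware signed with AOSP test keys
        }
        if (fridaMappedInProcess()) hits.add("maps:frida");
        if (localPortOpen(FRIDA_DEFAULT_PORT)) hits.add("port:frida-server");
        return hits;
    }

    /** Looks for an su binary in every directory on PATH without spawning a shell. */
    static boolean suOnPath() {
        String path = System.getenv("PATH");
        if (path == null) return false;
        for (String dir : path.split(":")) {
            if (new File(dir, "su").exists()) return true;
        }
        return false;
    }

    private boolean isInstalled(String packageName) {
        try {
            context.getPackageManager().getPackageInfo(packageName, 0);
            return true;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }

    /** Frida loads frida-agent / frida-gadget into the target; both appear in /proc/self/maps. */
    static boolean fridaMappedInProcess() {
        try (BufferedReader reader = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = reader.readLine()) != null) {
                if (line.contains("frida")) return true;
            }
        } catch (IOException ignored) {
            // An unreadable map is unusual but not proof of anything.
        }
        return false;
    }

    /** frida-server listens on 127.0.0.1:27042 by default. Needs INTERNET permission; call off the main thread. */
    static boolean localPortOpen(int port) {
        try (Socket socket = new Socket()) {
            socket.connect(new InetSocketAddress("127.0.0.1", port), 200);
            return true;
        } catch (IOException e) {
            return false;
        }
    }
}
```

Run collect() from a background thread at startup and decide on the response (restrict features, warn, or exit) based on how many independent signals fired rather than on any single one; a lone “path:” hit on an exotic OEM image is a plausible false positive, while a Frida library mapped into your own process is not. The same idea carries over to iOS, where the equivalent checks look for jailbreak package managers, an su or bash binary, and whether the app can write outside its own container.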

App vendors generally have several customizable options for how they respond to rooted devices, including programmatic blocking (reducing access to certain features) or terminating the app entirely.

But root detection isn’t a silver bullet…

The cat-and-mouse nature of root detection means it’s impossible to be 100% sure whether or not a device is rooted. There are several important reasons for this:

  • Rooting and jailbreaking tools are getting more sophisticated and are often able to hide their presence and activity.
  • By definition, rooting and jailbreaking gives the end user elevated privileges, which can in turn be used to disable or bypass root detection technology.
  • Root detection tools can create false positives. At the same time, the variability of device vendors and models on Android means there’s no 100% effective way of distinguishing between rooted and non-rooted devices.
  • Apple & Google have made sandboxes increasingly tight over time for data privacy reasons. This limits the app vendor’s ability to monitor activity and other apps on the device.

Most of the root detection approaches discussed above rely on the app collecting risk signals from the device it runs on. This gets harder over time, because restricting what an app can learn about the rest of the device is a fundamental feature of data privacy. Android 11’s package visibility rules, for example, stop an app from simply enumerating installed packages to look for a root manager.

In the post-GDPR world, privacy rules increasingly limit the amount and type of data that apps can access on a user’s device without consent. As these restrictions tighten, root detection is likely to get less effective over time, not more.

To keep our apps safe, we therefore need a fundamentally different approach.

The Promon view: Root detection is a nice-to-have

Root detection is certainly a valuable tool and an important part of your app’s security posture. But at Promon, our view is that it’s best thought of as a filter rather than a barrier. Since it can’t reliably protect against the risk of rooted or jailbroken devices, we have to combine it with more fundamental security tools.

So how do we do this? Our approach is to always assume that devices are rooted or jailbroken—and then protect them from the risks. This is why we say that root detection technology is a nice-to-have.

There are a number of additional protections we use to substantially reduce the risk of running your app on an insecure device: 

While root detection adds a valuable layer of security, you cannot rely on it alone. To deal with complex risks, you need a robust strategy that goes beyond detection by integrating advanced measures to build resilience against threats, even on compromised devices. A multi-layered approach that treats root detection as one piece of a comprehensive security puzzle is essential to protect your apps and data.