0

I am developing some enterprise applications which are be restricted to run on Rooted devices.

I was using this piece of code of identifying the root access and it was working fine.

Determine if running on a rooted device

But today I came to know that my security team had broken the root check in the application using Root Cloak.

Root Cloak link: http://galaxy-note-3.wonderhowto.com/how-to/trick-apps-wont-run-if-your-phone-is-rooted-into-thinking-its-not-galaxy-note-3-0150385/

I am planning to restrict the access of my application If Root Cloak application is present on the device. But I doesn't feel it is a good solution because what if a new app will come tomorrow.

Also I was thinking that if Root Cloak can add or remove apps for Hiding root Access can't my application use the only the remove part and when I launch my app first it remove the app from hided root access using some piece of code.

Can anybody have any idea about how Root Cloak is doing the same and what could be the workaround to get rid of this.

Community
  • 1
  • 1
Piyush Agarwal
  • 25,608
  • 8
  • 98
  • 111
  • I am facing the same problem. Did you able to get any solution. – Farhana Haque Aug 10 '14 at 06:40
  • Actually as described there is no such solution, I already had a daily sync-up with device functionality in which I had added feature like blacklisted app, where I can set some black listed apps and presence of those will also consider device as rooted. We can add any such package at run-time. Also encryption is one more solution I am planning to integrate where every data stored in device will be encrypted and send back to device in response of any request and than that encrypted data only will be used for further requests. – Piyush Agarwal Aug 11 '14 at 11:41

3 Answers3

4

Perhaps reevaluate why you are trying to prevent your application from running on rooted devices. I know that preventing rooted devices from using enterprise applications seems like a panacea for enterprise security, but it's not. Consider this: unlocked bootloaders, custom recoveries, and S-OFF can offer possibly undetectable methods for accessing system-level data.

If you can guarantee data security (to the same degree) on a rooted phone, you will have a stronger selling point. Assuming that "unrooted" is equivalent to "secured" is a fallacy to which too many organizations and individuals fall prey.

(Full disclosure: I am the creator of RootCloak)

Matt Joseph
  • 336
  • 1
  • 7
  • ohh.. man, thanks for replying. I know if your device is unrooted doesn't mean you are secure but there are certain policies we have to follow here in Enterprise apps. At-least at some extant we can secure. – Piyush Agarwal Feb 10 '14 at 18:21
0

If the restriction is just because you need certain functionality, then consider checking if that functionality exists on the system.

If it is a security issue, then you will never have perfect security without having control what is installed on the system. With enough time / resources / threats, most things can be broken.

iheggie
  • 2,011
  • 23
  • 23
0

Write the installation manual least states clearly the rooted device is required. In the controlled enterprise environment it is possible to require to follow the documentation you provide.

Simply do with your application that you just must do and need root rights for that. If it works, the device is rooted. If not, in most cases the error state can be captured. Display the error message at this step.

Audrius Meškauskas
  • 20,936
  • 12
  • 75
  • 93