48

Possible Duplicate:
Determine if running on a rooted device

How do you determine (programmatically) if an Android device is:

  • rooted
  • running a cracked copy of your software or ROM

I have some sensitive information in my database, and I would like to encrypt it when the phone is rooted aka the user has access to the database. How do I detect that?

Cœur
Pentium10
  • There is the SafetyNet Attestation API of Google Play services, by which we can assess the device and determine if it is rooted/tampered. Please go through my answer to deal with rooted devices: https://stackoverflow.com/a/58304556/3908895 – Kalpesh Wadekar Oct 10 '19 at 07:25

3 Answers

45

Rooting detection is a cat and mouse game and it is hard to make rooting detection that will work on all devices for all cases.

See Android Root Beer https://github.com/scottyab/rootbeer for advanced root detection which also uses JNI and native CPP code compiled into .so native library.

If you need some simple and basic rooting detection check the code below:

  import java.io.BufferedReader;
  import java.io.File;
  import java.io.InputStreamReader;

  /**
   * Checks if the device is rooted.
   *
   * @return <code>true</code> if the device is rooted, <code>false</code> otherwise.
   */
  public static boolean isRooted() {

    // get from build info: builds signed with test keys are not release builds
    String buildTags = android.os.Build.TAGS;
    if (buildTags != null && buildTags.contains("test-keys")) {
      return true;
    }

    // check if /system/app/Superuser.apk is present
    try {
      File file = new File("/system/app/Superuser.apk");
      if (file.exists()) {
        return true;
      }
    } catch (Exception e1) {
      // ignore
    }

    // ask `which` to locate an su binary
    return canExecuteCommand("/system/xbin/which su")
        || canExecuteCommand("/system/bin/which su") || canExecuteCommand("which su");
  }

  // Runs a command and reports whether it printed any output. `which su`
  // prints a path only when su is found; a failure to start the command
  // (for example, no `which` on the device) counts as "not found".
  private static boolean canExecuteCommand(String command) {
    Process process = null;
    try {
      process = Runtime.getRuntime().exec(command);
      BufferedReader in = new BufferedReader(
          new InputStreamReader(process.getInputStream()));
      return in.readLine() != null;
    } catch (Exception e) {
      return false;
    } finally {
      if (process != null) {
        process.destroy();
      }
    }
  }

Probably not always correct. Tested on ~10 devices in 2014.

peceps
  • 5
    You mean rooted with a specific tool that adds Superuser.apk? There isn't a guaranteed programmatic way to determine if a device is rooted as most checks could be circumvented. – dljava Apr 04 '13 at 11:56
  • 1
    I've been using this check in my product, but recently the Nexus 7.1 is reporting false for all of these (no `which` command installed) and SuperSu is not installing in the /system/app folder. – Graeme Apr 07 '14 at 09:59
  • Maybe you should also have a look at http://stackoverflow.com/questions/1101380/determine-if-running-on-a-rooted-device – Shridutt Kothari Jan 22 '16 at 14:24
  • When I implement this code I have this error: java.io.IOException: Error running exec(). Command: [/system/xbin/which, su] Working Directory: null Environment: null catching in exec At (Line: 320) – khouloud mejdoub Feb 03 '17 at 10:02
  • Not working on my phone, LeEco 2 – Vineesh TP May 09 '17 at 05:55
  • Not working on Galaxy S7 edge – Joubert Vasconcelos May 27 '17 at 14:53
  • Doesn't work for Redmi 3s Prime; it executes the which su command in that case – Kartik Shah Sep 10 '17 at 06:35
5

If the information is sensitive you should probably just encrypt it for all users. Otherwise a user could install your app unrooted, then root and read your database once the data's been written.

oli
  • 1
    Problem is that if your content is media content (mp3, mp4), even encrypted originally, and you want to playback in the media player, you need to use a temporary decrypted file at some point, which could be accessed on a rooted device. – Mathias Conradt Oct 11 '11 at 03:33
2

The official licensing guide says:

A limitation of the legacy copy-protection mechanism on Android Market is that applications using it can be installed only on compatible devices that provide a secure internal storage environment. For example, a copy-protected application cannot be downloaded from Market to a device that provides root access, and the application cannot be installed to a device's SD card.

It seems that you would benefit from using that legacy copy-protection to prevent your application from being installed on rooted devices.

You might release a separate version that can be installed on rooted devices with an encrypted database.

Christian
  • But how can they detect whether the device is rooted or not? As hackbod (Android developer) mentioned, it's not possible to detect. http://stackoverflow.com/questions/3576989/how-can-you-detect-if-the-device-is-rooted-in-the-app – Mathias Conradt Oct 11 '11 at 03:34