Select release
Introduction

Home

Installation

Configuration

Initialization

Common Usage Scenarios

Recommended Responses to Security Issues

Google Play Prominent Disclosure

SafetyNet Google Play Warning

Device Fingerprinting

Troubleshooting

Release Notes

Migration to Version 1.2.x

Migration to Version 1.0.x

Runtime Protection

RASP Features Overview

Debugger Detection

Emulator Detection

Root Detection

Repackaging Detection

Screen Sharing Detection

Blocking Screen Readers

Screenshot Blocking and Detection

Tapjacking Protection

HTTP Proxy Detection

VPN Detection

Screen Lock Usage

Google Play Protect Status

Changing Process Name

Detection of ADB Status

Detection of Developer Options Status

Detection of Biometry Enrollment Status

Detection of Active Call

App Presence Detection

Spoofed Location Detection

Activity protection

RASP Observer

Anti-Malware

Anti-Malware Use-Cases

Anti-Malware Feature Overview

Malware Threat Identification

Malware Threat Mitigation

Listening to App Changes

Installer identification

Smart Protection

Smart Protection UI Customization

Root Detection

View product v1.2.1

Detecting that an app runs on a rooted device is a key RASP feature. An Android device that has been rooted gives users and apps higher privileges and enables them to perform otherwise restricted actions. Such a device does not provide a secure environment for a production app because device users or other apps can affect the application runtime in an unexpected way, potentially compromising its integrity.

Malwarelytics for Android is able to detect that the app is running on a rooted device and can be configured to terminate the app in such a case.

Configuration Anchor link

This feature can be configured during the Malwarelytics initialization phase:

val raspConfig = RaspConfig.Builder()
    .root(RootDetectionConfig)
    // configuration of other RASP features
    .build()

Available values of RootDetectionConfig:

Value Description
NoAction indicates that the root will not be automatically detected. A manual check is still possible.
Notify indicates that the root will be automatically detected and observers will be notified.
Exit(
exitUrl:String?,
exitOnRootMinConfidence:Float)		 indicates that the root will be automatically detected and the app will be terminated when the root is automatically detected.

Root detection defaults to RootDetectionConfig.Notify.

List of available parameters for some config values:

Parameter Description
exitUrl:String? defines the URL to be opened when the app is terminated because of the automatic detection. Defaults to null.
exitOnRootMinConfidence:Float gives the minimum confidence value of a heuristic root detection that triggers app termination. Possible values are between 0.0 (inclusive) and 1.0 (inclusive). The default value is 1.0.

Usage Anchor link

After initialization, the rooted device detection feature can be accessed via RaspManager. This can be used to register an observer or to trigger a manual root detection check.

Registering an Observer Anchor link

Rooted device detection can trigger a certain action. To achieve that, an observer needs to be configured and registered.

Observer configuration:

val raspObserver = object : RaspObserver {
    override fun onRootDetected(rootDetection: RootDetection) {
        // handle root detection
    }
    // handle detection of other RASP features
}

The observer can be registered in RaspManager. When it is no longer needed, it can be unregistered again.

raspManager.registerRaspObserver(raspObserver)
raspManager.unregisterRaspObserver(raspObserver)

The RootDetection data class contains the following properties:

Property Description
isRooted: Boolean indicates whether the device is rooted with a non-zero confidence.
rootDetectionConfidence: Float indicates the confidence of the root detection, the value is in the range [0.0, 1.0].
isRootCloaked: Boolean indicates whether there’s an attempt to cloak the root.
rootCloakDetectionConfidence: Float indicates the confidence of the root cloak detection, the value is in the range [0.0, 1.0].
rootDetectionProofs: List<RootDetectionProof> contains troubleshooting information. All the values (from [RootDetectionProof.RDP_01] to [RootDetectionProof.RDP_12]) are used for troubleshooting purposes only and may be changed at any version.

Triggering a Manual Check Anchor link

Rooted device detection check can be triggered manually in RaspManager. Two methods are available – isDeviceRooted() gives a simple boolean answer, whereas getRootDetection() provides more details.

val rootDetection: RootDetection = raspManager.getRootDetection()
val isRooted: Boolean = raspManager.isDeviceRooted()

More information on general RASP feature configuration and usage can be found in this overview.

Last updated on Feb 13, 2025 (19:31) View product
On this page:

Introduction

Configuration

Usage

Search

1.2.x

Malwarelytics for Android