How to block Android App installation in a Rooted Device

The $158.9 billion fintech industry thrives on mobile apps. Android dominates the mobile app market with a whopping 71.65% market share. Though in demand globally, its open-source nature makes data security a vulnerability in Android apps. Even super apps are no exception. 

Developing and releasing a fully functional and secure Android application is a critical challenge for app developers. Managing app functionality is the easy part; but the real challenge is making the Android application secure and resilient to cyberattacks.  

What’s the best way to do this? 

Our Software Development Engineer, Sundaramanikandan has hands-on experience in developing highly secure Android apps and will take us through every step in mitigating cyberattacks while developing an app.  

First things first, every developer must prioritize security to protect users and their data. The security-first approach will benefit the 6.92 billion smartphone users in the world, who constitute over 86.29% of the global population.  

Remember that the advances in digitization and technology also apply to hackers and cybercriminals. Technology that makes lives easier has increased our exposure to risks. Fraudsters ride on the vulnerabilities by using more sophisticated techniques to exploit loopholes and evade detection while breaking into systems to access sensitive data. 

How to secure Android devices from attackers? 

Developers and organizations need to deploy secure software development lifecycle practices to protect against data breaches or theft. Public Wi-Fi networks and other wireless communication systems should be blocked to prevent man-in-the-middle attacks and other unsecured communication exploits. Attackers can pretend to be real web services, steal data, or listen in on calls and texts by taking over a user’s mobile signal. 

Smartphone rooting to get superuser permissions   

Firstly, the process called rooting is done, i.e., removing the limitations on a mobile or tablet running the Android operating system. It lets you get root access to the code of the Android operating system (the equivalent term for Apple devices is jailbreaking). It gives permission to change the device’s software code or install software that the manufacturer wouldn’t normally let us do. 

Cons of running apps on a rooted device 

Simply put, it opens higher risks like spoofing, cheating, and abuse of core functionalities. A root-level app can easily set up backdoors that let unauthorized users get into the device and then into the secure corporate network. When you “root” your Android device, you give apps unauthorized access to your operating system and sensitive data. It further leads to the theft of user data, finances, intellectual property, and piracy. Some malware apps specifically go after rooted devices to infect system-level files. So, you must be careful what you install. 

Targeted cyberattacks on corporates are on the rise as more and more business transactions are done on mobile devices. Rooted Android devices make it easier to sneak into the corporate network. For a financial app, if an attacker can intercept a network call and change the address, the victim could lose a lot of money, and the company that developed the app will lose its reputation. 

As having a user-friendly mobile app is a key differentiator, banks and financial institutions are in a dilemma to choose between allowing their app, which contains excellent payment functionalities and extremely sensitive data, to run on rooted/jailbroken devices or risk losing their target audience. Or they can opt for the middle ground by mitigating the risks of the app running on rooted devices. This compromise is critical. Or else, risks such as malware, man-in-the-middle attacks, and system API hijacking could lead to user data exfiltration.  

Therefore, Android app installation must be blocked on rooted devices to prevent attacks specifically targeting users who have rooted their smartphones. 

How can app developers block Android installation on a rooted device? 

Every Android app developer should understand the following pointers below to steer clear of the hazards of rooted devices. 

What’s the common way an app can be tampered with? 

1. ByPassing root detection logic implemented  
2. ByPassing the SSL Pinning 

What are the commonly used hacking tools? 

1. Magisk 
2. LSXposed Framework 

Dos and Don’ts – for infosec clearance to block Android app installation 

Don’ts 

❌ Install the app on a rooted device 

❌ Tapjack 

❌ Copy/paste sensitive data 

❌ Take screenshots  

Dos 

Now, the following method will help create the most comprehensive approach: 

✅ Check if the app is running in emulator 

This is the first thing we need to look at when the app is launched. If a hacker extracts the APK and tries to run it in an emulator/simulator, we should stop running the app if it is a production version. This functionality can be built as an extension function and utilized in the application’s base activity.  

val isRunningOnEmulator: Boolean by lazy {
    // Android SDK emulator
    return@lazy ((Build.FINGERPRINT.startsWith(“google/sdk_gphone_”)
            && Build.FINGERPRINT.endsWith(“:user/release-keys”)
            && Build.MANUFACTURER == “Google” && Build.PRODUCT.startsWith(“sdk_gphone_”) && Build.BRAND == “google”
            && Build.MODEL.startsWith(“sdk_gphone_”))
            || Build.HARDWARE.contains(“goldfish”)
            || Build.HARDWARE.contains(“ranchu”)
            || Build.PRODUCT.contains(“sdk_gphone64_arm64”)
            || Build.PRODUCT.contains(“vbox86p”)
            || Build.PRODUCT.contains(“emulator”)
            || Build.PRODUCT.contains(“simulator”)
            || Build.FINGERPRINT.startsWith(“generic”)
            || Build.FINGERPRINT.startsWith(“unknown”)
            || Build.PRODUCT.contains(“sdk_google”)
            || Build.MODEL.contains(“google_sdk”)
            || Build.PRODUCT.contains(“sdk_x86”)
            || Build.MODEL.contains(“Emulator”)
            || Build.MODEL.contains(“Android SDK built for x86”)
            || “QC_Reference_Phone” == Build.BOARD && !“Xiaomi”.equals(
        Build.MANUFACTURER,
        ignoreCase = true
    )
            || Build.MANUFACTURER.contains(“Genymotion”)
            || Build.HOST.startsWith(“Build”) //MSI App Player
            || Build.BRAND.startsWith(“generic”) && Build.DEVICE.startsWith(“generic”)
            || Build.PRODUCT == “google_sdk”)
} 

✅ Check developer options 

Hooking an app is as simple as enabling the developer settings on the device and connecting to the Android SDK tool. Hence, when the app is launched, we must determine whether the developer option is enabled or not by writing an extension function. 

fun isDevMode(context: Context): Boolean { 
    return when { 
        Build.VERSION.SDK_INT > Build.VERSION_CODES.JELLY_BEAN -> { 
            Settings.Secure.getInt( 
                context.contentResolver, 
                Settings.Global.DEVELOPMENT_SETTINGS_ENABLED, 0 
            ) != 0 
        } 
        Build.VERSION.SDK_INT == Build.VERSION_CODES.JELLY_BEAN -> { 
            @Suppress(“DEPRECATION”) 
            Settings.Secure.getInt( 
                context.contentResolver, 
                Settings.Secure.DEVELOPMENT_SETTINGS_ENABLED, 0 
            ) != 0 
        } 
        else -> false 
    } 
} 

✅ Check if the device is rooted  

The Util class is commonly used to determine whether a device is rooted, or the super user “SU” is enabled. 

private val binaryPaths = arrayOf(
    “/data/local/”,
    “/data/local/bin/”,
    “/data/local/tmp/”,
    “/data/local/xbin/”,
    “/sbin/”,
    “/su/bin/”,
    “/system/bin/”,
    “/system/bin/.ext/”,
    “/system/bin/failsafe/”,
    “/system/sd/xbin/”,
    “/system/usr/we-need-root/”,
    “/system/xbin/”,
    “/system/app/Superuser.apk”,
    “/cache”,
    “/data”,
    “/dev”,

    “/sbin/su”,
    “/system/bin/su”,
    “/system/xbin/su”,
    “/data/local/xbin/su”,
    “/data/local/bin/su”,
    “/system/sd/xbin/su”,
    “/system/bin/failsafe/su”,
    “/data/local/su”,
    “/su/bin/su”,
    “./frida-server”,
    “/data/local/tmp/frida-server”

) 

 When this class is called upon app launch, it checks to see whether any of the aforementioned binaries are present on the device and returns “rooted” if any are. 

✅ Integrate root detection library like RootBear 

RootBear is a popular open-source library that can be utilized in our app to detect root causes. 

implementation ‘com.scottyab:rootbeer-lib:0.1.0′ 

After adding this library in the app build Gradle file, it can be implemented in a base activity like: 

if (!BuildConfig.DEBUG && rootBeer.isRooted) {
    showRootedDeviceDialog(getString(R.string.device_rooted))
    isRootedDeviceBool = true
} else if (!BuildConfig.DEBUG && rootBeer.isRootedWithBusyBoxCheck) {
    showRootedDeviceDialog(getString(R.string.device_rooted))
    isRootedDeviceBool = true
} 

Now, all the steps discussed around a great way to prevent an Android app from being installed or functioning on a rooted device.  

But this is not all. There is more. 

There is another tool called ‘Frida’ that helps bypass all the above logics implemented in an app. 

Want to know how to block Frida? 

Stay tuned to our next blog! 

This article is authored by Sundaramanikandan.

Subscribe to our newsletter and get the latest fintech news, views, and insights, directly to your inbox.

Follow us on LinkedIn and Twitter for insightful fintech tales curated for curious minds like you.