Mobile Root Detection (Android)
What is Mobile Root Detection (Android)?
Mobile Root Detection (Android)Defensive checks an Android app runs to determine whether it is executing on a rooted device — typically by probing for su binaries, Magisk files, busybox, dangerous build properties, or hardware-attested integrity verdicts.
Mobile root detection is the AppSec practice of checking, at runtime, whether the current Android device has been rooted — meaning a user or attacker can obtain superuser privileges and therefore inspect or modify app state. Detection techniques include filesystem checks for `/system/xbin/su`, `/system/bin/su`, `/sbin/su`, `magisk`, `superuser.apk`; mount-options checks (looking for `rw` on partitions that should be read-only); build-property checks (`ro.debuggable=1`, test-keys); installed-package checks (`com.topjohnwu.magisk`, `com.koushikdutta.superuser`); and process-list / loaded-library checks for Frida and Xposed. Because all of these can be defeated by sufficiently determined attackers using Magisk DenyList or Zygisk hooks, modern best practice is to combine local heuristics with server-side hardware attestation (Play Integrity API STRONG verdicts) and to treat root detection as a signal in an anti-fraud score rather than as a hard gate that blocks legitimate users with custom ROMs they trust. OWASP MASVS controls MSTG-RESILIENCE-1 through 4 codify this layered approach.
● Examples
- 01
A mobile banking app combines several local root indicators with a Play Integrity STRONG-verdict server-side check and only blocks transactions when both fail.
- 02
An anti-cheat library hooks the linker to detect Frida-server presence and reports the finding to the game's backend rather than aborting locally.
● Frequently asked questions
What is Mobile Root Detection (Android)?
Defensive checks an Android app runs to determine whether it is executing on a rooted device — typically by probing for su binaries, Magisk files, busybox, dangerous build properties, or hardware-attested integrity verdicts. It belongs to the Mobile Security category of cybersecurity.
What does Mobile Root Detection (Android) mean?
Defensive checks an Android app runs to determine whether it is executing on a rooted device — typically by probing for su binaries, Magisk files, busybox, dangerous build properties, or hardware-attested integrity verdicts.
How does Mobile Root Detection (Android) work?
Mobile root detection is the AppSec practice of checking, at runtime, whether the current Android device has been rooted — meaning a user or attacker can obtain superuser privileges and therefore inspect or modify app state. Detection techniques include filesystem checks for `/system/xbin/su`, `/system/bin/su`, `/sbin/su`, `magisk`, `superuser.apk`; mount-options checks (looking for `rw` on partitions that should be read-only); build-property checks (`ro.debuggable=1`, test-keys); installed-package checks (`com.topjohnwu.magisk`, `com.koushikdutta.superuser`); and process-list / loaded-library checks for Frida and Xposed. Because all of these can be defeated by sufficiently determined attackers using Magisk DenyList or Zygisk hooks, modern best practice is to combine local heuristics with server-side hardware attestation (Play Integrity API STRONG verdicts) and to treat root detection as a signal in an anti-fraud score rather than as a hard gate that blocks legitimate users with custom ROMs they trust. OWASP MASVS controls MSTG-RESILIENCE-1 through 4 codify this layered approach.
How do you defend against Mobile Root Detection (Android)?
Defences for Mobile Root Detection (Android) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Mobile Root Detection (Android)?
Common alternative names include: Root detection, Android root check.
● Related terms
- mobile-security№ 1056
Rooting (Android)
Gaining unrestricted superuser (root) privileges on an Android device, bypassing the protections enforced by the Linux kernel, SELinux, and the Android verified boot chain.
- mobile-security№ 777
Mobile Jailbreak Detection (iOS)
Runtime checks an iOS app performs to determine whether the device has been jailbroken — looking for Cydia/Sileo/Zebra files, suspicious URL schemes, write access outside the sandbox, or App Attest disagreement.
- mobile-security№ 499
Google Play Integrity API
Google's server-side device-and-app attestation API for Android, the successor to SafetyNet Attestation, used by apps to verify they are running on a genuine, unmodified device with the official, Play-distributed binary.
- mobile-security№ 772
Mobile App Security
The practice of designing, building, and testing iOS and Android applications to protect user data, prevent reverse engineering, and resist runtime tampering.
- mobile-security№ 481
Frida Dynamic Instrumentation
An open-source dynamic instrumentation toolkit by Ole André Vadla Ravnås that lets researchers hook, trace, and rewrite functions inside running processes on Android, iOS, Windows, macOS, and Linux — the de facto tool for mobile app reverse engineering and bypass research.
- compliance№ 871
OWASP MASVS
The OWASP Mobile Application Security Verification Standard, a baseline of testable security requirements for iOS and Android mobile applications.