
Root detection control bypass


It is possible to reverse engineer the application and disable detection of rooted devices.


Avoid the application's detection of rooted devices.


Implement an integrity check on the application so that it cannot be used if it has been modified.


Attacker with access to APK.

Expected Remediation Time

⌚ 450 minutes.


Default score using CVSS 3.1. It may change depending on the context of the src.


  • Attack vector: N
  • Attack complexity: H
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N


  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X


  • Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 3.7
    • Temporal: 3.7
  • Severity:
    • Base: Low
    • Temporal: Low

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

  • Attack vector: N
  • Attack complexity: H
  • Attack Requirements: N
  • Privileges required: N
  • User interaction: N
  • Confidentiality (VC): N
  • Integrity (VI): L
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: X

Result 4.0

  • Vector string: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X
  • Score:
    • CVSS-BT: 6.3
  • Severity:
    • CVSS-BT: Medium

Compliant code

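A function is implemented to check whether the source code has been altered before running the app. A possible option is to include an MD5 hash within the code, generated at each build, and to add a check that ensures this hash is the same as the one stored before running the app.

import java.io.File;
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.MessageDigest;

// expectedSha: hex SHA-1 of the APK recorded at build time (assumption: supplied by the caller)
public static boolean checkApkSha(String expectedSha) {
    String apkPath = appExample.getInstance().getPackageCodePath();
    try (FileInputStream fis = new FileInputStream(new File(apkPath))) {
        MessageDigest msgDigest = MessageDigest.getInstance("SHA-1");
        byte[] bytes = new byte[1024];
        int byteCount;
        // Hash the installed APK in 1 KB chunks
        while ((byteCount = fis.read(bytes)) > 0) {
            msgDigest.update(bytes, 0, byteCount);
        }
        BigInteger bi = new BigInteger(1, msgDigest.digest());
        // Numeric comparison avoids mismatches caused by dropped leading zeros in hex strings
        return bi.equals(new BigInteger(expectedSha, 16));
    } catch (Exception e) {
        // Fail closed: any error counts as a failed integrity check
        return false;
    }
}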
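The build-side half of the check described above, as an added example that is not part of the original page: it records a digest per APK entry at build time and later reports which entries differ. It assumes SHA-256 instead of the MD5/SHA-1 named on the page, a manifest kept outside the APK (a file cannot contain its own hash), and a constructed zip as a stand-in for a real APK; all function names are hypothetical.

```python
import hashlib
import hmac
import io
import zipfile


def entry_digests(apk_bytes):
    """Return {entry name: SHA-256 hex digest} for every file inside the APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return {name: hashlib.sha256(apk.read(name)).hexdigest()
                for name in apk.namelist()}


def changed_entries(apk_bytes, manifest):
    """Compare an APK against the build-time manifest; return entries that differ."""
    current = entry_digests(apk_bytes)
    findings = []
    for name in sorted(set(manifest) | set(current)):
        if name not in current:
            findings.append((name, "removed"))
        elif name not in manifest:
            findings.append((name, "added"))
        elif not hmac.compare_digest(manifest[name], current[name]):
            findings.append((name, "modified"))
    return findings


def build_sample_apk(dex_payload):
    """Constructed stand-in for an APK: a zip holding a manifest and a classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest package='com.example.app'/>")
        apk.writestr("classes.dex", dex_payload)
    return buf.getvalue()


if __name__ == "__main__":
    release = build_sample_apk(b"dex rootCheck=enabled")      # constructed sample
    manifest = entry_digests(release)                         # recorded by the build step
    repackaged = build_sample_apk(b"dex rootCheck=disabled")  # constructed sample
    print(changed_entries(release, manifest))      # []
    print(changed_entries(repackaged, manifest))   # [('classes.dex', 'modified')]
```

Running the comparison on the server or in the release pipeline keeps the expected digests out of reach of anyone who only has the APK.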

Non compliant code

Source code could be executed after vulnerable adjustments because of an incorrectly implemented integrity check.

import android.util.Log;
import java.io.IOException;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

public static boolean checkDexCrcValue() {
    String apkPath = BaseApplication.getInstance().getPackageCodePath();
    Long dexCrc = Long.parseLong(QianJinSuoApplication.getInstance().getString(R.string.classesdex_crc));
    try {
        ZipFile zipfile = new ZipFile(apkPath);
        ZipEntry dexentry = zipfile.getEntry("classes.dex");
        // The CRC32 check could be bypassed anyway because of debugging code included in the function
        Log.i("checkDexCrcValue", "classes.dexcrc=" + dexentry.getCrc());
        if (dexentry.getCrc() == dexCrc) {
            return true;
        }
    } catch (IOException e) {
        return false;
    }
    return false;
}


