Root Detection
| Plan | Platforms | MASVS |
|---|---|---|
| Free | Android | MASVS-RESILIENCE-1 |
Overview
Root Detection identifies Android devices whose security model may have been weakened by root access, modified system images, root-management tooling, or related device changes. Rooted devices can undermine Android's app sandbox, expose local app data, enable runtime manipulation, and make network or integrity controls easier to attack.
When root risk is detected, AppTego applies your configured response. You can log the event, warn the user, restrict sensitive flows, redirect to support guidance, or close the app.
When To Use It
Use this control for apps that handle:
- Financial transactions, wallets, payments, lending, or insurance workflows.
- Healthcare, identity, government, enterprise, or regulated data.
- DRM, paid content, licensing, or anti-cheat protections.
- Authentication or approval flows where local device compromise changes risk.
How It Works
The protected app evaluates multiple categories of Android device-integrity signals during startup. These include system state, installed tooling, device configuration, and environment indicators associated with root or modified operating systems.
AppTego does not publish exact root signatures, file paths, package lists, scoring weights, or inspection order. Those details are protection logic and may change as Android versions, OEM behavior, and root-hiding techniques evolve.
How to Enable the Control
In the AppTego portal, navigate to Detection & Response and expand the Device Compromise Detection section, where you will find the Root Detection control. Click Enable Configuration, choose the response action, and save the configuration. It is applied with the next build, or with a live push if that is enabled.
API Configuration Example
```json
{
  "RootDetectionResponse": {
    "detection": true,
    "action": "alert",
    "title": "Device Security Warning",
    "message": "This device appears to be modified. For your security, some features may be unavailable.",
    "buttons": ["OK"],
    "actions": ["log"],
    "redirects": [""]
  }
}
```
| Field | Purpose |
|---|---|
| detection | Enables or disables root detection. |
| action | Selects the response style, such as alert, close, log, or warn. |
| title / message | User-facing text shown when a response is displayed. |
| buttons / actions / redirects | Defines the available response buttons and their outcomes. |
Response Strategy
| App risk level | Suggested handling |
|---|---|
| Low-risk consumer flows | Log the event or display a warning. |
| Account recovery, login, wallet, payment, or approval flows | Restrict the sensitive action or require additional verification. |
| Regulated or high-value apps | Close the app or block access when root risk is detected. |
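A pre-build check of a `RootDetectionResponse` block against the table above, written as an added example and not AppTego code. The tier names, the strength ordering of actions, the index alignment of `buttons`/`actions`/`redirects`, and the idea that `alert` and `warn` display the title and message are assumptions of this example.

```python
import json

# Action names the page lists ("such as ..."), so the set may be incomplete.
# The strength ordering is an assumption of this example, not AppTego's.
ACTION_RANK = {"log": 0, "warn": 1, "alert": 1, "close": 2}
# Hypothetical tier names for the three rows of the Response Strategy table.
MIN_RANK = {"low": 0, "sensitive": 1, "high": 2}
PARALLEL_FIELDS = ("buttons", "actions", "redirects")


def lint_root_config(raw_json, risk_tier):
    """Return a list of findings for one RootDetectionResponse block."""
    findings = []
    try:
        block = json.loads(raw_json)["RootDetectionResponse"]
    except (ValueError, KeyError, TypeError):
        block = None
    if not isinstance(block, dict):
        return ["config is not valid JSON or has no RootDetectionResponse block"]
    if block.get("detection") is not True:
        findings.append("detection is not enabled")

    action = block.get("action")
    if action not in ACTION_RANK:
        findings.append(f"action {action!r} is not one of the values the page lists")
    elif ACTION_RANK[action] < MIN_RANK[risk_tier]:
        findings.append(f"action {action!r} is weaker than suggested for a {risk_tier} app")

    # Assumption: alert and warn show title/message, so both need text.
    if action in ("alert", "warn"):
        for field in ("title", "message"):
            if not str(block.get(field) or "").strip():
                findings.append(f"{field} is empty but action {action!r} shows text")

    # Assumption: the three arrays are index-aligned, as in the page's sample.
    lengths = {f: len(block.get(f) or []) for f in PARALLEL_FIELDS}
    if len(set(lengths.values())) > 1:
        findings.append(f"buttons/actions/redirects lengths differ: {lengths}")
    return findings


# Constructed sample: the page's config with a second button but no outcome for it.
SAMPLE = json.dumps({"RootDetectionResponse": {
    "detection": True, "action": "alert", "title": "Device Security Warning",
    "message": "This device appears to be modified.",
    "buttons": ["OK", "Help"], "actions": ["log"], "redirects": [""]}})

if __name__ == "__main__":
    for tier in MIN_RANK:
        print(tier, lint_root_config(SAMPLE, tier))
```

Run it in CI with the tier that matches the app, and fail the build when the returned list is not empty.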
Compatibility Notes
- Custom ROMs, enterprise test devices, and power-user devices can create false positives. Review telemetry before enforcing a hard block broadly.
- Root-hiding tools are designed to conceal indicators. No on-device root detection should be treated as a perfect guarantee.
- Detection is strongest when combined with Play Integrity, App Tamper Detection, Debuggable Detection, Hook Detection, certificate pinning, and server-side fraud monitoring.
- Use a development configuration for rooted QA devices so internal testing does not look like a production attack.