Detecting if device is rooted systemlessly

Question

As systemless root is avaible for few years it became "harder" to detect if a device is rooted or not. I started looking for a possible solution to detect if a device is rooted systemlessly or not and I still can't figure out the solution. Checking if the file exists in given paths (in /system) has no point as it can't be there if a device is rooted systemlessly. Also looking for applications that manage root access may have no sense, as user may not have them installed / or just using other, not as popular as Magisk, SuperSu etc.

So, what I thought, is executing "su" command and then checking if the shell is running in root mode ("#") or not("$"). But how can I check in which mode it runs? As far as I know, after simply executing command:

       Runtime.getRuntime().exec("su");

Process is being killed because "SU user" is no longer used (?).

Simple view what I mean with adb usage:

user@user:~$ adb shell
device:/ $ su

if after executing this command it becomes:

device:/ #

would know if the device is rooted, if gave back "permission denied" would know that the device is not rooted. Can I achieve something like that in Android application?

Answer 1

There's no real way to tell for sure that a device isn't rooted. Even your test to see if su exists- they could always just rename the app to "super" instead of su. Or "foobar". Or use a custom version of the AOSP that hides whatever it is you're looking for. What you're trying to do is run in an untrusted environment you don't control and ask it if it can be trusted. That will never work. You can prove an environment is untrustworthy, you can't ever prove its trustworthy.

Answer 2

It's best to just use the SafetyNet api. While it cant tell root specifically, it will let you know the device is untrustworthy. the code is pretty simple as well.

val nonce = ByteArray(20)
SecureRandom().nextBytes(nonce)
SafetyNet.getClient(context).attest(nonce, API_KEY)
        .addOnSuccessListener(this) { response ->
            // Indicates communication with the service was successful.
            // Use response.jwsResult to get the result data.
            val resultParts = result.jwsResult.split(".")
            if (resultParts.size == 3) {
                val bytes = Base64Utils.decode(resultParts[1])
                val newString = String(bytes)
                val json = JSONObject(newString)
                    // Check json fields to see if device is secure
                    // NOTE best practice is to send this to server instead of handling locally.
                }
        }
        .addOnFailureListener(this) { e: Exception ->
            // An error occurred while communicating with the service.
            if (e is ApiException) {
                // An error with the Google Play services API contains some
                // additional details.
                // You can retrieve the status code using the
                // e.statusCode property.
            } else {
                // A different, unknown type of error occurred.
                Log.d(TAG, "Error: ${e.message}")
            }

        }

Here are the different checked scenarios. Please check out the android documentation

Answer 3

Adding on to Gabe Sechan's answer, detecting systemless roots consistently is next to impossible, due to the fact that root privileges could modify the software performing the check.

That being said, there is the proposed pull request to rootbeer, that should be able to detect Magisk using Unix Domain Sockets, at least until the method gets patched.