Rating: Medium
Description:
The Android root detection check is solely implemented in the LauncherActivity of the app. Therefore, detection is only possible at the start of the app and can also be completely circumvented by directly calling the MainActivity as root user. Depending on the intention of implementing root detection, this implementation might be sufficient to warn users about the risk but should not be considered to be enough to prevent app usage on rooted devices.
Proof of Concept:
The following code snippet is an excerpt from de.rki.coronawarnapp.ui.LauncherActivity which shows the location in which the check is implemented.
[...]
class LauncherActivity : AppCompatActivity() {
    companion object {
        private val TAG: String? = LauncherActivity::class.simpleName
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val rootBeer = RootBeer(applicationContext)
        // if root is enabled the user isn't allowed to use the app
        if (rootBeer.isRooted) {
            Log.i(TAG, "Device is rooted")
            startRootedActivity()
        } else {
            Log.i(TAG, "Device is very probably not rooted")
            // the check is only reached here, on the launcher path;
            // MainActivity itself never re-evaluates it
            if (LocalData.isOnboarded()) {
                startMainActivity()
            } else {
                startOnboardingActivity()
            }
        }
    }
[...]
The check can therefore be circumvented by directly calling
am start -n de.rki.coronawarnapp/de.rki.coronawarnapp.ui.main.MainActivity
as a root user on the device (as the activity is not exported and as such requires highest permissions).
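One way to make the warning consistent rather than launcher-only, as an added example that is not part of the report or of the CWA code base: move the RootBeer check into a shared base activity so every screen evaluates it in its own onCreate. The class names RootAwareActivity and onRootDetected are assumptions for this illustration; the check still runs inside the app process and therefore only raises the bar for the warn-only intent described above, not against a root user who instruments or cloaks the process.

```kotlin
// Added example (not project code): a base activity that performs the
// root check on every screen instead of only in LauncherActivity.
import android.os.Bundle
import android.util.Log
import android.widget.Toast
import androidx.appcompat.app.AppCompatActivity
import com.scottyab.rootbeer.RootBeer

abstract class RootAwareActivity : AppCompatActivity() {
    companion object {
        private const val TAG = "RootAwareActivity"
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Re-evaluated in each activity, so starting MainActivity directly
        // (bypassing the launcher) still reaches the warning path.
        if (RootBeer(applicationContext).isRooted) {
            Log.i(TAG, "Device is rooted; warning user in ${javaClass.simpleName}")
            onRootDetected()
        }
    }

    // Warn-only hook, matching the stated intention of the app:
    // subclasses can override it to show a dedicated dialog or screen.
    protected open fun onRootDetected() {
        Toast.makeText(
            this,
            "This device appears to be rooted; some protections may not apply.",
            Toast.LENGTH_LONG
        ).show()
    }
}

// Every user-facing activity extends the base class instead of
// AppCompatActivity directly (hypothetical usage).
class MainActivity : RootAwareActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // regular MainActivity setup follows
    }
}
```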
The intention is to only warn the user and not to safeguard the application completely.
More elaborate handling could be part of a future version of the application.
The intention is to only warn the user and not to safeguard the application completely.
I'd like to emphasize that warning is the way to go for the root detection!
Blocking rooted devices would even reduce the security for some users.
Smartphones older than 3 or 4 years can only be patched against current security vulnerabilities by using a custom ROM. And installing a custom ROM usually requires root permissions.
(sometimes root permissions can be dropped partially after installing a custom ROM, but not always)
I'd like to add that with the use of the Drozer Framework as well as with the use of Xposed and root cloaking, the blocking of rooted devices probably wouldn't work too well. Especially since the code base is open source.
Hello @BSI-TF-CWA,
as the root detection was removed from scope for the time being, I am closing this issue since it does not seem applicable anymore. If you still consider this of importance nevertheless, please reopen the issue and let us know. Afaik root detection with the intention to warn users of the implications might be introduced again in a later version.
Thanks and best,
Marc
Hello @BSI-TF-CWA,
as the root detection was removed from scope for the time being, I am closing this issue since it does not seem applicable anymore.
Totally fine for me.
Actually I don't consider root detection useful, because a virus/attacker would mostly gain root permissions in a way which wouldn't be detectable.
(consider root to be like a god and if a god really doesn't want to be seen, s*he won't be seen - it's kind of like the halting problem)
So root detection only detects if the user accesses root permissions in a standard way.