 

How to detect rooted/jailbroken Android device

In my Android application, I want to provide a specific feature only to rooted devices. Is checking whether I can run superuser commands the only way to do this? Is this check enough? Are there more ways to detect a jailbroken Android device?

bianca asked Jan 22 '26 16:01


1 Answer

For those people still wondering how to detect rooted devices, there is now a way to do so.

You may now use the SafetyNet Attestation API.

Here is the link to the documentation.

Here is a snippet of how to use the API taken from the documentation.

// The nonce should be at least 16 bytes in length.
// You must generate the value of API_KEY in the Google APIs dashboard.
SafetyNet.getClient(this).attest(nonce, API_KEY)
    .addOnSuccessListener(this,
        new OnSuccessListener<SafetyNetApi.AttestationResponse>() {
            @Override
            public void onSuccess(SafetyNetApi.AttestationResponse response) {
                // Indicates communication with the service was successful.
                // Use response.getJwsResult() to get the result data.
            }
        })
    .addOnFailureListener(this, new OnFailureListener() {
        @Override
        public void onFailure(@NonNull Exception e) {
            // An error occurred while communicating with the service.
            if (e instanceof ApiException) {
                // An error with the Google Play services API contains some
                // additional details.
                ApiException apiException = (ApiException) e;
                // You can retrieve the status code using the
                // apiException.getStatusCode() method.
            } else {
                // A different, unknown type of error occurred.
                Log.d(TAG, "Error: " + e.getMessage());
            }
        }
    });

To use the following API, you will have to generate an API Key from the Google API Console. This key is what you pass to the .attest() method.

Also add the SafetyNet Dependency.

implementation 'com.google.android.gms:play-services-safetynet:15.0.1'

See https://developers.google.com/android/guides/setup for the latest dependency version.

The API returns the following:

{
  "nonce": "R2Rra24fVm5xa2Mg",
  "timestampMs": 9860437986543,
  "apkPackageName": "com.package.name.of.requesting.app",
  "apkCertificateDigestSha256": ["base64 encoded, SHA-256 hash of the
                              certificate used to sign requesting app"],
  "apkDigestSha256": ["base64 encoded, SHA-256 hash of
                  the APK installed on a user's device"],
  "ctsProfileMatch": true,
  "basicIntegrity": true
}

Where ctsProfileMatch and basicIntegrity indicate the integrity of the device.

Archie G. Quiñones answered Jan 26 '26 09:01
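Once the string from response.getJwsResult() has been sent to a server and its signature verified there, the payload fields shown in the answer still have to be compared with what the server expects. The following Python is an added example, not part of the answer or of Google's documentation; the function names, the two-minute freshness window and the treatment of `nonce` as the base64 form of the bytes passed to attest() are assumptions.

```python
import base64
import hmac
import json
import time

def _b64url_decode(part):
    # JWS segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def check_attestation_payload(jws, expected_nonce, expected_package,
                              now_ms=None, max_age_ms=120_000):
    """Return the list of failed checks (empty list = payload acceptable).
    Assumption: the JWS signature and certificate chain were already
    verified by the caller; nothing here authenticates the token.
    """
    parts = jws.split(".")
    if len(parts) != 3:
        return ["malformed JWS"]
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return ["undecodable payload"]
    if not isinstance(payload, dict):
        return ["payload is not a JSON object"]
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    failures = []
    # Assumption: "nonce" is the base64 form of the bytes given to attest().
    try:
        nonce = base64.b64decode(payload.get("nonce", ""), validate=True)
    except (ValueError, TypeError):
        nonce = b""
    if not hmac.compare_digest(nonce, expected_nonce):
        failures.append("nonce mismatch")  # token was issued for another request
    ts = payload.get("timestampMs")
    if not isinstance(ts, int) or abs(now_ms - ts) > max_age_ms:
        failures.append("stale or missing timestamp")
    if payload.get("apkPackageName") != expected_package:
        failures.append("unexpected package")
    # Require literal True: an absent or non-boolean field counts as failure.
    for field in ("ctsProfileMatch", "basicIntegrity"):
        if payload.get(field) is not True:
            failures.append(field + " is not true")
    return failures

def make_sample_jws(payload):
    # Constructed test token: JWS shape only, with a placeholder signature.
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(b'{"alg":"RS256"}'),
                     enc(json.dumps(payload).encode()), enc(b"not-a-signature")])
```

The nonce passed as `expected_nonce` should be the one the server generated for this request, so that a captured response cannot be reused.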


