Page 38 - MSDN Magazine, May 2018
SECURITY
Detect and Respond to Rooted Android Devices from Xamarin Apps
Joe Sewell
In last November’s issue, I illustrated how you can use Runtime Checks, a code injection feature included with Visual Studio 2017, to protect your .NET Framework apps from unauthorized use of a debugger, as well as from tampering (msdn.com/magazine/mt845626). Since then, a new type of Check has become available. The Root Check detects when a Xamarin.Android app is running on a “rooted” device—one that allows ordinary apps to act with administrator permissions (root access).
In this follow-up article, I explain why rooted devices pose a risk that all Android developers must understand; detail how Xamarin.Android developers can use Root Checks to detect and respond to that risk; and demonstrate best practices with an example scenario.
Why You Need to Protect Against Rooting
The Xamarin platform allows you to efficiently create mobile apps for Android, iOS and Windows devices. Developers familiar with .NET languages like C# can take that knowledge and apply it to the mobile space. Technologies like Xamarin.Forms abstract away many of the differences between platforms, reducing the complexity, cost and risk of developing cross-platform apps. By keeping your Xamarin tools up-to-date, you can continue to support new versions and features of each platform.
However, some platform-specific aspects of mobile development do deserve a developer’s attention. One such aspect is security. Each platform has unique security risks and a unique security model to address those risks. For example, the permission systems differ among platforms and sometimes even among versions of the same platform.
For Android apps, rooted devices are a particularly important security concern. Such devices have been modified to allow apps to break out of the normal security sandbox that the OS imposes. This can expose the device to many dangers, such as malware and password-stealing keyloggers. Often, users root their devices to solve some problem—like wanting a version of an app that’s not normally available for their device—without realizing the severity of these threats. In other cases, a user may not even be aware that the device is rooted and thus vulnerable.
Last September, the Payment Card Industry Security Standards Council (PCI SSC) issued version 2.0 of the Mobile Payment Acceptance Security Guidelines for Developers. To combat the
This article relies on a preview version of Dotfuscator Community Edition version 5.35. All information is subject to change.
This article discusses:
• Why PCI and OWASP advise that Android apps detect and respond to rooted devices
• How to use Root Checks to protect Xamarin apps on Android
Technologies discussed:
Xamarin, Android, Runtime Checks, Dotfuscator Community Edition, Visual Studio 2017
Code download available at:
bit.ly/2GQutOv