Page 39 - MSDN Magazine, May 2018

security risks associated with rooted devices, the guidelines recommend that mobile app developers implement root detection and a response mechanism to quarantine the app (bit.ly/2H5ymge). Here's the relevant text from section 4.3 (emphasis added):
[T]he device should be monitored for activities that defeat operating system security controls—e.g., jailbreaking or rooting—and, when detected, the device should be quarantined by a solution that removes it from the network, removes the payment-acceptance application from the device, or disables the payment application. Offline jailbreak and root detection and auto-quarantine are key since some attackers may attempt to put the device in an offline state to further circumvent detection.
In addition to the risks of a legitimate user operating the app in a rooted environment, such an environment can also indicate a malicious user attempting to reverse engineer the app. Attackers frequently use rooted devices to study apps and create tampered versions of them, which they then fill with malware. The Open Web Application Security Project (OWASP) lists code tampering as one of the Top 10 Mobile Risks (M8 in the 2016 list, bit.ly/2GNbd4o) and specifically calls out root detection and response as a way to combat this risk. Not doing so, according to OWASP, can lead to reputational damage and lost profits.
Root Checks
Detecting rooted devices can be challenging. A device can be rooted using many different techniques, and the set of available techniques changes over time and across Android versions. As a result, root detection code must constantly evolve and adapt. This is compounded by the fact that some malicious rooting techniques attempt to conceal their use, so good root detection code must also address these countermeasures. Maintaining up-to-date root detection code is tricky and may not be where you want to spend your limited resources.
Luckily, you don't have to write your own code to detect rooting. PreEmptive Protection - Dotfuscator Community Edition (CE), which is included with Visual Studio 2017 for Windows, can inject Root Checks into your Xamarin.Android apps. Root Checks detect rooted environments, even when the device is offline. In addition to a standard "exit the app" action, you can configure the Checks to respond to rooting by calling customized app code.
Just like Xamarin itself, Root Checks reduce complexity, cost and risk compared to rolling your own implementation. Keep Dotfuscator up-to-date and let it handle the root detection, and get back to work on the interesting parts of your app quicker.
Sample Scenario
To demonstrate Root Checks, I've provided a sample app called Protected-TodoAzureAuth. It's based on an existing Xamarin.Forms sample, TodoAzureAuth (bit.ly/2InvU48), originally written by David Britch.
The remainder of this article explains the app, the protection strategy I applied to it, and how I applied that strategy with Root Checks. You can use this case study, as well as additional scenarios included in the sample's GitHub repository (bit.ly/2GQutOv), to learn approaches to Root Checks you can then apply to your own Xamarin.Android apps.
Original Sample: TodoAzureAuth connects to a Microsoft Azure Mobile App instance, enabling users to view and modify a shared to-do list. To demonstrate how to perform authentication in a Xamarin app, the sample requires the user to log in with a Google account before accessing the to-do list.
The app begins on the Login Page, which has no fields, just a Login button. When the user selects this button, the app delegates the login process to Google's OAuth system, which may require the user to enter credentials, including a password. As a result, the app itself never handles the credentials. Once the user has logged in, the app displays the Todo List Page, allowing the user to access the shared to-do list. The user can log out and return to the Login Page by selecting the Logout button.
Protection Strategy: For this article, I treated the TodoAzureAuth Android project, TodoAzure.Droid, as if it were handling sensitive data, like a PCI-compliant app would. I implemented an appropriate protection strategy by using Dotfuscator CE to inject a Root Check into the app, producing a protected version of the app, Protected-TodoAzureAuth.
In the protected app, when the user selects the Login button, the Root Check activates. If the app is running on a rooted device, the Check records in local storage that the app is disabled and then exits abruptly. All further attempts to run the app will also exit after a short error message, even if the device is no longer rooted, because the disabled status persists on the device. Figure 1 shows an overview of the app protected by this strategy.
Figure 1 Overview of the Protected-TodoAzureAuth Sample App
[Diagram; legend distinguishes Control Flow, Security Controls and Data Flow. On the Device: App Start reads App Disable Status (Local Storage); if the app is disabled, show an error and exit; otherwise show the Login Page. The Login button triggers the Root Check; if rooting is detected, write App Disable Status and exit; otherwise proceed to the Todo List Page. Over the Internet: Google OAuth (Credential Entry) for login, and the Azure Mobile App Instance backing the Todo List Page.]
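To make the two halves of the strategy in Figure 1 concrete, here is an added C# illustration for a Xamarin.Android project. It is not the article's sample code and not Dotfuscator's injected Check; it is the kind of hand-rolled detector the "Root Checks" section warns is hard to keep current, paired with the persistent "disable app and exit" response the Protection Strategy describes. The su paths, superuser package names, preference file name and key are assumptions chosen for this example.

```csharp
// Added illustration, not Dotfuscator's code: a heuristic root check plus the
// "disable and exit" quarantine from Figure 1. The paths, package names and
// preference key below are commonly cited indicators chosen for this example.
using System;
using System.IO;
using System.Linq;
using Android.App;
using Android.Content;
using Android.Content.PM;
using Android.OS;
using Android.Widget;

namespace ProtectedTodoAzureAuth.Droid
{
    public static class RootCheckPolicy
    {
        // Hypothetical preference file and key that persist the quarantine flag.
        const string PrefsName = "rootcheck.prefs";
        const string DisabledKey = "app_disabled";

        // Well-known locations of the su binary left behind by most rooting methods.
        static readonly string[] SuPaths =
        {
            "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
            "/data/local/xbin/su", "/data/local/bin/su", "/data/local/su",
            "/system/sd/xbin/su", "/system/bin/failsafe/su",
        };

        // Superuser-management apps commonly installed on rooted devices.
        static readonly string[] SuperuserPackages =
        {
            "eu.chainfire.supersu", "com.topjohnwu.magisk",
            "com.noshufou.android.su", "com.koushikdutta.superuser",
        };

        // Heuristic detection. Each signal alone is weak, root-hiding tools try to
        // defeat all of them, and the lists go stale: exactly the maintenance burden
        // the article says you should hand off to a regularly updated Check.
        public static bool LooksRooted(Context ctx)
        {
            // 1. Builds signed with the public AOSP test keys usually mean a custom ROM.
            bool testKeys = (Build.Tags ?? string.Empty).Contains("test-keys");

            // 2. An su binary is present on the filesystem.
            bool suBinary = SuPaths.Any(File.Exists);

            // 3. A known superuser manager is installed.
            bool suManager = SuperuserPackages.Any(pkg => IsInstalled(ctx, pkg));

            return testKeys || suBinary || suManager;
        }

        static bool IsInstalled(Context ctx, string packageName)
        {
            try
            {
                ctx.PackageManager.GetPackageInfo(packageName, PackageInfoFlags.Activities);
                return true;
            }
            catch (PackageManager.NameNotFoundException)
            {
                return false;
            }
        }

        static ISharedPreferences Prefs(Context ctx) =>
            ctx.GetSharedPreferences(PrefsName, FileCreationMode.Private);

        // App-private storage, so the status is available offline (Figure 1,
        // "App Disable Status (Local Storage)").
        public static bool IsDisabled(Context ctx) =>
            Prefs(ctx).GetBoolean(DisabledKey, false);

        // Call from the first Activity's OnCreate (Figure 1, "App Start"): a
        // quarantined install shows a short error and exits, even if the device
        // has since been un-rooted.
        public static void EnforceAtStartup(Activity activity)
        {
            if (!IsDisabled(activity)) return;
            Toast.MakeText(activity, "This app has been disabled.", ToastLength.Long).Show();
            // Finish the task rather than kill the process so the toast gets to render.
            activity.FinishAffinity();
        }

        // Call from the Login button handler (Figure 1, "Root Check"): persist the
        // disabled flag first so the quarantine survives a reboot, then exit abruptly.
        public static void EnforceAtLogin(Activity activity)
        {
            if (!LooksRooted(activity)) return;
            // Commit() is synchronous; Apply() could lose the write if we exit right away.
            Prefs(activity).Edit().PutBoolean(DisabledKey, true).Commit();
            activity.FinishAffinity();
            Java.Lang.JavaSystem.Exit(0);
        }
    }
}
```

Two caveats a practitioner would want. First, the detector is a fixed list, so a new rooting method or a root-hiding module that renames su and hides packages defeats it silently; that is the article's argument for an injected Check that is updated with the tool rather than with your release schedule. Second, the disabled flag lives in app-private storage, which an attacker who already has root can clear; it raises the cost of tampering and satisfies the offline-quarantine requirement in the PCI text, but it is not a security boundary by itself.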