Are apps compromised in Android rooted devices?

Question

I am developing an app that handles sensitive data.

The app has a reasonable security model that includes encryption,SSL and data is not stored persistently on the device.

I am trying to determine whether my app is “safe” running on rooted devices or the fact that the device is rooted will make much easier to exploit/hack the app. So the question is: should an app handling sensitive data run on rooted devices?

I have done research but I have not seen any discussion about the safety of rooted devices though. I am aware that the methods to detect rooted devices could potentially been circumvented and thus what’s the point of not supporting rooted devices?

Answer 1

Are apps compromised in Android rooted devices? Yes they are.

Even on a non-rooted phone, there is still a possibility for the attackers to capture the vulnerabilities and take root control (GingerBreak is one of the show case). So there is no 100% the phone is not compromised even if it is not rooted by the users.

As you mentioned, the detections for root cannot be totally reliable as they can be bypassed. However, still if you detect the phone rooted, you should definitely block it. In case that you don't detect it, it doesn't mean the phone is not rooted and you still need to have security mechanism against the attacks for rooted phone.

There are a couple type of attacks that you may need to cope with: Man-In-The-Middle attacks, keyloggers, screencaptures, user-mode rootkits, kernel-mode rootkits, ...

The good news is that there are companies that make libraries for you to protect your apps against such type of attacks. They offer you solution to free yourself from headache as they will care abt it for you. V-Key is one of those, you can look at their website and consider if you want to buy their V-Guard product.

Answer 2

The biggest security concerns to apps on rooted devices are that:

1. Users can access your internal data directly
2. Other apps can access your app's private data

The best you can do is:

1. Encrypt your data in a manner that makes it hard to reverse engineer. If someone is after your data, you should work on the assumption that they have decompiled your app as well. Due to this, do all encryption/decryption on the server, and don't make your algorithms etc common knowledge
2. If you are supposed to store data on the device itself, make it obscure. So if you have to save an integer, don't save the raw value. Use something like savedValue = ((((realValue*10)+1)/365*23)*50)+1; This makes it hard for a hacker to edit your saved value and get a desired result, though since he/she would have decompiled your apk, it's a very basic protective measure.
3. Store as little high risk data as possible on the device. When needed, download it over a secure connection, display it and delete it even from the RAM. Also, keep confidential data in the memory for as little time as possible, as unencrypted data in the RAM can be read.
4. Make sure your encryption techniques aren't easy to brute force. As other apps can also access your data on rooted devices, there is a chance your data could be sent to a remote server for decryption, and such a server will have a lot more processing power than your mobile phones

These are just some suggestions I could think of. I am by no means a security expert, and you might want to consult one of those on this matter.