Summary

Mobile applications must check whether the device on which they will run is rooted.

Description

Rooting is a process that grants mobile device users privileged control over the device's system. Applications running on such devices are susceptible to technical information leaks (database connection strings, source code, certificates, etc.). Therefore, applications must check whether the device is rooted and inform the user about the associated risks, or prevent its own execution.

Supported In

This requirement is verified in following services

References

• OWASP-M TOP 10-M8. Code tampering
• MITRE ATT&CK®-M1034. Limit hardware installation
• CMMC-MP_L2-3_8_7. Removable media
• HITRUST CSF-13_m. Accuracy and quality
• FedRAMP-CM-7_5. Least functionality - Authorized software, whitelisting
• ISO/IEC 27002-7_9. Security of assets off-premises
• ISO/IEC 27002-8_26. Application security requirements
• ISSAF-S_5_8. Web server security - Countermeasures (run as a non-root user)
• CWE™-693. Protection mechanism failure
• ISO/IEC 27001-7_9. Security of assets off-premises
• ISO/IEC 27001-8_26. Application security requirements

Vulnerabilities

• 048.Lack of root detection
• 279.Root detection control bypass

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.