Lack of Jailbreak/Root Check in Android
Play Android Labs on this vulnerability with SecureFlag!
Prevention
For this reason, developers might consider augmenting applications destined for Android devices with a root status detection function that, in the event of a root identification, either shuts down the application or at the very least notifies the user.
Checking whether a device is rooted or not is not easy due to the vast variability of devices. Thus, developers are advised against implementing their own in-house root detection mechanism; instead, a third-party library stocked with (hopefully) an extensive list of checks should be used.
RootBeer is one of such libraries. As you can see, its usage is quite straightforward:
RootBeer rootBeer = new RootBeer(context);
if (rootBeer.isRooted()) {
// TODO notify the user or shutdown
}
Keep in mind, however, that this is a best-effort endeavor, so much so that it is perhaps more apt to switch terms and adopt “root indication” instead of “root detection”.
Also note that in a real world application any root detection approach should be paired with a strong anti-tampering protection to avoid that the used could patch the application and remove the root check.