Insecure root detection implementation

Description

The vulnerability was found in a Brazilian insurance Android app. The app used a splash activity to stop rooted devices from going any further, but the check could be bypassed without advanced technical knowledge by following a deeplink that launched an Activity placed after the splash screen.

In fact, the app only verified the device status at launch.
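To make the weakness concrete, here is an added Kotlin example (not the insurance app's code, whose source is not on this page) contrasting the pattern described above with a hardened one. The weak version performs the root check only in the launcher/splash activity; the hardened version moves the gate into a base class that every activity extends, so an activity opened directly through a VIEW/BROWSABLE deeplink is checked exactly like the splash screen. The activity names, the `R.layout.*` resources, the `BlockedActivity` fallback and the small `DeviceIntegrity` heuristic are all assumptions made for the example; a production app would combine several signals (for instance a remote attestation such as Play Integrity) rather than rely on file-existence checks alone.

```kotlin
// Added example, not code from the app described on this page.
// Assumes AndroidX AppCompat; all class names and layouts are illustrative.
package com.example.rootcheck

import android.content.Intent
import android.os.Build
import android.os.Bundle
import androidx.appcompat.app.AppCompatActivity
import java.io.File

// Minimal heuristic root check (assumed, illustrative only). Real apps should
// layer several signals, including server-verified attestation.
object DeviceIntegrity {
    private val suPaths = listOf(
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"
    )

    fun looksRooted(): Boolean =
        Build.TAGS?.contains("test-keys") == true ||
        suPaths.any { File(it).exists() }
}

// WEAK: the check lives only in the launcher activity. Any other exported
// activity (for example a deeplink target) is reachable without ever running it.
class SplashActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        if (DeviceIntegrity.looksRooted()) {
            startActivity(Intent(this, BlockedActivity::class.java))
            finish()
            return
        }
        startActivity(Intent(this, MainActivity::class.java))
        finish()
    }
}

// HARDENED: every screen inherits the gate, so opening DeepLinkTargetActivity
// directly via "scheme://host?parameter=value" is blocked the same way.
abstract class GuardedActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        if (DeviceIntegrity.looksRooted()) {
            // Clear the task so Back cannot navigate into app content.
            val blocked = Intent(this, BlockedActivity::class.java)
                .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK or Intent.FLAG_ACTIVITY_CLEAR_TASK)
            startActivity(blocked)
            finish()
            return
        }
        onCreateGuarded(savedInstanceState)
    }

    // Subclasses put their normal onCreate logic here; it never runs on a rooted device.
    protected abstract fun onCreateGuarded(savedInstanceState: Bundle?)
}

class MainActivity : GuardedActivity() {
    override fun onCreateGuarded(savedInstanceState: Bundle?) {
        setContentView(R.layout.activity_main)   // assumed layout
    }
}

// The activity registered in the manifest for the VIEW/BROWSABLE intent filter.
class DeepLinkTargetActivity : GuardedActivity() {
    override fun onCreateGuarded(savedInstanceState: Bundle?) {
        setContentView(R.layout.activity_deeplink)   // assumed layout
        // Only reached on a compliant device: read the deeplink parameter.
        val param = intent.data?.getQueryParameter("parameter")
        // ... normal handling of param ...
    }
}

// Shown to non-compliant devices. Must NOT extend GuardedActivity,
// otherwise the check would redirect to itself in a loop.
class BlockedActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_blocked)   // assumed layout
    }
}
```

The point of the base-class approach is that the guard is tied to the entry points themselves rather than to one expected navigation path: whether the user arrives through the launcher, a deeplink, a notification or a task-switch restore, the same check runs before any screen content is set up. An audit of the manifest for every `exported` activity and every intent filter (the same static-analysis step the write-up describes) is the way to confirm no activity is left outside that base class.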

Exploitation

To check this behavior, I tried to launch the app on a rooted / "non compliant" device, which brought me to this splash activity.

Previously, during static analysis of the app, I found that the app was using several deeplinks to access different parts of the app.

And by triggering one of them, I was able to access the main activity of the app and bypass the splash screen.

ADB Command:

$ adb shell am start -a "android.intent.action.VIEW" -c "android.intent.category.BROWSABLE" -d "scheme://host?parameter=value"

Hyperlink from an external app:

Risks

Root detection is a mechanism used to prevent dynamic analysis of the app on rooted devices. If this detection is bypassed, it allows malicious users to analyze every storage action, system call, HTTP request, etc. that the app performs at runtime.
