# Insecure root detection implementation

## Root detection bypass via deeplink triggering (most likely not recognized as a bug)

### Description

The vulnerability was found in a Brazilian insurance Android app. The app used a splash activity to prevent rooted devices from going further in the app, but this could be bypassed without advanced technical knowledge by following an invalid deeplink that triggered an Activity after the splash screen.

In fact, the app only verified the device status at app launch.

### Exploitation

To check this behavior, I tried to launch the app on a rooted / "non-compliant" device, which brought me to this splash activity.

<figure><img src="/files/YmRopAGNtWw24vqXVQkT" alt=""><figcaption></figcaption></figure>

Previously, during static analysis of the app, I found that the app was using several deeplinks to access different parts of the app.

By triggering one of them, I was able to access the main activity of the app and bypass the splash screen.

ADB Command:

*`$ adb shell am start -a "android.intent.action.VIEW" -c "android.intent.category.BROWSABLE" -d "scheme://host?parameter=value"`*

Hyperlink from an external app:

<figure><img src="/files/Jm6rnXGjDIk3C62BwK3B" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Hh5bLjV7ly1OTCaMp5Na" alt=""><figcaption></figcaption></figure>

### Risks

Root detection is a mechanism used to prevent rooted devices from dynamically analyzing apps. If this detection is bypassed, it allows malicious users to analyze all storage actions, system calls, HTTP requests, etc. that are used by the app at runtime.
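
Because the check ran only in the splash activity, every other externally startable activity is an entry point that skips it. The following audit script is an added example, not code from the app or from the original write-up: it lists those entry points from a decoded `AndroidManifest.xml` so each one can be given the same device check. The package, activity names, scheme and the `gated` parameter are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Constructed sample manifest (hypothetical package, activity names and scheme).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.insurance">
  <application>
    <activity android:name=".SplashActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="exampleapp" android:host="open"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>"""


def entry_points_needing_gate(manifest_xml, gated=(".SplashActivity",)):
    """Return (activity, reason) for each externally startable activity not in `gated`."""
    findings = []
    for comp in ET.fromstring(manifest_xml).iter():
        if comp.tag not in ("activity", "activity-alias"):
            continue
        name = comp.get(ANDROID + "name")
        filters = comp.findall("intent-filter")
        exported = comp.get(ANDROID + "exported")
        # With no explicit android:exported, an intent filter exports the component (pre-Android 12 default).
        reachable = exported == "true" or (exported is None and bool(filters))
        if not reachable or name in gated:
            continue
        uris = []
        for f in filters:
            cats = {c.get(ANDROID + "name") for c in f.findall("category")}
            if "android.intent.category.BROWSABLE" in cats:
                uris += [f"{d.get(ANDROID + 'scheme')}://{d.get(ANDROID + 'host') or '*'}"
                         for d in f.findall("data") if d.get(ANDROID + "scheme")]
        findings.append((name, "deeplink " + ", ".join(uris) if uris else "exported"))
    return findings


if __name__ == "__main__":
    print(entry_points_needing_gate(SAMPLE_MANIFEST))
```

Any activity the script reports needs the device check in its own startup path (or in a shared base class or lifecycle hook), since it can be started without passing through the splash activity.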

