Root/Jailbreak Detection Missing
On a rooted or jailbroken device, every client-side control a financial or health app relies on (sandboxed storage, certificate pinning, anti-tampering) can be bypassed by whoever holds root, whether that is the device owner or malware running with root privileges.
How It Works
Rooting or jailbreaking does not remove the OS sandbox, but it lets a root-privileged process ignore it. An attacker with root can read your app's private storage, disable certificate pinning, attach an instrumentation framework (Frida, for example) to hook running code and alter return values, and dump tokens from process memory. A banking app that never checks device integrity hands these capabilities to anyone on such a device. Root detection does not stop a determined attacker, but it lets the app refuse to expose secrets on a device where they cannot be protected.
```jsx
// BAD: no root/jailbreak check before showing sensitive data
export function BankingApp() {
  const { balance } = useAccountData();
  return <BalanceDashboard balance={balance} />; // no device integrity check
}
```

```jsx
// GOOD: check device integrity before proceeding
import JailMonkey from 'jail-monkey';

export function BankingApp() {
  // isJailBroken() covers root and jailbreak; isOnExternalStorage() is
  // Android-only and flags an install on external storage.
  if (JailMonkey.isJailBroken() || JailMonkey.isOnExternalStorage()) {
    return <UnsupportedDeviceScreen />; // warn and limit functionality
  }
  return <AccountHome />;
}

// The data hook lives in a child so it is never called on a device that
// failed the check (hooks must run unconditionally within a component).
function AccountHome() {
  const { balance } = useAccountData();
  return <BalanceDashboard balance={balance} />;
}
```

Real-World Example
The OWASP Mobile Application Security Testing Guide (MASTG, formerly the Mobile Security Testing Guide) treats root and jailbreak detection, and the bypass of it, as a standard test case. Android banking trojans profit from rooted devices because root lets them read other apps' private directories under /data/data/; root detection cannot prevent that read, but it can keep your app from storing or displaying secrets on a device that has already been compromised.
How to Prevent It
- Implement root/jailbreak detection on the client with jail-monkey (React Native) and back it with platform attestation: the Play Integrity API on Android (SafetyNet Attestation is deprecated in its favour) and App Attest/DeviceCheck on iOS. Attestation verdicts are meant to be verified on your server, and the iOS APIs attest the app and device rather than reporting a jailbreak directly.
- Show a warning and limit sensitive functionality on compromised devices; don't just block silently or crash
- Combine root detection with runtime application self-protection (RASP: hook, debugger and tamper detection) for deeper coverage, and remember that all of it runs on the client. A determined attacker can patch the checks out, so keep the authorization decisions that matter on the server
- Re-check device integrity on every app launch and whenever the app returns to the foreground, not just at install or first run
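As an added example (not code from the original page or from the jail-monkey project), here is a device-integrity gate that turns the signals described under How It Works and the prevention steps above into an access decision: block, degrade, or allow. It assumes jail-monkey's synchronous method names isJailBroken, hookDetected, canMockLocation and isOnExternalStorage; constructed stub "devices" stand in for the real module so the file runs under Node, and the policy table, signal names and action lists are illustrative choices, not anything the page prescribes.

```javascript
// Added example: device-integrity gate for a React Native banking app.
// `detector` is any object exposing jail-monkey's synchronous checks
// (isJailBroken, hookDetected, canMockLocation, isOnExternalStorage).
// In the app pass the real module (import JailMonkey from 'jail-monkey');
// here constructed stubs stand in for devices so the file runs in Node.

const DEFAULT_POLICY = {
  // Signals after which the OS sandbox can no longer be trusted: refuse.
  block: ['rooted', 'hooked'],
  // Signals that justify a warning and reduced functionality.
  degrade: ['mockLocation', 'externalStorage', 'detectorFailed'],
};

// Each jail-monkey method and the signal it raises. hookDetected and
// isOnExternalStorage are Android-only (assumed names); on iOS the adapter
// skips methods the module does not expose rather than faking a "clean".
const PROBES = [
  ['isJailBroken', 'rooted'],
  ['hookDetected', 'hooked'],
  ['canMockLocation', 'mockLocation'],
  ['isOnExternalStorage', 'externalStorage'],
];

function collectSignals(detector) {
  const signals = [];
  for (const [method, signal] of PROBES) {
    if (typeof detector[method] !== 'function') continue;
    try {
      if (detector[method]() === true) signals.push(signal);
    } catch (_err) {
      // A probe that throws (e.g. a tampered native module) is itself a
      // signal: fail towards caution instead of assuming a clean device.
      signals.push('detectorFailed');
    }
  }
  return signals;
}

function decideAccess(signals, policy = DEFAULT_POLICY) {
  if (signals.some((s) => policy.block.includes(s))) return 'block';
  if (signals.some((s) => policy.degrade.includes(s))) return 'degraded';
  return 'full';
}

// What each access level may do. "degraded" keeps read-only views but
// disables money movement, so the user sees a warning, not a dead app.
const ACTIONS_BY_LEVEL = {
  full: ['viewBalance', 'viewTransactions', 'transfer', 'addPayee'],
  degraded: ['viewBalance', 'viewTransactions'],
  block: [],
};

function checkDeviceIntegrity(detector, policy = DEFAULT_POLICY) {
  const signals = collectSignals(detector);
  const level = decideAccess(signals, policy);
  return { signals, level, allowed: ACTIONS_BY_LEVEL[level] };
}

// Constructed stubs standing in for devices; not output of real hardware.
const CLEAN_DEVICE = {
  isJailBroken: () => false,
  hookDetected: () => false,
  canMockLocation: () => false,
  isOnExternalStorage: () => false,
};
const ROOTED_DEVICE = { ...CLEAN_DEVICE, isJailBroken: () => true };
const SDCARD_INSTALL = { ...CLEAN_DEVICE, isOnExternalStorage: () => true };
// iOS-style module without the Android-only methods.
const IOS_LIKE_DEVICE = { isJailBroken: () => false, canMockLocation: () => false };
const BROKEN_DETECTOR = {
  ...CLEAN_DEVICE,
  hookDetected: () => { throw new Error('native module unavailable'); },
};

const SAMPLE_DEVICES = { CLEAN_DEVICE, ROOTED_DEVICE, SDCARD_INSTALL, IOS_LIKE_DEVICE, BROKEN_DETECTOR };
for (const [name, device] of Object.entries(SAMPLE_DEVICES)) {
  console.log(name, JSON.stringify(checkDeviceIntegrity(device)));
}
```

In the app, call checkDeviceIntegrity with the real JailMonkey module from the root component on mount and again from an AppState 'active' listener, so a device rooted after install is caught on the next foreground rather than only on first launch. The result is a client-side decision only: a rooted device can patch this logic out, so the limits that matter should be driven by server-verified attestation verdicts.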
Related Vulnerabilities
- Deep Link Hijacking (medium): Custom URL schemes without host verification let malicious apps intercept your app's deep links and steal OAuth tokens or sensitive parameters.
- Clipboard Exposure (low): Sensitive data copied to the clipboard (passwords, tokens, card numbers) persists there indefinitely and can be read by any app.
- Screenshot Not Prevented (low): Banking and payment screens without screenshot protection allow sensitive data to be captured by malware or to appear in Android's recent apps screen.
- Certificate Pinning Missing (high): Without certificate pinning, attackers on the same network can intercept your app's HTTPS traffic with a rogue certificate authority.