Rooting your Android device gives you access to a wider variety of apps and a deeper access to the Android system. But some apps–like Google’s Android Pay–won’t work at all on a rooted device.
Google uses something called SafetyNet to detect whether your device is rooted or not, and blocks access to those features. Google isn’t the only one, either–plenty of third-party apps also won’t work on rooted Android devices, although they may check for the presence of root in other ways.
SafetyNet: How Google Knows You’ve Rooted Your Android Phone
Android devices offer a “SafetyNet API,” which is part of the Google Play Services layer installed on Google-approved Android devices. This API “provides access to Google services that help you assess the health and safety of an Android device,” according to Google. If you’re an Android developer, you can call this API in your app to check whether the device you’re running on has been tampered with.
This SafetyNet API is designed to check whether a device has been tampered with–whether it’s been rooted by a user, is running a custom ROM, or has been infected with low-level malware, for example.
Devices that ship with Google’s Play Store and other apps installed must pass Google’s Android “Compatibility Test Suite”. Rooting a device or installing a custom ROM prevents a device from being “CTS Compatible”. This is how the SafetyNet API can tell if you’re rooted–it merely checks for CTS compatibility. Similarly, if you get an Android device that never came with Google’s apps–like one of those $20 tablets shipped direct from a factory in China–it won’t be considered “CTS compatible” at all, even if you haven’t rooted it.
To get this information, Google Play Services downloads a program named “snet” and runs it in the background on your device. The program collects data from your device and sends it to Google regularly. Google uses this information for a variety of purposes, from getting a picture of the wider Android ecosystem to determining whether or not your device’s software has been tampered with. Google doesn’t explain exactly what snet is looking for, but it’s likely snet checks if your system partition has been modified from the factory state.
You can check the SafetyNet status of your device by downloading an app like SafetyNet Helper Sample or SafetyNet Playground. The app will ask Google’s SafetyNet service about your device’s status and tell you the response it gets from Google’s server.
For more technical details, read this blog post written by John Kozyrakis, a technical strategist at Cigital, a software security company. He dug into SafetyNet and explains more about how it works.
It’s Up to the App
SafetyNet is optional for app developers, and app developers can choose to use it or not. SafetyNet only prevents an app from working if an app’s developer doesn’t want it to work on rooted devices.
Most apps won’t check the SafetyNet API at all. Even an app that does check the SafetyNet API–like the test apps above–won’t stop working if they receive a bad response. The app’s developer has to check the SafetyNet API and make the app refuse to function if it learns your device’s software has been modified. Google’s own Android Pay app is a good example of this in action.
Android Pay Won’t Work on Rooted Devices
Google’s Android Pay mobile payment solution doesn’t work at all on rooted Android devices. Try to launch it, and you’ll just see a message saying “Android Pay cannot be used. Google is unable to verify that your device or the software running on it is Android compatible.”
It’s not just about rooting, of course–running a custom ROM would also put you afoul of this requirement. The SafetyNet API will claim it’s not “Android compatible” if you’re using a custom ROM the device didn’t come with.
Remember, this doesn’t just detect rooting. If your device were infected by some system-level malware with the ability to spy on Android Pay and other apps, the SafetyNet API would also prevent Android Pay from functioning, which is a good thing.
Rooting your device breaks Android’s normal security model. Android Pay normally protects your payment data using Android’s sandboxing features, but apps can break out of the sandbox on a rooted device. Google has no way to know how secure Android Pay would be on a particular device if it’s rooted or running an unknown custom ROM, so they block it. An Android Pay engineer explained the problem on the XDA Developers forum if you’re curious to read more.
Other Ways Apps Can Detect Root
SafetyNet is just one way an app could check if it’s running on a rooted device. For example, Samsung devices include a security system named KNOX. If you root your device, KNOX security is tripped. Samsung Pay, Samsung’s own mobile-payments app, will refuse to function on rooted devices. Samsung is using KNOX for this, but it could just as well use SafetyNet.
Similarly, plenty of third-party apps will block you from using them, and not all of them use SafetyNet. They may just check for the presence of known root apps and processes on a device.
It’s tough to find an up-to-date list of apps that don’t work when a device is rooted. However, RootCloak provides several lists. These lists may be out-of-date, but they’re the best ones we can find. Many are banking and other mobile wallet apps, which block access on rooted phones in an attempt to protect your banking information from being captured by other apps. Apps for video streaming services may also refuse to function on a rooted device as a sort of DRM measure, attempting to prevent you from recording a protected video stream.
Some Apps Can Be Tricked
Google’s playing a cat-and-mouse game with SafetyNet, constantly updating it in an attempt to stay ahead of people getting around it. For example, Android developer Chainfire has created a new method of rooting Android devices without modifying the system partition, known as “systemless root”. SafetyNet initially didn’t detect such devices as being tampered with, and Android Pay worked–but SafetyNet was eventually updated to detect this new rooting method. This means Android Pay no longer works along with systemless root.
Depending on how an app checks for root access, you may be able to trick it. For example, there are reportedly methods to root some Samsung devices without tripping the KNOX security, which would allow you to continue using Samsung Pay.
In the case of apps that just check for root apps on your system, there’s an Xposed Framework module named RootCloak that reportedly allows you to trick them into working anyway. This works with apps like DirecTV GenieGo, Best Buy CinemaNow, and Movies by Flixster, which don’t normally work on rooted devices. However, if these apps were updated to use Google’s SafetyNet, they wouldn’t be so easy to trick in this way.
Most apps will continue working normally once you’ve rooted your device. Mobile payment apps are the big exception, as are some other banking and financial apps. Paid video-streaming services sometimes attempt to block you from watching their videos as well.
If an app you need doesn’t function on your rooted device, you can always unroot your device to use it. The app should work after you’ve returned your device to its secure, factory state.
Image Credit: Danny Choo on Flickr