Android root/Jailbreak detection won't detect Rooting/cloaking/dangerous apps

[ronan-burke-civ]

I've been doing a little bit of investigation and I don't believe the check for rooting apps such as Magisk will succeed based on setting up the app according to the documentation (even if you have something like Magisk installed, the root detection will not detect it and mark the device as not rooted).

I think the following would need to be added to the setup documentation for Android:

• The following packages need added to the <queries> section of the Android Manifest to ensure they can be detected by the plugin:

  <queries>
      <!-- KnownRootAppsPackages -->
      <package android:name="com.noshufou.android.su" />
      <package android:name="com.noshufou.android.su.elite" />
      <package android:name="eu.chainfire.supersu" />
      <package android:name="com.koushikdutta.superuser" />
      <package android:name="com.thirdparty.superuser" />
      <package android:name="com.yellowes.su" />
      <package android:name="com.topjohnwu.magisk" />
      <package android:name="com.kingroot.kinguser" />
      <package android:name="com.kingo.root" />
      <package android:name="com.smedialink.oneclickroot" />
      <package android:name="com.zhiqupk.root.global" />
      <package android:name="com.alephzain.framaroot" />
  
      <!-- KnownDangerousAppsPackages -->
      <package android:name="com.koushikdutta.rommanager" />
      <package android:name="com.koushikdutta.rommanager.license" />
      <package android:name="com.dimonvideo.luckypatcher" />
      <package android:name="com.chelpus.lackypatch" />
      <package android:name="com.ramdroid.appquarantine" />
      <package android:name="com.ramdroid.appquarantinepro" />
      <package android:name="com.android.vending.billing.InAppBillingService.COIN" />
      <package android:name="com.android.vending.billing.InAppBillingService.LUCK" />
      <package android:name="com.chelpus.luckypatcher" />
      <package android:name="com.blackmartalpha" />
      <package android:name="org.blackmart.market" />
      <package android:name="com.allinone.free" />
      <package android:name="com.repodroid.app" />
      <package android:name="org.creeplays.hack" />
      <package android:name="com.baseappfull.fwd" />
      <package android:name="com.zmapp" />
      <package android:name="com.dv.marketmod.installer" />
      <package android:name="org.mobilism.android" />
      <package android:name="com.android.wp.net.log" />
      <package android:name="com.android.camera.update" />
      <package android:name="cc.madkite.freedom" />
      <package android:name="com.solohsu.android.edxp.manager" />
      <package android:name="org.meowcat.edxposed.manager" />
      <package android:name="com.xmodgame" />
      <package android:name="com.cih.game_cih" />
      <package android:name="com.charles.lpoqasert" />
      <package android:name="catch_.me_.if_.you_.can_" />
  
      <!-- KnownRootCloakingPackages -->
      <package android:name="com.devadvance.rootcloak" />
      <package android:name="com.devadvance.rootcloakplus" />
      <package android:name="de.robv.android.xposed.installer" />
      <package android:name="com.saurik.substrate" />
      <package android:name="com.zachspong.temprootremovejb" />
      <package android:name="com.amphoras.hidemyroot" />
      <package android:name="com.amphoras.hidemyrootadfree" />
      <package android:name="com.formyhm.hiderootPremium" />
      <package android:name="com.formyhm.hideroot" />
  </queries>

The permission QUERY_ALL_PACKAGES permission is another option, but Google heavily restricts its usage since it gives access to sensitive data: https://support.google.com/googleplay/android-developer/answer/10158779?hl=en-GB The above <queries> list may be too overreaching as well and be rejected by Google Play review.

[Pmr-precure]

I just tested with a device with Magisk and it didnt detect it.

[ronan-burke-civ]

I just tested with a device with Magisk and it didnt detect it.

If you add the config above, does it work @Pmr-precure ? I think this might be mainly a documentation / setup issue.

[Pmr-precure]

I just tested with a device with Magisk and it didnt detect it.

If you add the config above, does it work @Pmr-precure ? I think this might be mainly a documentation / setup issue.

Sorry for the late answer, i didnt try with the queries, but i dont want to risk it getting rejected on play store, you think it will?

[ronan-burke-civ]

I think Google is likely to scrutinise QUERY_ALL_PACKAGES and reject submissions with it that don't require it for their main purpose. The smaller, fixed list is maybe more likely to pass review.

However, I think one of the options is required for more comprehensive "root detection". You should be able to test it locally before submitting to the store to see if it detects Magisk for you. Ultimately then it would be your call to decide to submit it to the Play Store or not.