rootbeer
rootbeer copied to clipboard
scottyab
Checking for Root apps on Android 11+ is ineffectual due to package-visibility changes
https://developer.android.com/about/versions/11/privacy/package-visibility
Does rootbeer support these changes? Or everything works fine on android 11?
Thanks for raising this @BanHammerYKT
The good news is we don't crash (we would have caught that earlier). Partly due to the way Android handles the getPackageInfo request and that we have a try/catch around the statement.
But the bad news is that from my testing from Android 11 these checks for any root apps will be ineffective 😢 . Here's a test I ran with Sample Rootbeer looking for com.google.android.gm Gmail as a additional Root Management, Dangerous and Root Cloaking app.
| Android 8.1 | Android 11 |
|---|---|
 |
 |
Will adding apps list from this file
<queries>
<package android:name="first_root_app"/>
...
<package android:name="last_root_app"/>
</queries>
in manifest resolve this issue?
Potentially, but I saw in one of these Google I/O 2021 talks What’s new in Android privacy or The state of Android security that Google are changing the Play policy to make access to package queries only available to apps that genuinely need it. I'm not sure they would agree that root checking qualifies given SafetyNet is offered?.
Therefore I'm reluctant to add this feature as I could see apps getting pulled if we implemented this check. Although it does feel like we need to do something here to flag these checks are not running on Android 11+ maybe deprecating them and moving them out of the default checks 🤔
What if add an optional lib with manifest, something like
implementation 'com.scottyab:rootbeer-packages:0.0.9'