PermissionDetector
Tamper detector that identifies device compromise by examining filesystem mount permissions.
This detector works by analyzing the output of the mount command to determine if critical system directories are mounted with write permissions. On a secure Android device, system directories should be mounted as read-only to prevent unauthorized modifications.
The detector checks for read-write ("rw") mount options on the following critical paths:
/system - Core Android system files
/system/bin - System binary executables
/system/sbin - System super-user binaries
/system/xbin - Extended system binaries
/vendor/bin - Vendor-specific binaries
/sbin - System binaries directory
/etc - System configuration files
If any of these directories are mounted with write permissions, it typically indicates:
The device has been rooted
The system partition has been remounted as writable
Custom firmware or a custom ROM is installed
Security mechanisms have been bypassed
The detector handles different Android SDK versions as the mount command output format varies between Android Marshmallow (API 23) and later versions.
The scoring system returns a Double value:
1.0 indicates at least one critical path is writable (high confidence of tampering)
0.0 indicates all critical directories are properly read-only
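An added example (not the library's own PermissionDetector code) of the check described above: it parses both the /proc/mounts-style lines that older Android builds print and the "device on /path type fs (opts)" lines of newer builds, resolves each critical path to its longest covering mount point, and scores the result. The mount output is a constructed sample.

```kotlin
// Added example; the library's real implementation may differ.
val CRITICAL_PATHS = listOf(
    "/system", "/system/bin", "/system/sbin", "/system/xbin",
    "/vendor/bin", "/sbin", "/etc"
)

data class MountEntry(val mountPoint: String, val options: Set<String>)

// Accepts both mount output formats; returns null for unrecognised lines.
fun parseMountLine(line: String): MountEntry? {
    // Newer format: "<device> on <mountpoint> type <fstype> (<opts>)"
    val onFormat = Regex("""^\S+ on (\S+) type \S+ \((.*)\)""")
    onFormat.find(line)?.let { m ->
        return MountEntry(m.groupValues[1], m.groupValues[2].split(',').toSet())
    }
    // Older /proc/mounts format: "<device> <mountpoint> <fstype> <opts> 0 0"
    val fields = line.trim().split(Regex("\\s+"))
    if (fields.size < 4 || !fields[1].startsWith("/")) return null
    return MountEntry(fields[1], fields[3].split(',').toSet())
}

// A critical path is writable when the most specific mount point covering
// it (itself or the longest parent mount point) carries the "rw" option.
fun writableCriticalPaths(mountOutput: String): List<String> {
    val entries = mountOutput.lines().mapNotNull(::parseMountLine)
    return CRITICAL_PATHS.filter { path ->
        val covering = entries
            .filter { path == it.mountPoint || path.startsWith(it.mountPoint.trimEnd('/') + "/") }
            .maxByOrNull { it.mountPoint.length }
        covering != null && "rw" in covering.options
    }
}

// Same scale as the detector: 1.0 if any critical path is writable, else 0.0.
fun score(mountOutput: String): Double =
    if (writableCriticalPaths(mountOutput).isEmpty()) 0.0 else 1.0

// Constructed sample: /system has been remounted read-write, /vendor is ro.
val SAMPLE = """
    /dev/block/dm-0 on / type ext4 (ro,seclabel,relatime)
    /dev/block/by-name/system on /system type ext4 (rw,seclabel,relatime)
    /dev/block/by-name/vendor on /vendor type ext4 (ro,seclabel,relatime)
""".trimIndent()

fun main() {
    println(writableCriticalPaths(SAMPLE)) // [/system, /system/bin, /system/sbin, /system/xbin]
    println(score(SAMPLE))                 // 1.0
}
```

Note that /sbin and /etc resolve to the read-only root mount and /vendor/bin to the read-only /vendor mount, so only the paths under /system are reported.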
Example usage:
// Direct use of the detector
val detector = PermissionDetector()
val isTampered = detector.isTampered(context)

// Or in the analyze DSL (renamed here so both snippets can coexist in one scope)
val isTamperedViaDsl = analyze {
    detector {
        add(PermissionDetector())
    }
}