SuCommandDetector
Pre-configured tamper detector that identifies device rooting by checking for the su command.
This detector extends CommandDetector and specifically looks for the presence of the su (superuser) command in the system PATH. The su command is the fundamental component of root access on Unix-like systems, including Android.
What is the su command:
su stands for "substitute user" or commonly "superuser"
Allows a user to execute commands as another user, typically root
Essential for any form of elevated privileges on Android devices
Present on virtually all rooted Android devices
How the detection works:
The detector uses the which command to check if su is available in the system PATH. This method is effective because:
The su binary must be in PATH to be usable by applications
Standard Android installations do not include su in user-accessible locations
Root management tools install su in system directories that are included in PATH
Why this indicates tampering:
Stock Android devices do not have su accessible to user applications
The presence of su in PATH indicates the device has been rooted
This is one of the most reliable indicators of root access
This detector provides a lightweight and reliable method for detecting rooted devices by checking for the most fundamental root access tool.
Example usage:
val detector = SuCommandDetector()
val isTampered = detector.isTampered(context)

// Or in analyze DSL:
val isTampered = analyze {
    detector {
        add(SuCommandDetector())
    }
}
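The PATH lookup described under "How the detection works", written out as an added example. This is not the library's implementation; findInPath, whichFinds and suReachable are hypothetical names. It runs which su without a shell and, when which cannot be started or does not finish, falls back to walking PATH directly.

```kotlin
import java.io.File
import java.io.IOException
import java.util.concurrent.TimeUnit

// Hypothetical helper (not part of the library): resolve `name` against PATH
// the way `which` does, returning the first regular, executable match.
fun findInPath(name: String, path: String? = System.getenv("PATH")): File? =
    path.orEmpty()
        .split(File.pathSeparator)
        .filter { it.isNotBlank() }          // skip empty PATH entries
        .map { File(it, name) }
        .firstOrNull { it.isFile && it.canExecute() }

// Hypothetical helper: ask `which` directly. The argument list is passed
// without a shell, so `name` is never interpreted as shell syntax.
// Returns true/false from the exit code, or null when `which` itself is
// unavailable or does not finish in time (the result is then unknown).
// Process.waitFor(timeout, unit) needs Android API 26+ (assumption: minSdk >= 26).
fun whichFinds(name: String, timeoutSeconds: Long = 2): Boolean? = try {
    val process = ProcessBuilder("which", name)
        .redirectErrorStream(true)
        .start()
    if (process.waitFor(timeoutSeconds, TimeUnit.SECONDS)) {
        process.exitValue() == 0             // 0 means `which` found the command
    } else {
        process.destroyForcibly()
        null
    }
} catch (e: IOException) {
    null                                     // `which` could not be started
}

// Prefer the answer from `which`; fall back to the manual PATH walk
// only when `which` gave no answer at all.
fun suReachable(): Boolean = whichFinds("su") ?: (findInPath("su") != null)

fun main() {
    println("PATH = ${System.getenv("PATH")}")
    println("su reachable from PATH: ${suReachable()}")
}
```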