Incorrect Android Root Detection


#1

Today I have been locked out of the Starling app on my Android 6.0.1 device (Lenovo P2) following an app update. The app is stating the device is rooted (and it isn’t and never has been), but would initially allow me to proceed if I accepted the risk (which I won’t in case there is some acceptance of liability). I see from the past few days’ Play Store reviews that I am not alone.

The support desk suggested uninstalling and reinstalling, but this now presents the warning and only gives an exit option, so has now removed my option of even accepting the warning and proceeding.

Anyone else aware of the issue?


#2

@sarah.guha or @LoganAllan are you aware of any issues with the Android app thinking a phone is rooted?


#3

@StarlingSupport are issues with root detection something you’re aware of?


#4

I have just been asked to uninstall/reinstall the app after getting ‘your phone is rooted’, which it is not.
I cannot now install the app because of this false root detection.
Hopefully the problem gets sorted out quickly, as I feel that my hands are tied not being able to access my main bank account.


#5

I can also confirm this issue has presented itself as of the latest update; the previous release on the 18th of April runs without a hitch.

Device Information:
Model: OnePlus 2 (A2001)
Android: Oreo 8.1 (AOSP)
Network: EE (UK)

Download Link for (18th April 2018): com.starlingbank.android

^ Don’t know the timeframe until this version stops working but hopefully a solution will be available prior to this point. :confused:


#6

Hi all, we’ve recently made changes to our security model which detects rooted devices and custom ROMs.
The Starling app may have worked for some of you prior to getting the latest Android build.
If you’re experiencing any issues and haven’t already been in touch with CS, please do so; with your account, device and OS details - help@starlingbank.com


#7

Any estimate on when the rooted device detection will be tuned correctly?

I am currently running 4 other bank apps on my device. I know for sure that 2 of these have root detection on them, and these have no issue with false positives on the detection method they are using.


#8

I presume you haven’t got Android 8.1 officially on that phone. Could be something to do with that.


#9

I don’t get the rooted issue, but I keep getting messages saying I’m logging in from a new device, so have to set everything up all over again, then a day later the same thing.


#10

I personally see any company and developer that is trying to block rooted devices as being a bit excessive.

It’s not like all rooted devices and custom ROMs are unsafe; quite often, especially on older devices which the manufacturer no longer updates, custom ROMs from reliable sources, e.g. LineageOS, are actually more secure, since they use a more updated Android version and have security vulnerabilities patched.


#11

This is about trust and risk. A bank can ensure their own systems and communications infrastructure are secure: they can do that as it’s their own stuff.

But they have to assume the client device is also secure. A rooted device may be compromised and therefore can’t necessarily be trusted to be secure. And an insecure device increases the risk of fraud to the bank and the customer.


#12

What exactly are the new security criteria? Rooted phones may be unacceptable, but if this is expanded to include every custom ROM it will mean losing some customers needlessly. Your update is already triggering false positives, nice coding :roll_eyes: I am using Lineage OS and get weekly updates; it has worked fine with Starling since I moved my main account to you in January. It is no more a security risk than any other Android out there, in fact probably more secure, with OEM updates lagging long after Google releases security fixes. So will it be a new phone or a new bank?


#13

Isn’t it possible for a custom ROM to contain malware? That could be an issue.


#14

OEMs have been known to install malware: Samsung, LG, Sony among others. It depends how you define malware; if you mean some means to defeat your OS security for whatever reason, it is normally attempted via an app. There are a couple of issues with rooting and ROMs. Firstly, an app via Google Play (Starling?) can detect a rooted phone and refuse to install. Secondly, more recently Google will no longer allow downloads from the store if the phone does not meet certain criteria: https://www.android.com/certified/


#15

OK, I do agree with that to some level, but a stock device that no longer receives OEM updates and is running on an older version of Android is very likely to be more insecure than one running a custom ROM that is on the latest Android version.

I think most users that use a rooted device most likely understand the risks themselves and accept them. Even if someone’s account does get compromised due to an insecure device and, let’s say, they steal all their money by transferring it out, I doubt Starling would be liable, as it was caused by the users themselves by using an insecure device.

It’s the same as if I log in to my legacy bank account from a computer full of viruses etc. and get my bank login compromised; it’s not like they are going to be liable for any loss to my account if it gets cleaned out.


#16

I have asked on here for clarification and messaged customer support through the app regarding custom ROMs, no reply either way, so thought I would install the latest update to find out myself since I am running Lineage OS. The app installed fine and gave a message saying my phone was rooted. It is NOT rooted, but I could click accept the risk; what risk? I joined Starling partly because they build their own software and thought they would be more technically competent than the average bank whose software incompetence makes the headlines monthly. This is a poor show from Starling: no warning that the latest app may cause problems, and customers without access to their accounts.


#17

@Patrick - I do hope you haven’t changed it so that Magisk/Systemless + with cloak now breaks Starling - God forbid we can see data about our account.


#18

Hey, I currently use LineageOS on my OP2 and I have an unrooted phone. However, I can’t get Starling since it automatically says “Rooted Device” when I open the app and only gives me the option to exit. How did you manage to use LineageOS and Starling?


#19

I already had Starling installed and had two options: either don’t upgrade, or upgrade and accept the risk. There are others getting the same rooted message running standard Android; I hope Starling get it sorted soon.


#20

I should have added: CS said there should be no problem with Lineage OS.