Fine-tuning the role of root and jailbreak detection in mobile banking security
Root and jailbreak detection are sometimes viewed as the ultimate indicators of mobile device integrity. Yet, relying on these signals as binary risk indicators often leads to high rates of false positives, a degraded user experience, and a false sense of security.
This blog examines the mechanics of root and jailbreak detection, the costs of maintaining detection frameworks, and the necessity of integrating these signals into a broader contextual risk-scoring model. While root and jailbreak detection remains a vital regulatory and security tool, its true value lies in being one signal among many, and not a gatekeeper that ignores the reality of modern mobile threats.
What are rooting and jailbreaking?
Mobile operating systems like Android and iOS are designed with a “sandbox” model. This means every app lives in its own isolated environment. For example, a mobile banking app cannot see what is happening inside the environment of a gaming app.
At their core, rooting (Android) and jailbreaking (iOS) are processes intended to bypass built-in operating system restrictions, such as the sandbox, to gain elevated privileges.
- On Android, rooting grants "superuser" permissions on the mobile device, allowing the user to access and modify the Android subsystem and system files, which are normally kept hidden or locked by the device manufacturer.
- On iOS, jailbreaking grants elevated privileges and removes the restrictions Apple places on the device, allowing the installation of apps and software from sources other than the official App Store.
Users of mobile devices usually root or jailbreak their devices to customize the operating system, remove pre-installed bloatware, and optimize performance. It enables advanced features like installing specialized apps, extending battery life, blocking system-wide ads, and updating old devices with custom ROMs. But it also puts mobile app security at risk.
At a global level, one in 400 Android devices (0.25%) is rooted and one in 2,500 iOS devices (0.04%) is jailbroken. The APAC region sees slightly higher rates than the US and Europe.
Rooting and jailbreaking almost always require physical access to the device. A user typically roots or jailbreaks a device with specialized tools such as Magisk, APatch, or KernelSU (Android) and Dopamine or Checkra1n (iOS).
What are root and jailbreak detection?
Root and jailbreak detection processes identify whether a device has been rooted or jailbroken. Usually a multi-layered detection strategy is used to identify environmental compromise, such as:
- Unusual files: The app searches for specific files that only exist if the device has been modified (e.g., the “Magisk” app on Android).
- System permissions: The app tries to perform a task that a normal app shouldn't be able to do, like editing a system folder. If it succeeds, the app knows the device is rooted.
- Tamper evidence: The app checks whether the digital signature of the device’s operating system, which acts as a security seal, is still valid.
Why root and jailbreak detection should not be considered binary risk signals
Mobile banking apps use detection mechanisms to interrogate the environment before allowing sensitive operations. If the app detects that the device is compromised, it may:
- Prevent the app from launching entirely
- Restrict certain features (e.g., disable high-value transfers)
- Trigger an alert to the bank’s fraud backend
At first sight, it seems logical for mobile banking apps to consider rooted or jailbroken devices untrustworthy, as these devices lack the usual restrictions device manufacturers put in place. However, rooting or jailbreaking is not necessarily equivalent to malicious intent.
Users of mobile devices may root or jailbreak their device for a variety of perfectly benign reasons, so it is not correct to assume that a mobile banking app is threatened just because it runs on a rooted or jailbroken device.
Placing excessive weight on root and jailbreak detection, or simply blocking such devices outright, comes with an important cost: degraded user experience. Benign users may no longer be able to access their bank accounts from their mobile devices, damaging relationships and draining resources.
Additionally, most modern real-world attacks against mobile banking apps, such as phishing overlays, repackaging, and abuse of accessibility services, can operate on non-rooted devices, meaning root detection does not protect against all threats. Excessive focus on root and jailbreak detection may create a false sense of security that causes banks to miss actual threats.
Key takeaway: Approaching root and jailbreak detection from a binary lens, whereby rooted and jailbroken are equivalent to “bad,” comes with a high degree of false positives, negatively impacts user experience, and might cause actual threats to be ignored.
The low ROI of constantly evolving root and jailbreak detection
Root and jailbreak techniques constantly evolve to hide their presence. For example, modern rooting tools like Magisk operate systemlessly, leaving few or no traces on the system partition and rendering traditional file-based detection ineffective.
Developers of root and jailbreak detection can respond to evolving root and jailbreak mechanisms by identifying new signs to detect them. However, this motivates hackers to come up with even better evasion mechanisms, resulting in a never-ending arms race. For example, the popular rooting framework KernelSU has had 7 releases since January 1, 2025.
For mobile banking app providers, the only way to keep up with the latest root and jailbreak techniques is by releasing daily or weekly app updates. This comes at a significant cost, as each version has to go through release processes, often involving security penetration tests (pentests) by external companies.
This cat-and-mouse game provides a limited return on investment for most financial services organizations, especially since root and jailbreak detection do not represent the most meaningful threat signal.
Root and jailbreak detection is one risk signal among many
Banks should consider root and jailbreak detection a useful risk signal, but avoid exaggerating its importance relative to the other risk signals that should also be considered. With root and jailbreak detection, banks can be made aware of the following threats:
- Detecting removal of the app sandbox: Banks should be aware that the fundamental sandbox restrictions designed to prevent applications from accessing each other's data are no longer present on a given device.
- Malware susceptibility: Rooted devices are more susceptible to malware that can steal credentials, log keystrokes, and intercept SMS verification codes.
- Runtime manipulation: Hackers can use rooted devices to inject code, hook API calls, and bypass security checks (e.g., using Frida or Xposed frameworks).
- Regulatory requirements: In certain regions, financial regulations compel banks to detect operations on compromised devices.
Rather than just binary blocking, mobile banking security is moving toward a more nuanced approach that includes:
- Contextual risk scoring: Combining root detection with other signals (e.g., app integrity, presence of debugging tools, location) to create a risk score.
- Restricting functionality: Instead of completely blocking the app, some banks allow low-risk actions (e.g., checking balance) but block high-risk actions (e.g., transferring large amounts) on rooted devices.
- Backend verification: Using server-side attestation (e.g., Google Play Integrity API), which is harder to spoof than client-side checks.
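The contextual, per-action scoring described above, as an added illustration that is not code from the original post or any bank's product. The signal weights, the thresholds, and the attestation verdict strings (named after the Play Integrity device-recognition labels, but weighted by assumption here) are all assumptions chosen for this example; the point is that a rooted but otherwise clean device is restricted rather than blocked, while an overlay or hooking attack on a non-rooted device is still caught.

```python
# Added illustrative example: contextual risk scoring on a bank's fraud backend.
# Weights, thresholds and verdict strings are assumptions for this example.
from dataclasses import dataclass

ALLOW, RESTRICT, BLOCK = "allow", "restrict", "block"

@dataclass
class DeviceSignals:
    rooted: bool = False                    # client-side root/jailbreak check
    attestation: str = "MEETS_DEVICE_INTEGRITY"  # server-side verdict (assumed)
    app_signature_valid: bool = True        # repackaging / tamper check
    hooking_detected: bool = False          # Frida/Xposed-style instrumentation
    overlay_or_accessibility: bool = False  # overlay / accessibility abuse
    unfamiliar_location: bool = False

# Root is one weighted signal; instrumentation, repackaging and overlay
# abuse (which all work on non-rooted devices) weigh more than root alone.
WEIGHTS = {"rooted": 20, "app_signature_invalid": 45, "hooking_detected": 50,
           "overlay_or_accessibility": 35, "unfamiliar_location": 10}
ATTESTATION_WEIGHTS = {"MEETS_STRONG_INTEGRITY": 0, "MEETS_DEVICE_INTEGRITY": 0,
                       "MEETS_BASIC_INTEGRITY": 15}  # any other verdict: 40
RESTRICT_AT, BLOCK_AT = 30, 70
LOW_RISK_ACTIONS = {"view_balance", "view_transactions"}

def risk_breakdown(sig: DeviceSignals) -> dict:
    """Each contributing signal with its weight, for fraud-analyst review."""
    parts = {}
    if sig.rooted:
        parts["rooted"] = WEIGHTS["rooted"]
    if not sig.app_signature_valid:
        parts["app_signature_invalid"] = WEIGHTS["app_signature_invalid"]
    for name in ("hooking_detected", "overlay_or_accessibility",
                 "unfamiliar_location"):
        if getattr(sig, name):
            parts[name] = WEIGHTS[name]
    parts["attestation"] = ATTESTATION_WEIGHTS.get(sig.attestation, 40)
    return parts

def risk_score(sig: DeviceSignals) -> int:
    return sum(risk_breakdown(sig).values())

def evaluate(sig: DeviceSignals, action: str) -> str:
    """Per-action decision: a rooted but otherwise clean device keeps low-risk access."""
    score = risk_score(sig)
    if score >= BLOCK_AT:
        return BLOCK
    if score >= RESTRICT_AT and action not in LOW_RISK_ACTIONS:
        return RESTRICT
    return ALLOW
```

Returning the breakdown alongside the decision lets the fraud team see which signals drove a restriction, which is what makes the score tunable rather than a hidden binary switch.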
The role of regulation and pentesting frameworks
Mobile banking security regulations and some pentesting frameworks include requirements for root and jailbreak detection. While important to a degree, these regulations should avoid creating a gap between what is measured and what matters.
More specifically, mandating that mobile banking apps perform root and jailbreak detection makes sense, but forbidding a mobile banking app from running on a rooted or jailbroken device will result in many false positives and negatively impact many legitimate bank customers.
Prepare for modern risks with comprehensive security
Root and jailbreak detection is a crucial tool for mobile banking apps to identify a compromised operating system, but it is best used as one of many risk signals within a layered, defense-in-depth approach. Banks, regulators, and pentesters must balance risk reduction with user experience.
A binary approach rarely achieves this equilibrium. All entities in the banking ecosystem should use root and jailbreak detection as one signal in contextual risk scoring, combining it with other risk signals to create an overall risk score that better identifies threats and protects legitimate customer interactions.