[READ] Step 1: Are you in the right place?
Issues filed here should be about bugs in the code in this repository. If you have a general
question, need help debugging, or fall into some other category use one of these other channels:
- For general technical questions, post a question on StackOverflow with the firebase tag.
- For general Firebase discussion, use the firebase-talk google group.
- For help troubleshooting your application that does not fall under one of the above categories, reach out to the personalized Firebase support channel.
[REQUIRED] Step 2: Describe your environment
- Android Studio version: Otter 2025.2.3
- Firebase Component: Crashlytics
- Component version: 19.4.0 -> latest
[REQUIRED] Step 3: Describe the problem
The method CommonUtils.isRooted() is currently being flagged by third-party independent security researchers during mobile application assessments based on OWASP Mobile Application Security Testing Guide (MASTG), specifically MASTG-KNOW-0027: Root Detection.
While OWASP clearly states that root detection is not a vulnerability by itself, the current implementation in Firebase appears to:
- Rely on outdated / simplistic heuristics (e.g., static file checks, presence of basic binaries).
- Produce unreliable results on modern Android versions, including false positives and false negatives.
- Not align with modern root detection practices (multi-layered, runtime-aware, obfuscation-resistant approaches).
- Be easily bypassable, which reduces its value even as a soft anti-tampering signal.
Additionally, this method has already shown instability and incorrect behavior on newer Android devices, as discussed in:
- Issue #5525 (detection on Android 13+)
- Issue #2495 (detection on emulators)
These reports suggest that isRooted() may no longer behave consistently across API levels and device configurations (e.g., scoped storage, system-as-root, modern SELinux policies, Magisk hiding, etc.).
Steps to reproduce:
1. Use Firebase Crashlytics in an Android app.
2. Run the app on:
   - Android devices across modern API levels (Android 10 / 12 and 13+)
   - Either a rooted (with Magisk hiding) or a non-rooted device
3. Observe:
   - Inconsistent isRooted() results depending on environment
   - Security scanners flagging the implementation as insufficient / non-compliant with OWASP recommendations
Security review tools specifically flag:
- Static file path checks (/system/xbin/su, etc.)
- Lack of runtime or behavioral checks
- No mitigation for modern root-hiding techniques
Expected behavior:
CommonUtils.isRooted() should either:
- Use a modern, more reliable root detection approach compatible with current Android versions, or
- Be clearly documented (or deprecated/removed) as non-security-grade, so it is not flagged during security reviews.
Given that Firebase Crashlytics is widely embedded across production applications, its internal utilities should not introduce audit friction or trigger OWASP-related findings in downstream apps.
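As an added illustration of the layered, signal-by-signal approach the report asks for (example code, not the Crashlytics CommonUtils implementation): the su path list, the property names read via getprop and the class name are assumptions, and the result is advisory telemetry only, not a security-grade verdict.

```java
import android.os.Build;
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical replacement for a single-boolean isRooted(): returns which signals fired so
 *  callers and auditors can see what was checked. Advisory only; all of this can be hidden. */
public final class RootSignals {
    // Constructed, non-exhaustive list of common su locations (assumption, not the SDK's list).
    private static final String[] SU_PATHS = {
        "/system/xbin/su", "/system/bin/su", "/sbin/su", "/su/bin/su",
        "/data/local/xbin/su", "/data/local/bin/su", "/data/local/su"
    };

    public static List<String> collect() {
        List<String> signals = new ArrayList<>();
        // Signal 1: image signed with test keys; production builds carry "release-keys".
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) signals.add("build:test-keys");
        // Signal 2: the static path check the issue describes; weakest signal, trivially hidden.
        for (String p : SU_PATHS) if (new File(p).exists()) signals.add("file:" + p);
        // Signal 3: runtime PATH walk, catches su binaries outside the hard-coded list.
        String path = System.getenv("PATH");
        if (path != null) {
            for (String dir : path.split(":")) {
                if (!dir.isEmpty() && new File(dir, "su").exists()) { signals.add("path:" + dir); break; }
            }
        }
        // Signal 4: system properties that production images do not ship with.
        if ("1".equals(getProp("ro.debuggable"))) signals.add("prop:ro.debuggable=1");
        if ("0".equals(getProp("ro.secure"))) signals.add("prop:ro.secure=0");
        return signals;
    }
    /** Reads a system property via the getprop binary; returns null if it cannot be read. */
    static String getProp(String name) {
        try {
            Process proc = new ProcessBuilder("getprop", name).redirectErrorStream(true).start();
            try (BufferedReader r = new BufferedReader(new InputStreamReader(proc.getInputStream()))) {
                String line = r.readLine();
                return line == null ? null : line.trim();
            }
        } catch (IOException e) {
            return null;
        }
    }
}
```

Reporting the list (rather than a boolean) lets an app log the individual signals as crash metadata while making clear to reviewers that no single check is relied on as a control.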
Relevant Code:
https://github.com/firebase/firebase-android-sdk/blob/main/firebase-crashlytics/src/main/java/com/google/firebase/crashlytics/internal/common/CommonUtils.java#L321