Do not show the root information pop up at each start of the app

[Ein-Tim]

Avoid duplicates

• This enhancement request has not already been raised before
• Enhancement request is specific for Android only, for general issues / questions that apply to iOS and Android please raise them in CWA-Wishlist
• If you are proposing a new feature, please do so in CWA-Wishlist

Current Implementation

Currently (since version 2.12), the Corona-Warn-App always shows a pop up, which informs the user that the device is rooted, when the app is opened (not if it's brought to the foreground from the background).

Suggested Enhancement

Do only show this pop up once or include a checkbox, which can be checked by the user, "Do not show this information again.".

Expected Benefits

Most users are aware of the fact that their device is rooted, so they don't need an information reg. this on every start of the app.

Related issue

• app not remembering answer for rooted device #4264

---

Internal Tracking ID: EXPOSUREAPP-10181
Internal Tracking ID: EXPOSUREAPP-10698

[Diapolo]

Needs to be "fixed" ASAP :).

[dsarkar]

@Diapolo @Ein-Tim Thanks for the suggestion: Internal Tracking ID: EXPOSUREAPP-10181

[x2k13]

Even not rooted devices show this warning!

Especially if using custom/aftermarket OS like LineageOS (official).
This has to be a false positive and/or flaw in the used library/code.
I double checked by clean flashing a LOS compatible device plus OpenGapps (official).
The app RootBeer Sample complains about "Dangerous Props". Every other root checker app says "unrooted".

Please investigate.

[vaubaehn]

I proposed a change on how to display the "root warning" here: #4264 (comment)

[Art4]

I have a not rooted device with LineageOS 18.1, but the rootbeer-lib detects it false positive as rooted. I also commented this in their repo (see scottyab/rootbeer#147) but there seems no much hope that this will be fixed. Please remove or add a possibility to remove this check, because it is very annoying. It worsens the UX for a quick check-in.

[vaubaehn]

Hi @Art4 , thanks for your comment. Reading that referenced issue brought up an idea.

@mlenkeit and @thomasaugsten
Please have a look at the issue that @Art4 linked to. It becomes obvious, that the detection of ro.debuggable=true causes that false positive. Neither users nor the devs of rootbeer lib themselves could prove that this system prop alone makes the system vulnerable via adb root. It looks like everything is fine as long as ro.secure=true. Unfortunately, the devs did not take action on this issue anymore and it looks like, rootbeer has paused active maintenance.

My proposal is:
Please fork rootbeer lib (similar like you did with CertLogik), and simply comment out this line from the code:
https://github.com/scottyab/rootbeer/blob/363a9e7182c4fcf367bc67b2dcdebf2fa2aaf565/rootbeerlib/src/main/java/com/scottyab/rootbeer/RootBeer.java#L265

Everything should be fine then: rootbeer lib stays open source and is part of the CWA project, and this special false positive is solved.
What do you think?

[x2k13]

+1

[dsarkar]

@vaubaehn @x2k13 Thanks for you analysis and comments. Forwarded to the internal ticket.

[dsarkar]

Internal Tracking ID: EXPOSUREAPP-10181
Internal Tracking ID: EXPOSUREAPP-10698

[dsarkar]

see #4264 (comment)

[Ein-Tim]

PR #4550 targeting release/2.16.x changes the behavior so that it will be possible to hide the information until after the next update.

[LillyWho]

+1 On making it dismissable. I know I'm rooted because I did the root myself and compiled the firmware I'm running
I don't need yet another app saying "Hey uh you're rooted, that might be dangerous". My carrier's app already does that and I've shut that one up by using MagiskHide, so the entire root check thing is kind of a moot point. Is there even malware out there that would care to steal this app's data? And if yes, it would still have to get past the permission prompt.

[LillyWho]

Update: MagiskHide fully works on this, so you still have the discussion on your hands that any app using Safetynet has: Since it's so easily bypassed on at least some configurations by the main root solution of today, why even bother? Especially when it annoys the user unnecessarily.

[dsarkar]

@Ein-Tim I think we can close this ticket.

[Ein-Tim]

@dsarkar

Yes, for sure! Internal ticket is already set to "Implemented" I assume.

[dsarkar]

@Ein-Tim Thanks.

[vaubaehn]

Hi all guys with a rooted phone, we could need your help in a different issue.
There may be a bug in the Exposure Notification System that leads to filling up internal storage until the system runs out of free space.
If you may help, please leave a note over #4732
Thank you!