I'm developing an Android application, but I want to restrict my application to only be accessible by hardware that is not running a rooted/custom ROM. I know about Android's Forward Locking content protection, but would like to double check this protection from within my app. Is there any way to get the signature of the device along with a trusted signature of the ROM using Android APIs so that I lock my app out from Custom ROMs?
There is no fail-proof way that I can think of, sorry. The main point of a ROM or root is that you can change whatever you want. Therefore, none of the Android API calls are safe from modifications; e.g., there is no call that would 100% let you know you are running on a legit device.
Update: Check out Google SafetyNet, it may allow you to ensure that a device is non-modified. From what I read, SafetyNet is supposed to let you check if a device is "compatible" with what Google says are the correct "Android" APIs.
This question has some information on determining whether a device is running a custom ROM:
System.getProperty("os.version"); // OS version
android.os.Build.VERSION.SDK // API Level
android.os.Build.DEVICE // Device
android.os.Build.MODEL // Model
android.os.Build.PRODUCT // Product
Use this and then compare it with the Google stock images.
Source: https://stackoverflow.com/questions/3843841/how-to-determine-if-os-is-a-custom-rom-from-an-app
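The comparison suggested in the last answer could be sketched as follows. This is an added example, not code from either answer. The allowlist entries and sample values are constructed, the class and method names are hypothetical, and the check on `android.os.Build.TAGS` is an addition beyond the fields listed above. All of these values are reported by the ROM itself, so the result is a heuristic only, for the reason given in the first answer.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class StockBuildCheck {
    // Constructed allowlist of DEVICE|PRODUCT|MODEL triples. A real list would be
    // compiled from the stock images of the devices the app supports.
    static final List<String> STOCK_TRIPLES = List.of(
            "exampledevice|exampleproduct|Example Phone");

    // Returns the reasons a reported build does not look stock (empty = no finding).
    static List<String> findings(Map<String, String> build) {
        List<String> reasons = new ArrayList<>();
        String triple = build.getOrDefault("DEVICE", "") + "|"
                + build.getOrDefault("PRODUCT", "") + "|"
                + build.getOrDefault("MODEL", "");
        if (!STOCK_TRIPLES.contains(triple)) {
            reasons.add("DEVICE/PRODUCT/MODEL not in stock list: " + triple);
        }
        // Stock release builds are normally tagged release-keys; builds signed
        // with the public AOSP test keys carry test-keys instead.
        String tags = build.getOrDefault("TAGS", "");
        if (!tags.contains("release-keys")) {
            reasons.add("build tags are not release-keys: " + tags);
        }
        return reasons;
    }

    public static void main(String[] args) {
        // Constructed sample values. On a device these would be read from
        // android.os.Build.DEVICE, PRODUCT, MODEL and TAGS.
        Map<String, String> stock = Map.of("DEVICE", "exampledevice",
                "PRODUCT", "exampleproduct", "MODEL", "Example Phone",
                "TAGS", "release-keys");
        Map<String, String> custom = Map.of("DEVICE", "exampledevice",
                "PRODUCT", "custom_exampledevice", "MODEL", "Example Phone",
                "TAGS", "test-keys");
        System.out.println("stock:  " + findings(stock));
        System.out.println("custom: " + findings(custom));
    }
}
```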