Can you ask the pen tester what they expect you to do about it? I’m not sure how replacing existing constants is an issue in this case, but I don’t get paid to analyze code for vulnerabilities either. The only fix I can think of is you need to figure out a different way to check to see if the device is rooted that doesn’t involve a runtime.exec() call (I don’t know if there is one).
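A root heuristic that avoids `Runtime.exec()` by looking for an `su` binary on the filesystem and checking the build tags. This is an added example, not code from the post above; the directory list, the class and method names, and the use of the `android.os.Build.TAGS` value (passed in as a string so the class compiles off-device) are assumptions.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/** Root heuristic that only inspects the filesystem; it never spawns a process. */
public final class RootCheck {
    // Assumed list of directories where an su binary is commonly installed.
    private static final List<String> SU_DIRS = Arrays.asList(
            "/system/bin", "/system/xbin", "/sbin", "/su/bin",
            "/system/sbin", "/vendor/bin", "/data/local/bin", "/data/local/xbin");

    /** Returns every su binary found in the given directories. */
    static List<File> findSu(Iterable<String> dirs) {
        List<File> hits = new ArrayList<>();
        for (String dir : dirs) {
            if (dir == null || dir.isEmpty()) continue;
            File candidate = new File(dir, "su");
            if (candidate.isFile()) hits.add(candidate);
        }
        return hits;
    }

    /** Known directories plus whatever PATH the app process inherited. */
    static Set<String> searchDirs() {
        Set<String> dirs = new LinkedHashSet<>(SU_DIRS);
        String path = System.getenv("PATH");
        if (path != null) dirs.addAll(Arrays.asList(path.split(File.pathSeparator)));
        return dirs;
    }

    /**
     * buildTags is the value of android.os.Build.TAGS, passed in by the caller;
     * "test-keys" marks a build that was not signed with release keys.
     */
    static boolean looksRooted(String buildTags) {
        boolean testKeys = buildTags != null && buildTags.contains("test-keys");
        return testKeys || !findSu(searchDirs()).isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample input: a stock device reports "release-keys".
        System.out.println("su binaries: " + findSu(searchDirs()));
        System.out.println("looks rooted: " + looksRooted("release-keys"));
    }
}
```

Like any on-device check, this is a heuristic: the result is a signal to weigh alongside other evidence, not a guarantee about the device's state.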