Ive got report from penetration test provider that my hardcoded command is vulnerable to injection. Its Runtime command where Im trying to check if device is rooted ( Runtime.getRuntime().exec(new String[] { "/system/xbin/which", "su" }); )