Comment by the_biot

It's fundamentally client-side security: the phone tells the server "no, I haven't been rooted" and the server believes it.

Any security system that relies on any form of client-side security is going to have other problems as well, since its designers haven't grasped this basic principle.