I'm doing penetration-testing on an Android application.
This application detects ROOT environment, but instead of stopping the application and exits, it's displaying a warning message and letting the user decide about running or not.
So based on OWASP for Mobile (MASVS), is it a correct implementation or not?
Yes, the requirement is (emphasis added):
8.1 MSTG-RESILIENCE-1 The app detects, and responds to, the presence of a rooted or jailbroken device either by alerting the user or terminating the app.
Either is clearly allowed by the spec.
Now, some advice: as a user, I hate apps that refuse to run on rooted devices. I will absolutely give any app that does a 1-star rating on the app store that I got it from. Most users with rooted devices are running them intentionally, and are aware of the security tradeoffs involved (which are generally no worse than having an Administrator account on a Windows computer, for instance). Please don't make apps that terminate when they detect a rooted device. Give the user the choice of what to do.