Yes, but a web browser doesn't run HTML + JS as root.
Dependence on a secure client is generally a bad idea. Security should be server-side.
A rooted Android device doesn't run apps as root either, nor does it generally allow them to get root access without the user accepting a system prompt.
Dependence on a secure client is generally a bad idea. Security should be server-side.