I have implemented SSL pinning in Android application but I am able to bypass using SSL trust killer. I am looking for some solution to be able to detect or prevent such attacks. One solution is to check for root and then uninstall the application because SSL trust killer requires root privileges.
Is there any other solution besides this?
Android SSL-TrustKiller does not simply work by putting a new trusted root CA into the trust store since an application could protect against this using pinning, like you do. Instead SSL-TrustKiller patches the SSL-API used by the program so that the usual way of pinning does not work any longer but that the application will not notice this.
While there might be a way to work around SSL-TrustKiller by using uncommon ways to pin a certificate which are not covered by the API patches it is impossible to find a general solution against TLS interception as long as the user fully owns the system (i.e. is root). Such a user could for example modify your application and disable the code for pinning or add hooks into the application to get to the plain text before encryption.
