
My fav 7 methods for Bypassing Android Root detection

Explore Android penetration testing and root detection evasion techniques to strengthen mobile app security against malicious attacks and fortify defenses.

Welcome to the world of Android penetration testing and root detection evasion. Mobile applications now play a central role in daily life, so ensuring their security is paramount. Root detection mechanisms are an important line of defense against malicious tampering, yet they also present a challenge for security professionals who need to assess and strengthen the resilience of Android applications.

We are not going to explain a new methodology or any new discovery; rather, we will list a few of the existing traditional and modern methods.


Prerequisites

Familiarity with Basic Android Pentesting and tools such as adb, frida, Objection, Magisk application, Decompiling/Recompiling APK, APK Signing and Dex to Jar Conversion.

What we will explore:

  1. MagiskHide module in the Magisk application (Magisk v23.x and earlier)
  2. Zygisk DenyList in the Magisk application (Magisk later than v23.x)
  3. Tampering the Smali code
  4. Objection’s common method
  5. Bit manual with Objection
  6. Using Frida scripts
  7. Medusa framework

Note: we haven’t covered the basics such as setting up the frida server or decompiling/re-compiling the Android application. We hope you are already familiar with them!


1. MagiskHide module in the Magisk application (Magisk v23.x and earlier)

If your device is rooted with Magisk, you can try MagiskHide, available in the Magisk application. Please note that this feature is only available up to Magisk version 23.x.

Step 1: Enable the MagiskHide module from the app settings

Step 2: Choose the application from which the root has to be hidden


2. Zygisk DenyList (Magisk App later than v23.x)

Magisk App versions later than v23.0 provide an alternative feature, Zygisk DenyList, instead of MagiskHide. By enabling this feature, we can bypass the root detection of most applications.

Step 1: Enable Zygisk and DenyList from the app settings

Step 2: Choose the application from which the root has to be hidden


3. Tampering the Smali Code

Yes, sometimes we can work some magic on the application’s smali code, which can be obtained after decompiling the application with Apktool.

Step 1: Decompile the apk file using JADX-GUI or any other alternative.

Step 2: Identify the code which is in charge of the root detection process.

Step 3: In this case, the application uses the RootBeer library for root detection, and we can see that an “if” condition is the decision-making element that decides whether the device is rooted or not.

Step 4: Now decompile the APK with Apktool and find the smali code for the above “if” statement.

Step 5: Modify the condition statement as illustrated in the picture below.

Step 6: Now save the file and rebuild the application; don’t forget to sign the APK file.

Re-packing the application

This will change the application logic and bypass the root detection.


4. Using Objection’s Common method

Hopefully you are familiar with the Objection tool; if not, install it using pip:

pip3 install objection

Step 1: Start the frida server on the Android device / virtual device.

Step 2: Now, launch the application with the following Objection command.

objection -g com.test.app explore

Step 3: Now the application will be launched on your device; then execute the following Objection command.

This module modifies the return values of the root detection library’s class methods in order to bypass root detection.

Step 4: If the root detection prompt is still shown by the application, just press the back button and exit the application (don’t kill the app from the background) and open it again.

The root detection will disappear :)


5. Bit Manual with Objection tool

This method is a bit tricky.

Following are the steps.

Step 1: First convert the APK file into class files using dex2jar.

Step 2: Analyse the class files and identify which library is being used for root detection.

Step 3: Now connect the app with Objection (objection -g <pkg_name or process ID> explore)

Step 4: Execute the following command

android hooking list class_methods <root detection class>

Step 5: Now we can identify that the boolean method isDeviceRooted() (the name may differ in other libraries) is in charge of root detection.

Step 6: We can change its return value from true to false with the following command:

android hooking set return_value <root_detect_class.method> false

Step 7: That’s it. Here we have changed the boolean value returned by the root detection class method, which changes the application’s root detection logic and bypasses the check.
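Both the smali edit in section 3 and the return-value hook above succeed for the same reason: the application concentrates its whole decision in one “if” and one boolean return. The Java snippet below is added here as an illustration of that weakness from the defender’s side; it is not code from the original post, from RootBeer or from any other library mentioned. It contrasts the single-gate pattern with a layered design in which several independent signals are collected into a bitmask and the final verdict is made on the server. The class and method names, the /sbin/.magisk path used as a Magisk indicator, the frida string searched for in /proc/self/maps and the attestation token are all assumptions chosen for the example.

```java
// Added illustration for sections 3 and 5 (not code from the original
// post or any library it mentions): a single boolean gate versus a
// layered, server-decided design. Class, method and path names are
// assumptions chosen for this example.
import android.os.Build;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;

public class RootSignals {

    // ---- Weak pattern ---------------------------------------------------
    // One method returns the verdict and one "if" acts on it. Flipping the
    // branch in smali (section 3) or hooking isDeviceRooted() to return
    // false (section 5) neutralises the whole check in one move.
    public static boolean isDeviceRooted() {
        return new File("/system/bin/su").exists()
            || new File("/system/xbin/su").exists();
    }

    public static void weakGate() {
        if (isDeviceRooted()) {
            throw new SecurityException("Rooted device");
        }
    }

    // ---- Stronger pattern -----------------------------------------------
    // Several independent checks each contribute a bit to a mask, so there
    // is no single method or branch whose inversion hides everything. The
    // client never branches on the mask; it reports it to the backend with
    // an attestation token, and the server decides what the session may do.
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/data/local/bin/su", "/data/local/xbin/su"
    };

    public static final int SIG_SU_BINARY    = 1;      // su binary on a known path
    public static final int SIG_TEST_KEYS    = 1 << 1; // build signed with test-keys
    public static final int SIG_MAGISK_DIR   = 1 << 2; // assumed Magisk indicator path present
    public static final int SIG_FRIDA_MAPPED = 1 << 3; // frida library mapped into this process

    public static int collectSignals() {
        int mask = 0;
        for (String p : SU_PATHS) {
            if (new File(p).exists()) { mask |= SIG_SU_BINARY; break; }
        }
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) {
            mask |= SIG_TEST_KEYS;
        }
        if (new File("/sbin/.magisk").exists()) {   // assumption: example indicator path
            mask |= SIG_MAGISK_DIR;
        }
        if (fridaMapped()) {
            mask |= SIG_FRIDA_MAPPED;
        }
        return mask;
    }

    // Reads this process's own memory map and looks for a frida library.
    // A hooking tool can defeat this too, which is exactly why it is only
    // one signal among several and never the verdict by itself.
    private static boolean fridaMapped() {
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = r.readLine()) != null) {
                if (line.contains("frida")) return true;
            }
        } catch (IOException ignored) {
            // An unreadable map is unusual in itself; treated as "no evidence" here.
        }
        return false;
    }

    // Payload sent to the backend. attestationToken is assumed to come from
    // a server-verifiable attestation API and to be a plain base64 string;
    // the server combines its own verdict with these hints.
    public static String buildIntegrityReport(int signalMask, String attestationToken) {
        return "{\"signals\":" + signalMask
             + ",\"attestation\":\"" + attestationToken + "\"}";
    }
}
```

Any single method in the stronger variant can still be hooked, and a patched smali file can still zero the mask; the difference is that an attacker now has to find and neutralise every contributor and the server-side decision, rather than one condition or one return value. When you assess an application, the question to ask is therefore not only “does it detect root?” but “how many independent points must be changed before the detection is gone?”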


6. Using Frida scripts

Here comes the most widely used root detection bypass method.

Step 1: Make sure the frida server is running on your device and the USB cable is properly connected (if it is a physical device)

Step 2: Also make sure that your PC and the device have established a proper frida connection.

Step 3: You can verify the frida connection using the command shown in the image below.

Step 4: There are popular Frida scripts in Codeshare and Git repositories for bypassing root detection mechanisms.

Our favourite one is:

  1. https://codeshare.frida.re/@dzonerzy/fridantiroot/

Step 5: Now attach frida to your application and load the frida script with the command shown in the image below.


7. Medusa Framework

Similar to the Objection tool, MEDUSA is a flexible framework that automates procedures and methods used in the dynamic analysis of Android applications.

Git repo: Ch0pin/medusa: Binary instrumentation framework based on FRIDA (https://github.com/Ch0pin/medusa)

Step 1: Launch medusa

Step 2: Use the helpers/anti_debug module for bypassing the root detection

Step 3: Follow the steps illustrated in the following screenshots.

Bypassing root detection during the run time


Conclusion

While root detection may pose a significant hurdle in Android penetration testing, armed with the right knowledge and tools, security professionals have an array of methods at their disposal to overcome these obstacles effectively. By staying informed, adapting to new techniques, and leveraging the capabilities of various tools and frameworks, security experts can navigate through root detection mechanisms with confidence, ensuring comprehensive testing and robust security measures for Android applications.

ValueMentor specializes in offering tailored security solutions to businesses, including penetration testing, vulnerability assessments, and risk management. We offer enhanced protection to our clients’ Android applications, ensuring resilience against root detection evasion and bolstering overall security posture.
