Device Rooting
When performing a penetration test on a mobile application that refuses to run when it detects a rooted device, bypassing this protection is necessary before we can proceed with dynamic analysis. Fortunately, there are several ways to defeat root detection, some more complicated than others, and some that do not always work, so choosing the correct method is the first step in a successful root detection bypass. Before deciding on the appropriate bypass, however, we have to understand the techniques used to detect a rooted device. The following are the most common techniques and are discussed further in
Check the BUILD tag for the “test-keys” string.
Check for the existence of the “Superuser.apk” application.
Search for other applications that are usually installed on a rooted device.
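As an added example, not code from the original page, the three detection techniques above written as plain Java that compiles without the Android SDK: the values a real app would read from android.os.Build.TAGS and PackageManager.getInstalledPackages() are passed in as parameters, and the su binary paths and root-manager package names are an assumed list, not one the page gives.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Root signals an Android app can inspect. Inputs are injected so this compiles with plain javac. */
public final class RootSignals {

    // Classic location of the Superuser app on older rooted ROMs (check 2 on the page).
    static final String SUPERUSER_APK = "/system/app/Superuser.apk";

    // Locations where an su binary is commonly placed (assumed list, not from the page).
    static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su", "/system/sd/xbin/su"
    };

    // Package names of well-known root-management apps (check 3 on the page; assumed list).
    static final List<String> ROOT_MANAGER_PACKAGES = Arrays.asList(
        "eu.chainfire.supersu",
        "com.noshufou.android.su",
        "com.koushikdutta.superuser",
        "com.topjohnwu.magisk");

    private RootSignals() {}

    /** Check 1: production builds carry "release-keys"; "test-keys" indicates a custom or developer ROM. */
    static boolean hasTestKeys(String buildTags) {
        return buildTags != null && buildTags.contains("test-keys");
    }

    /** Resolves an absolute device path under a configurable root (the real device uses "/"). */
    private static File at(File root, String absolutePath) {
        return new File(root, absolutePath.substring(1));
    }

    /** Check 2: the legacy Superuser.apk on the system partition. */
    static boolean superuserApkPresent(File root) {
        return at(root, SUPERUSER_APK).exists();
    }

    /** Companion file check: any of the usual su binary locations. */
    static boolean suBinaryPresent(File root) {
        for (String p : SU_PATHS) {
            if (at(root, p).exists()) return true;
        }
        return false;
    }

    /** Check 3: root-manager packages among the installed package names. */
    static List<String> rootManagersInstalled(Collection<String> installedPackages) {
        List<String> hits = new ArrayList<>();
        for (String pkg : ROOT_MANAGER_PACKAGES) {
            if (installedPackages.contains(pkg)) hits.add(pkg);
        }
        return hits;
    }

    /** Reports every signal by name so the app can log which ones fired instead of one boolean. */
    static Map<String, Boolean> collect(String buildTags, File root, Collection<String> installedPackages) {
        Map<String, Boolean> signals = new LinkedHashMap<>();
        signals.put("build-tags-test-keys", hasTestKeys(buildTags));
        signals.put("superuser-apk", superuserApkPresent(root));
        signals.put("su-binary", suBinaryPresent(root));
        signals.put("root-manager-app", !rootManagersInstalled(installedPackages).isEmpty());
        return signals;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample environment: a temp dir standing in for "/" with a fake su binary.
        File fakeRoot = Files.createTempDirectory("fakeroot").toFile();
        File su = new File(fakeRoot, "system/xbin/su");
        su.getParentFile().mkdirs();
        su.createNewFile();
        List<String> installed = Arrays.asList("com.android.chrome", "com.topjohnwu.magisk");

        Map<String, Boolean> result = collect("test-keys", fakeRoot, installed);
        result.forEach((name, fired) -> System.out.println(name + " = " + fired));
    }
}
```

Each check reduces to a single boolean-returning method, which is exactly what the smali branch flip and the runtime hook described further down on this page target; evaluating the named signals in more than one place, and not funnelling them through one method whose result decides whether the app exits, raises the cost of a one-line patch.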
The bypass methods covered below are:
Using the RootCloak application.
Modifying the smali code.
Hooking the application during runtime using Frida.
If the application uses Cordova:
Delete the root detection plugin folder from the Cordova plugins and then re-compile the application.
Modify the JavaScript code and then re-compile the application.
Choose the exact API version for your Android device.
Open the Xposed application on the device.
Install the RootCloak module from Xposed.
Open RootCloak and select your target application to bypass.
First we need to decompile the application using APKTool.
Finding where the checks are done may take some time. To speed things up you can search for words such as device or rooted, or words that appear in the error message when you start the application.
Open the smali/ folder in a text editor and start searching.
So to patch the root detection check so that it always returns zero, we have to change the branch from if-nez v0, :cond_1 to if-nez v0, :cond_0. This reverses the check so that it skips the rooted-device code if v0 is not equal to zero.
Then we transfer frida-server to /data/local/tmp, make it executable and start it on the device:
adb push frida-server /data/local/tmp
adb shell chmod +x /data/local/tmp/frida-server
adb shell /data/local/tmp/frida-server &
Then we need to install the Frida client: pip install frida-tools
Check the installed applications on the remote device:
frida-ps -U
Now, to hook the script into the application during runtime, we need to run the following command:
frida -l root-bypass.js -U -f <app.package.com> --no-pause
Method 1
Decompile the application using APKTool.
Go to the plugins/ folder, find the root-detection plugin and delete it.
Re-compile the application.
Method 2
Use a text editor and search the application files for words like rooted or device.
Modify the function and re-compile the application.
First we need to download the Xposed framework from here:
Install the Xposed APK from here:
First we need to install the Frida server on our rooted device:
Choose the
Then we will download the root-bypass script from here: