# Device Rooting

## Rooted Device Error Message

When performing a penetration test on a mobile application that refuses to run when it detects a rooted device, bypassing this protection is necessary before we can proceed with dynamic analysis. Fortunately there are several ways to defeat root detection, some more complicated than others and some that don’t always work, so choosing the correct method is the first step in a successful root detection bypass. Before deciding on the appropriate bypass, however, we have to understand the techniques used to detect a rooted device. The most common techniques are listed below and are discussed further in [this article](http://resources.infosecinstitute.com/android-hacking-security-part-8-root-detection-evasion/).

1. Check the BUILD tag for the “test-keys” string.
2. Check for the existence of the “Superuser.apk” application.
3. Search for other applications that are usually installed on a rooted device.
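As an added illustration (not code from the original page), this is how the three checks above typically look in an Android application's Java code; the list of root-management package names is a constructed sample. Note that every check collapses into a single boolean branch, which is why the Smali and Frida methods below can defeat it by flipping or hooking one return value.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Build;
import java.io.File;

/** Root checks matching the three detection techniques listed above. */
public final class RootDetection {

    // Package names of apps commonly found on rooted devices (constructed sample list).
    private static final String[] ROOT_APPS = {
        "eu.chainfire.supersu",
        "com.noshufou.android.su",
        "com.koushikdutta.superuser",
        "com.thirdparty.superuser",
    };

    // 1. Test-signed (non-release) builds carry "test-keys" in the build tags.
    public static boolean hasTestKeys() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    // 2. Superuser.apk is dropped into /system/app on many rooted devices.
    public static boolean hasSuperuserApk() {
        return new File("/system/app/Superuser.apk").exists();
    }

    // 3. Look for applications that usually only exist on a rooted device.
    public static boolean hasRootManagementApp(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        for (String pkg : ROOT_APPS) {
            try {
                pm.getPackageInfo(pkg, 0);
                return true; // package is installed
            } catch (PackageManager.NameNotFoundException ignored) {
                // not installed, try the next candidate
            }
        }
        return false;
    }

    // Single decision point: the value an attacker patches or hooks.
    public static boolean isDeviceRooted(Context ctx) {
        return hasTestKeys() || hasSuperuserApk() || hasRootManagementApp(ctx);
    }
}
```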

## Bypass Methods

* Using the **RootCloak** Xposed module
* Modifying the **Smali** code
* Hooking the application at runtime using **Frida**
* If the application uses Cordova:
  * Delete the root detection plugin folder from the Cordova plugins and then re-compile the application
  * Modify the JavaScript code and then re-compile the application

### RootCloak

* First we need to download the Xposed framework from here: <https://dl-xda.xposed.info/framework/>
  * Choose the exact API version for your Android device
* Install the Xposed Installer APK from here: <https://xposed-installer.en.uptodown.com/android>
* Open the Xposed application on the device
* Install the **RootCloak** module from Xposed
* Open **RootCloak** and then choose your target application to bypass

### Patching Smali Code

* First we need to decompile the application using APKTool
* Finding where the checks are done may take some time. To speed things up you can search for words such as `device` or `rooted`, or **words that appear in the error message** when you start the application.
* Open the smali/ folder in a text editor and start searching
* To patch the root detection check so that it always returns zero, we change the conditional branch from `if-nez v0, :cond_1` to `if-nez v0, :cond_0`. This reverses the check so that the rooted-device code path is skipped when `v0` is not equal to zero.

### Bypass using Frida

* First we need to install the frida server on our rooted device: <https://github.com/frida/frida/releases/tag/12.11.18>
  * Choose the [frida-server-12.11.18-android-x86.xz](https://github.com/frida/frida/releases/download/12.11.18/frida-server-12.11.18-android-x86.xz) build (this one is for x86 devices and emulators)
* Then we transfer the frida-server binary to /data/local/tmp and start it from an `adb shell` on the device:
  * `adb push frida-server /data/local/tmp`
  * `chmod +x frida-server`
  * `./frida-server`
* Then we need to install the frida client: `pip install frida-tools`
* Check the installed applications on the connected device:
  * `frida-ps -U`
* Then we download the root-bypass script from here: <https://gist.github.com/pich4ya/0b2a8592d3c8d5df9c34b8d185d2ea35>
* Now, to hook the script into the application during runtime, we run the following command:
  * `frida -l root-bypass.js -U -f <app.package.com> --no-pause`

### Cordova Root Bypass

**Method 1**

* Decompile the application using APKTool
* Go to the plugins/ folder, search for the root-detection plugin and delete it
* Re-compile the application

**Method 2**

* Use a text editor and search the application files for words like `rooted` or `device`
* Modify the function and re-compile the application
