Device Rooting

Rooted Device Error Message

When performing a penetration test on a mobile application that prevents execution when it detects a rooted device, bypassing this protection is necessary before we can proceed with dynamic analysis. Fortunately there are several ways to defeat root detection, some more complicated than others and some methods that don’t always work. So choosing the correct method is the first step in a successful root detection bypass. However before deciding on the appropriate bypass we have to understand the techniques used to detect a rooted device. The following are the most common techniques and are discussed further in this article.

1. Check the BUILD tag for the “test-keys” string.

2. Check for the existence of the “Superuser.apk” application.

3. Search for other applications that are usually installed on a rooted device

Bypass Methods

• Using RootClock application

• Modify the Smali code

• Hooking the application during runtime using frida

• in case the application using Cordova:

  • delete the root detection plugin folder from Cordova plugin and then re-compile the application

  • Modify the Javascript code and then re-compile the application

RootClock

• First we need to download Xposed framework from here : https://dl-xda.xposed.info/framework/

  • Choose the exact api version for your android device

• Install Xposed APK from here : https://xposed-installer.en.uptodown.com/android
• Open Xposed application from the device

• Install rootclock application from Xposed

• Open rootclock, and then choose to bypass for your target application

Patching Smali Code

• First we need to decompile the application using APKTool

• Finding where the check\s are done may take some time. To speed things up you can search for words such as device or rooted or words that appear on the error message when you start the application.

• Open the smali/ folder in text editor and start search

• So to patch the root detection check so that it always returns zero, we have to change the return function from if-nez v0, :cond_1 to if-nez v0, :cond_0. This is reversing the check so that it skips the rooted device code if v0 is not equal to zero.

Bypass using Frida

• First we need to install frida server in our rooted device : https://github.com/frida/frida/releases/tag/12.11.18

  • Choose the frida-server-12.11.18-android-x86.xz
• Then we transfer the frida-server to /data/local/tmp

  • adb push frida-server /data/local/tmp

  • chmod +x frida-server

  • ./frida-server

• Then we need to install frida client : pip install frida-tools

• Check for installed application in the remote device

  • frida-ps -U

• Then we will download root-bypass script form here : https://gist.github.com/pich4ya/0b2a8592d3c8d5df9c34b8d185d2ea35
• Now, to hook the script in the application dueing runtime we need to run the following command

  • frida -l root-bypass.js -U -f <app.package.com> --no-pause

Cordova Root Bypass

Method 1

• Decompile the application using APKTool

• go to plugins/ folder and search for root-detection plugin, delete it.

• re-compile the application again.

Method 2

• Use text editor and search in the application files for the words like rooted || device

• Modify the function and re-compile the application