Device Rooting
Figure: Rooted Device Error Message
When performing a penetration test on a mobile application that refuses to run when it detects a rooted device, this protection has to be bypassed before dynamic analysis can begin. Fortunately there are several ways to defeat root detection; some are more involved than others, and some do not work in every case, so choosing the right method is the first step in a successful bypass. Before deciding on a bypass, however, we have to understand the techniques used to detect a rooted device. The most common ones are listed below and are discussed further in this article.
Check the BUILD tag for the “test-keys” string.
Check for the existence of the “Superuser.apk” application.
Search for other applications that are usually installed on a rooted device.
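The three checks listed above, implemented as an Android helper class in Java. This is an added illustration, not code from the article; the package names in OTHER_ROOT_APPS are an assumed, non-exhaustive list of well-known root-management apps, and the Superuser.apk path is its usual system location.

```java
// Added example: the three root-detection techniques listed in the article,
// written as an Android helper. Package names below are an assumed list.
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Build;
import java.io.File;

public final class RootChecks {
    // Assumed package names of apps commonly present on rooted devices.
    private static final String[] OTHER_ROOT_APPS = {
        "eu.chainfire.supersu",
        "com.noshufou.android.su",
        "com.topjohnwu.magisk"
    };

    // Technique 1: a build signed with test-keys indicates a non-release ROM.
    public static boolean buildTagsContainTestKeys() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    // Technique 2: look for the Superuser.apk binary on the system partition.
    public static boolean superuserApkExists() {
        return new File("/system/app/Superuser.apk").exists();
    }

    // Technique 3: ask PackageManager whether other root-management apps exist.
    public static boolean rootAppsInstalled(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        for (String pkg : OTHER_ROOT_APPS) {
            try {
                pm.getPackageInfo(pkg, 0);
                return true; // found an installed root app
            } catch (PackageManager.NameNotFoundException ignored) {
                // not installed, try the next candidate
            }
        }
        return false;
    }

    // Any single positive check is treated as a rooted device.
    public static boolean isDeviceRooted(Context ctx) {
        return buildTagsContainTestKeys()
                || superuserApkExists()
                || rootAppsInstalled(ctx);
    }
}
```

Every one of these checks reads data the device owner controls (Build.TAGS, the file system, the installed package list), which is exactly why the bypass methods described in the rest of this article work against them. They are useful as defence in depth, not as a security boundary on their own.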
Bypass Methods
Using the RootCloak application
Modify the Smali code
Hooking the application during runtime using frida
If the application is built with Cordova:
Delete the root detection plugin folder from the Cordova plugins directory and then re-compile the application
Modify the JavaScript code and then re-compile the application
RootCloak
First we need to download the Xposed framework from here: https://dl-xda.xposed.info/framework/
Choose the build that matches the exact API version of your Android device
Install the Xposed installer APK from here: https://xposed-installer.en.uptodown.com/android
Open the Xposed application on the device
Install the RootCloak module from within Xposed
Open RootCloak, then select your target application as the one to bypass
Patching Smali Code
First we need to decompile the application using APKTool.
Finding where the checks are done may take some time. To speed things up you can search for words such as
device
or
rooted
or for words that appear in the error message shown when you start the application. Open the smali/ folder in a text editor and start searching.
To patch the root detection check so that it always returns zero, we change the conditional branch from
if-nez v0, :cond_1
to
if-nez v0, :cond_0
This reverses the check so that the rooted-device code is skipped when v0 is not equal to zero.
Bypass using Frida
First we need to install frida-server on our rooted device: https://github.com/frida/frida/releases/tag/12.11.18
Choose frida-server-12.11.18-android-x86.xz (this is the x86 build, suitable for an x86 emulator; pick the build that matches your device's architecture).
After extracting the archive, transfer frida-server to /data/local/tmp on the device, make it executable and start it:
adb push frida-server /data/local/tmp
adb shell "chmod +x /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"
Then we need to install the Frida client on the host machine: pip install frida-tools
Check the applications running on the connected device:
frida-ps -U
Then we download the root-bypass script from here: https://gist.github.com/pich4ya/0b2a8592d3c8d5df9c34b8d185d2ea35
Now, to hook the script into the application during runtime, we run the following command:
frida -l root-bypass.js -U -f <app.package.com> --no-pause
Cordova Root Bypass
Method 1
Decompile the application using APKTool.
Go to the plugins/ folder, search for the root-detection plugin and delete it.
Re-compile the application.
Method 2
Using a text editor, search the application files for words such as
rooted
or
device
Modify the detection function and re-compile the application.