Android-Pentesting- Android Appsec (Kotlin) Bypassing security checks

Android Appsec is an intentionally made vulnerable application made by https://twitter.com/hpandro1337 for educating about security in android applications for learning purposes so I will be taking a look into bypassing checks for root detection , magisk , su , busybox , root cloak ,EdXposed/Xposed

This application can be downloaded from here https://github.com/RavikumarRamesh/hpAndro1337/tree/main/Android%20AppSec%20(Kotlin)/1.2

I have already made a post about setting up lab environment so do check this out as well

Going into root detection section it lists what it’s checking for

This app also explains about root detection it’s methods which is good

The first check that we have to bypass is for root management apps

Bypassing Security Checks

So what root management apps basically are that give root permissions to some applications that can run as a root user , the most commonly used apps are magisk and superuser

We can see that on clicking Check root it lists these packages as they got detected by this application as this emulator is rooted and has magisk installed. There are many ways that can bypass this check , could be by reversing the application understanding it's source code , making changes , compiling it back and signing the apk with a certificate which can be a little time consuming so I went with using Frida which is a tool which runs at runtime and dynamically hooks the application

First we need to get the package name of the application by checking the running processes

Make sure that frida is installed on your OS , verify that frida is able to communicate with the android device by running frida-ps -U which will list the processes from the device

Now that it’s working we need to run a universal script for root detection bypass , there are plenty scripts available online you could also come up with your script but for now I am using this one

https://codeshare.frida.re/@dzonerzy/fridantiroot/

frida --codeshare dzonerzy/fridantiroot -f com.hpandro.androidsecurity -U

As you’ll run with a script it will prompt you to use %resume

This will bypass all the checks for magisk ,su binary , busybox binary

Now this bypassed the check for magisk application but failed to bypass for superuser which we would have to do it through objection or reversing the application but this will bypass most of the security checks

Bypassed Dangerous Props

This will also bypass check for system property which is ro.debuggable": "1" which allows users to debug any android application regardless of what is set in androidmanifest.xml file and ro.secure": "0" which allows the adb shell to run as root user so this must be changed to ro.debuggable": "0" and ro.secure": "1"

Bypassed BusyBox Binaries

Busybox is a suite of linux binaries like cat , chmod , wget , actually most of the commonly used commands in linux , so frida script also bypasses this check

Bypassed Su Binary

Su is a command which is used to switch users in linux and this can be used to switch to root user , frida script also bypass this check as well

Bypassed RW

RW means read write and it’s a security risk that a device can read and write in the following paths when it’s rooted

/system
/system/bin
/system/sbin
/vendor/bin
/sbin
/etc

Bypassed Root Cloaking

Root cloaking apps are apps that are used for hiding root detection in the device , the commonly used apps are RootCloak and Xposed/EdXposed so this script bypasses this check as well

The checks that this script failed to bypass is for EdXposed which comes in Potentially Dangerous Task and Test keys

Bypassing Potentially Dangerous Task

Since frida script failed to bypass this check , we’ll go with using objection which works with frida but provides more options and we can do much with it

objection --gadget com.hpandro.androidsecurity explore

Now we need to know the name of this activity , so we’ll use this command to list all activities available in the application

android hooking list activities

This lists a lot of activities but we only are concerned about dangerous task activity

Now that we have noted the activity name , we need to list the methods used in this activity which returns the check for apps that should not be on the rooted device

To load methods of the activity com.hpandro.androidsecurity.ui.activity.task.rootDetection.PotentiallyDangerousTaskActivity we need to first make sure that it's currently launched else it won't load the methods

android hooking search methods com.hpandro.androidsecurity ui.activity.task.rootDetection.PotentiallyDangerousTaskActivity

But we don’t know the what these methods return , we need to look for a method that returns either true or false when it detects applications from the list

android hooking list class_methods com.hpandro.androidsecurity.ui.activity.task.rootDetection.PotentiallyDangerousTaskActivity

Now we need to watch this public final boolean com.hpandro.androidsecurity.ui.activity.task.rootDetection.PotentiallyDangerousTaskActivity.detectPotentiallyDangerousApps method's arguments that what value does it return when it's called

android hooking watch class_method com.hpandro.androidsecurity.ui.activity.task.rootDetection.PotentiallyDangerousTaskActivity.detectPotentiallyDangerousApps
 --dump-args --dump-backtrace --dump-return

This returned True so we need to make it return False

android hooking set return_value com.hpandro.androidsecurity.ui.activity.task.rootDetection.PotentiallyDangerousTaskActi
vity.detectPotentiallyDangerousApps false

Now when hit the button to launch the method it will set the return value to false and thus bypassing this check

Bypassing Test-Keys

There are two keys , release-keys and test-keys , release-keys mean that the android kernel version when it's compiled it's signed withofficial keys , test-keys mean that kernel version is signed with a custom key or from a 3rd party

So to bypass this we can follow the same procedure as we did for bypassing dangerous task by finding the activity name and listing the methods and the arguments

android hooking watch class_method com.hpandro.androidsecurity.ui.activity.task.rootDetection.TestKeysTaskActivity.check
FlagTestKeys --dump-args --dump-backtrace --dump-return

This returns true so we need to change this to false and this hopefully would bypass this check

Lastly the superuser package that the frida script failed to bypass , we can bypass with objection easily by changing the return value of the function which returns true or false to false making it bypass the check

android hooking set return_value com.hpandro.androidsecurity.ui.activity.task.rootDetection.RootManagementTaskActivity.isAnyPackageFromListInstalled false

And with this we have bypassed all security checks that were made in this application , however there’s still about SafetyNet which provides set of services and APIs that help protect your app against security threats, including device tampering, bad URLs, potentially harmful apps, and fake users but this hasn’t been implemented in this application so we’ll be skipping this

One thing to note that we don’t really need these tools to bypass root detection this all could be done by decompiling the apk and manually changing the strings in smali file which makes it easy to re-compile it back and sign the apk with a certificate.

Here’s a link for manually bypassing these checks which I have showcased in other application.

References

• https://codeshare.frida.re/@dzonerzy/fridantiroot/
• https://stackoverflow.com/questions/37143960/androidstudio-what-does-debuggable-do
• https://github.com/RavikumarRamesh/hpAndro1337/tree/main/Android%20AppSec%20(Kotlin)/1.2
• https://book.hacktricks.xyz/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial
• https://stackoverflow.com/questions/18808705/android-root-detection-using-build-tags