Android Pentesting: Android AppSec (Kotlin) - Bypassing Security Checks
Android AppSec is an intentionally vulnerable application made by https://twitter.com/hpandro1337 for teaching security in Android applications, so I will be taking a look at bypassing its checks for root detection: Magisk, su, BusyBox, root cloaking apps and EdXposed/Xposed.
The application can be downloaded from https://github.com/RavikumarRamesh/hpAndro1337/tree/main/Android%20AppSec%20(Kotlin)/1.2
I have already made a post about setting up the lab environment, so do check that out as well.
Going into the root detection section, the app lists what it checks for.
The app also explains its root detection methods, which is good.
The first check that we have to bypass is for root management apps.
Bypassing Security Checks
Root management apps are apps that grant root permissions to other applications so they can run as the root user; the most commonly used ones are Magisk and Superuser.
On clicking Check root, the app lists these packages as detected, because this emulator is rooted and has Magisk installed. There are many ways to bypass this check. One is to reverse the application, understand its source code, make changes, recompile it and sign the APK with a certificate, which can be a little time consuming, so I went with Frida, a tool that runs at runtime and dynamically hooks the application.
First we need the package name of the application, which we get by checking the running processes.
Make sure that Frida is installed on your OS, then verify that Frida can communicate with the Android device by running
frida-ps -U
which lists the processes on the device.
Now that it's working, we need to run a universal root detection bypass script. There are plenty of scripts available online and you could also write your own, but for now I am using this one:
https://codeshare.frida.re/@dzonerzy/fridantiroot/
frida --codeshare dzonerzy/fridantiroot -f com.hpandro.androidsecurity -U
When you run Frida with a script it will prompt you to type %resume.
This bypasses the checks for Magisk, the su binary and the BusyBox binary.
It bypassed the check for the Magisk application but failed to bypass the one for Superuser, which we will have to handle through objection or by reversing the application; still, it bypasses most of the security checks.
Bypassed Dangerous Props
This also bypasses the check for the system properties ro.debuggable = 1, which allows users to debug any Android application regardless of what is set in its AndroidManifest.xml file, and ro.secure = 0, which allows the adb shell to run as the root user, so these must be changed to ro.debuggable = 0 and ro.secure = 1.
Bypassed BusyBox Binaries
BusyBox is a suite of Linux binaries such as cat, chmod and wget; in fact it bundles most of the commonly used Linux commands. The Frida script bypasses this check as well.
Bypassed Su Binary
su is a command used to switch users in Linux, and it can be used to switch to the root user. The Frida script bypasses this check as well.
Bypassed RW
RW means read-write, and it is a security risk that a rooted device can read and write in the following paths:
/system
/system/bin
/system/sbin
/vendor/bin
/sbin
/etc
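As an added example (not code from the hpAndro application or the Frida script), this is how the read-write check above can be evaluated from a mount table: /proc/mounts lists each filesystem as "device mountpoint fstype options dump pass", and a path is writable at the filesystem level when the deepest mount containing it carries the rw option. The two mount tables are constructed samples, and the path list is the one from the post.

```python
# Added example (not code from the hpAndro application): evaluates the
# /proc/mounts format to find which of the sensitive paths above are backed
# by a read-write filesystem. Sample mount tables below are constructed.

SENSITIVE_PATHS = ["/system", "/system/bin", "/system/sbin",
                   "/vendor/bin", "/sbin", "/etc"]


def parse_mounts(text):
    """Parse /proc/mounts lines ("device mountpoint fstype options dump pass")
    into a list of (mountpoint, set_of_options); malformed lines are skipped."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mounts.append((fields[1], set(fields[3].split(","))))
    return mounts


def mount_for(path, mounts):
    """Return (mountpoint, options) of the deepest mount containing `path`.
    A path inherits the ro/rw mode of the filesystem it lives on, so the
    longest mountpoint prefix wins (e.g. /system/bin -> /system, /sbin -> /)."""
    best = None
    for mountpoint, options in mounts:
        prefix = mountpoint.rstrip("/") + "/"
        if path == mountpoint or path.startswith(prefix):
            if best is None or len(mountpoint) > len(best[0]):
                best = (mountpoint, options)
    return best


def writable_sensitive_paths(mounts_text):
    """Return the sensitive paths whose backing filesystem carries the rw option."""
    mounts = parse_mounts(mounts_text)
    writable = []
    for path in SENSITIVE_PATHS:
        found = mount_for(path, mounts)
        if found is not None and "rw" in found[1]:
            writable.append(path)
    return writable


# Constructed sample: /system remounted read-write, as on a classic rooted device.
ROOTED_MOUNTS = """\
rootfs / rootfs ro,seclabel 0 0
/dev/block/vda1 /system ext4 rw,seclabel,relatime 0 0
/dev/block/vda2 /vendor ext4 ro,seclabel,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime 0 0
"""

# Constructed sample: stock layout with every system partition read-only.
STOCK_MOUNTS = """\
/dev/block/dm-0 / ext4 ro,seclabel,relatime 0 0
/dev/block/dm-1 /vendor ext4 ro,seclabel,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime 0 0
"""

if __name__ == "__main__":
    print("rooted:", writable_sensitive_paths(ROOTED_MOUNTS))
    print("stock:", writable_sensitive_paths(STOCK_MOUNTS))
```

Reading the mount table is one common way an app implements this check; another is simply trying File(path).canWrite() on each directory. Either way the answer is computed inside the app's own process, which is exactly why the Frida script in the post can make the check report whatever it wants.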
Bypassed Root Cloaking
Root cloaking apps hide root from detection on the device; the commonly used ones are RootCloak and Xposed/EdXposed. This script bypasses this check as well.
The checks that this script failed to bypass are the one for EdXposed, which falls under Potentially Dangerous Task, and the Test keys check.
Bypassing Potentially Dangerous Task
Since the Frida script failed to bypass this check, we'll use objection, which works on top of Frida but provides more options and lets us do much more with it.
objection --gadget com.hpandro.androidsecurity explore
Now we need the name of this activity, so we use this command to list all activities in the application:
android hooking list activities
This lists a lot of activities, but we are only concerned with the dangerous task activity.
Now that we have noted the activity name, we need to list the methods used in this activity that return the check for apps that should not be on a rooted device.
To load the methods of the activity com.hpandro.androidsecurity.ui.activity.task.rootDetection.PotentiallyDangerousTaskActivity
we first need to make sure it is currently launched, otherwise objection won't load the methods.
android hooking search methods com.hpandro.androidsecurity.ui.activity.task.rootDetection.PotentiallyDangerousTaskActivity
But we don't know what these methods return; we need to find a method that returns either true or false when it detects applications from the list.
android hooking list class_methods com.hpandro.androidsecurity.ui.activity.task.rootDetection.PotentiallyDangerousTaskActivity
Now we need to watch the method public final boolean com.hpandro.androidsecurity.ui.activity.task.rootDetection.PotentiallyDangerousTaskActivity.detectPotentiallyDangerousApps
and its arguments, to see what value it returns when it is called.
android hooking watch class_method com.hpandro.androidsecurity.ui.activity.task.rootDetection.PotentiallyDangerousTaskActivity.detectPotentiallyDangerousApps --dump-args --dump-backtrace --dump-return
This returned true, so we need to make it return false.
android hooking set return_value com.hpandro.androidsecurity.ui.activity.task.rootDetection.PotentiallyDangerousTaskActivity.detectPotentiallyDangerousApps false
Now when we hit the button that launches the method, its return value will be set to false, bypassing this check.
Bypassing Test-Keys
There are two kinds of keys, release-keys and test-keys. release-keys means that the Android kernel version was signed with official keys when it was compiled; test-keys means that it was signed with a custom key or one from a third party.
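As an added example (not code from the hpAndro application or the Frida script) covering both the Dangerous Props section and the test-keys check, this parses an adb shell getprop dump and evaluates the three properties the post discusses: ro.debuggable, ro.secure and ro.build.tags, the last being the property an app sees as Build.TAGS. The two dumps are constructed samples; the "[name]: [value]" line format is the real getprop output format.

```python
# Added example (not code from the hpAndro application or the Frida script):
# parses an `adb shell getprop` dump and evaluates the three properties the
# post discusses: ro.debuggable, ro.secure and ro.build.tags (the property
# exposed to apps as Build.TAGS). The dumps below are constructed samples.

import re

# Real getprop output format, one property per line: "[name]: [value]"
_PROP_LINE = re.compile(r"^\[(?P<name>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")

# Values a production device is expected to have; anything else is a finding.
EXPECTED_PROPS = {
    "ro.debuggable": "0",  # 1: any app can be debugged, whatever its manifest says
    "ro.secure": "1",      # 0: adb shell starts as root
}


def parse_getprop(dump):
    """Parse getprop output into a {name: value} dict; non-matching lines are ignored."""
    props = {}
    for line in dump.splitlines():
        match = _PROP_LINE.match(line.strip())
        if match:
            props[match.group("name")] = match.group("value")
    return props


def dangerous_props(props):
    """Return {name: actual_value} for every property that deviates from EXPECTED_PROPS.
    A missing property is reported as "<missing>" rather than silently passing."""
    return {name: props.get(name, "<missing>")
            for name, expected in EXPECTED_PROPS.items()
            if props.get(name) != expected}


def has_test_keys(props):
    """True when the build is signed with test-keys, i.e. the same condition an app
    checks with Build.TAGS.contains("test-keys")."""
    return "test-keys" in props.get("ro.build.tags", "")


def assess(dump):
    """Summarise the findings for one getprop dump."""
    props = parse_getprop(dump)
    findings = [f"{name}={value}" for name, value in sorted(dangerous_props(props).items())]
    if has_test_keys(props):
        findings.append("ro.build.tags=" + props["ro.build.tags"])
    return {"findings": findings, "rooted_indicators": len(findings)}


# Constructed sample: rooted emulator (userdebug build) as in the post.
ROOTED_EMULATOR_DUMP = """\
[ro.build.tags]: [test-keys]
[ro.build.type]: [userdebug]
[ro.debuggable]: [1]
[ro.secure]: [0]
[ro.product.model]: [sdk_gphone_x86]
"""

# Constructed sample: production (user) build.
PRODUCTION_DUMP = """\
[ro.build.tags]: [release-keys]
[ro.build.type]: [user]
[ro.debuggable]: [0]
[ro.secure]: [1]
[ro.product.model]: [example-phone]
"""

if __name__ == "__main__":
    print("rooted emulator:", assess(ROOTED_EMULATOR_DUMP))
    print("production:", assess(PRODUCTION_DUMP))
```

A missing property is treated as a finding on purpose: a check that quietly passes when the value cannot be read is the kind of gap that gets exploited. As with every check in this post, the verdict is computed on the device, so a hooked process can still return whatever the attacker chooses; that is the gap a server-side attestation such as the SafetyNet service mentioned at the end of the post is meant to close.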
To bypass this we follow the same procedure as for the dangerous task check: find the activity name, then list the methods and their arguments.
android hooking watch class_method com.hpandro.androidsecurity.ui.activity.task.rootDetection.TestKeysTaskActivity.checkFlagTestKeys --dump-args --dump-backtrace --dump-return
This returns true, so we change it to false, which should bypass this check.
Lastly, the Superuser package that the Frida script failed to bypass can easily be bypassed with objection by changing the return value of the function that returns true or false to false, which makes the check pass.
android hooking set return_value com.hpandro.androidsecurity.ui.activity.task.rootDetection.RootManagementTaskActivity.isAnyPackageFromListInstalled false
With this we have bypassed all the security checks implemented in this application. There is still SafetyNet, which provides a set of services and APIs that help protect an app against security threats, including device tampering, bad URLs, potentially harmful apps and fake users, but it has not been implemented in this application, so we skip it.
One thing to note: we don't really need these tools to bypass root detection. All of this could be done by decompiling the APK and manually changing the strings in the smali files, then recompiling and signing the APK with a certificate.
Here's a link for manually bypassing these checks, which I have showcased in another application.
References
- https://codeshare.frida.re/@dzonerzy/fridantiroot/
- https://stackoverflow.com/questions/37143960/androidstudio-what-does-debuggable-do
- https://github.com/RavikumarRamesh/hpAndro1337/tree/main/Android%20AppSec%20(Kotlin)/1.2
- https://book.hacktricks.xyz/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial
- https://stackoverflow.com/questions/18808705/android-root-detection-using-build-tags