Android Pentesting-Bypassing Root Detection

For the demonstration of bypassing root detection I will be using a vulnerable apk known as insecurebankv2 which is quite showcased in talks and presentations however there are other vulnerable applications that you can try to practice black box test which involves root detection ,ssl pinning, defobfuscating code and calling intents

InsecureBankV2

This is a vulnerable bank application that I found from github (https://github.com/dineshshetty/Android-InsecureBankv2) which has a lot vulnerabilities that you can practice on

Download both the apk and AndroLabServer.zip

I’ll be using linux as for testing this application , and I have already installed tools like drozer , MobSF , objection and frida to analyze the application, to install this app we can use the command adb install InsecureBankv2.apk

And going back to the device we can see that application is installed

Setting up the backend server

It was mentioned on github that in order for this app to work properly we need to run the androlab server , so we need to install the dependencies that the python script needs

I tried installing through but for some reason it didn’t worked , so I just manually installed modules when it prompted errors

python pip flask sqlalchemy simplejson web.py

And then run the python file with python app.py

Viewing the application

So now that application’s backend server is running let’s explore the application

The first screen or the activity for this application is the login screen , so at the start it doesn’t matter what we put because the application will ask for us to setup the IP address where the server is running

Change the IP address according to the interface you have for internet connection , in my case I have wifi interface

Credentials are already given for this application on the github page so let’s use either one of the user

Now to note that that after getting passed the login activity we’ll another activity which will show 3 options , to transfer , view statement or change password also below it will show a text telling that our device rooted

Which is where Root Detection bypass comes in , a lot of banking applications will try to detect if the device is rooted or not if it is then then application will not run so there are many methods available to bypass root detection

Root Detection bypass

To bypass root detection I will be first showing to bypass it through frida script although we can try to use modules from EdXposed/Xposed or Magisk (which might not work ) also by decompiling the apk and modifying the code , building the apk again and then signing the apk with a certificate

Using Frida

Having frida already installed if it’s not you can install it with pip3 install frida , also pip3 intall frida-tools, if you have MobSF installed then frida might be already installed

To start frida , transfer the frida android server binary on to the device through adb push , giving it executable permissions launch it then on the host machine run frida-ps -U

To inject script we either need to know the package name of the apk or the process ID

Using a universal bypass script for root detection we can try to see if we get lucky and save time by not reversing the apk file

https://codeshare.frida.re/@dzonerzy/fridantiroot/

This is a universal script for bypassing root detecting it contains all possible checks that are used in applications to detect root

Run the script against the app package name , and after running the command the application will start again with the script loaded and you’ll see that it will bypass the check for rooted device

frida -U -f com.android.insecurebankv2 --codeshare dzonerzy/fridantiroot --no-pause

Using Objection

Now I’ll try to bypass root detection through objection which is a part of frida and is also to run scripts during runtime

Using the command

objection -g com.android.insecurebankv2 explore

This will launch the application again , then type android root disable this will try to disable root detection which most likely would fail , it would show that file existence for Superuser.apk is being marked as false but it didn't worked

So we have to explicitly make it the function which is checking for superuser.apk and make it return false and in order to do that we need to know name of the screen/activity and the method which is being called

It’s pretty clear that a function is called after login so it will be listed in com.android.insecurebankv2.PostLogin

These are two functions , the first one will check for su binary and second will check the superuser apk , both these functions will be returning a boolean value and as the status is "Device is rooted" it's returning true , so to make doesSUexist return flase we need to run this command

android hooking set return_value com.android.insecurebankv2.PostLogin.doesSUexist false

Using EdXposed RootCloak

I have already shown the way to install EdXposed on the device however it’s for version only from 8.0+ and EdXposed has a module called RootCloak

Install module enable it on which the device will ask to reboot enable this module

After rebooting , launch the application and add it in the list

And rootcloak also bypasses root detection

Using EdXposed Unrootbeer

Unrootbeer is an EdXposed module which is specially built for bypassing root detection on applications that are using RootBeer library for detecting root and in this case it will probably fail as this application isn’t using any library to detect root

Manually bypassing root detection

For static analysis I like to use MobSF which utilizes jadex to decomple apk which can also make a report of things it has find also we can analyze the source code

Here we need to provide the apk file and it will start analyzing it

Looking into the source code , we can search of strings in files so searching for the string superuser we can see there's only file that contains it which is PostLogin.java

If we look into our device su and superuser apk does exists

So to manually patch the apk , we need to decompile apk using apktool , modify the strings in smali file , recompile with apktool and sign the apk

apktool d -r InsecureBankv2.apk

Where d is used for decompiling and r for not decoding resources file

I ran grep to find the location of PostLogin file

Encountering strings “su” , “Superuser” or another binary , append “info” or anything to the binary name

After editing the strings ,verify there aren’t any more strings

Now to recompile into apk

The recompiled apk will be built in ./dist folder

But before installing this , we need to sing the apk

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore InsecureBankv2.apk alias_name

Install the application and set the server IP again , and after logging in you will see that text says device is not rooted

So these are some ways to bypass root detection however this was really simple as it was only looking for su binary and superuser application , it could also become more complex if the source code is obfuscated and they are using libraries like RootBeer which can also be bypassed using the same approach. In the next post I'll try to cover some methods of SSL pinning in this application.

References

• https://github.com/dineshshetty/Android-InsecureBankv2/releases/tag/2.3.1
• https://www.hebunilhanli.com/wonderland/mobile-security/root-detection-bypass/
• https://codeshare.frida.re/@dzonerzy/fridantiroot/
• https://github.com/jakev/unrootbeer
• https://book.hacktricks.xyz/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial
• https://stackoverflow.com/questions/10930331/how-to-sign-an-already-compiled-apk