# Root Detection Bypass ( Manual ) Root Detection are mechanisms implemented by developers for disabling the testers to install the application in the emulator or a rooted device. That mechanism can be evaded with objection, in case of you are restrained from using tools like objection. The manual approach would be the one which would help us as pentesters to get the job done ### Pre-requisite ```bash # Tools ## Apktool https://ibotpeaches.github.io/Apktool/install/ ## dex2jar https://github.com/pxb1988/dex2jar/releases/tag/v2.1 ## jd-gui, zipaligner, jarsigner sudo apt install jd-gui zipalign openjdk-11-jdk-headless ``` ## Summary The application androgoat features for testing multiple mobile pentesting vulnerabilities out of that, *root detection bypass* is the one we are going to be taken care of. Install the application in the emulator with adb. ```bash # connect adb connect :5555 # list the connected device adb devices # Install the application with adb adb install AndroGoat.apk ``` The application is successfully installed and can be verified ![pplication installed](/files/nn4rXYdTtaK519yfBv5c) Upon opening the applicaiton we see bunch of vulnerabilities for testing, the one we are focused now is the **ROOT DETECTION.** In that, we are provided with the option to check weather the host is rooted or not We see that the application says that the "Device is Rooted" ![Root Detected](/files/uRI1vwuRFxSQRqVyRQ42) Now we are going to bypass the root detection manullay ## Steps {% hint style="success" %} 1. Decompile the application 2. Conver the apk to jar file and inspect it with jd-gui 3. Find the root detection contents 4. Replace the strings in the function ( in smali code ) 5. Build the apk 6. Sign the apk with selfsigned certificaiton 7. Allign the apk 8. Install the apk {% endhint %} ### Decompile the Application * The applicatoin that I used for this tutorial is *Androgoat - \[*[*here*](https://github.com/satishpatnayak/MyTest/raw/master/AndroGoat.apk)*]* * Decompile the androgoat with the following command ```bash apktool d AndroGoat.apk ``` * A folder containing all the smali codes, AndroidManifest.xml files will be obtained * Once the folder AndroidGoat is obtained ( the folder name will be the same as the apk's name ) ### APK -> JAR * Conver the apk to the jar file with `d2j-dex2jar` ```bash ~/Downloads/dex_tools-2.1/d2j-dex2jar AndroGoat.apk ``` * A new file `AndroGoat-dex2jar.jar` will be obtained * That jar file can be viewed in `jd-gui` with `jd-gui AndroGoat-dex2jar.jar` * Once the jd-gui opens the jar file, search for contents like `Rooted, root, su etc..,` * The search feature can be found at the top of the `jd-gui` or with the hotkey `Ctrl + Shift + s` * We saw the application thrown us `Device is Rooted` now we will search where does this string exists in the decompiled section of the apk with **grep** ```bash grep -EnRi 'Device is Rooted' ``` ![smali file](/files/am02aoCCLPH6q0WOYAqD) * Upon inspecting the file 'RootDetectionActivity$onCreate$1.smali', we can see that the file directly includes the RootDetectionActivity with the `constructor()` * Taking a look on that file, we can see that the functions that the applications that application uses to identify the root existance ![RootDetectionActivity.smali file](/files/5eL5qdlIOyZo5mUMGMdx) * With the declared function information, we can search for the functions name in jd-gui ![1 Search the function 2 function contents](/files/bhX4sOb61AGpPcKoMzl0) * With the decompiled function, we can see the strings that the apk uses to filter out the root detection * Since its found in the `RootDetectionActivity.class` file, the `RootDetectionActivity.smali` is the one which needs to be altered ### Reconfigure and Compiling * Open the RootDetectionActivity.smali file in any text editor and serch for the specified strings * After finding the files, replace them with something else ( Anything you want ) * After replacing the contents of the smali file, save the file ![edited and changed](/files/AorYClo0jf5tCAD3JlP4) * After saving the smali file, its time to build the application * The application is build with `apktool` using the following command `apktool b ` ![apk compiled](/files/8oHgJec72fEIulFmafmB) * Upon compiling a new folder `dist` is created which contains the compiled version of the apk * But the apk cannot be installed without signing it ### Signing the apk * The certificate can be generated with the `keytool` utility ```bash keytool -genkey -v -keystore dnoscp_androgoat.keystore -alias dnoscp_androgoat -keyalg RSA -keysize 2048 -validity 10000 ``` ![Certificate generated](/files/eAO9G5zGTWIIaTRmSZlw) * With the generated certificate, we can make use of `jarsigner` to sign the compiled apk ```bash jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore dnoscp_androgoat.keystore AndroGoat.apk dnoscp_androgoat ``` ![Succesful signed info](/files/wveBWYVNvz7GHQ0FvgO7) * After siging the apk , verify it with `jarsigner -verify -verbose -certs AndroGoat.apk` * Now installing the application with `adb install AndroGoat.apk` will be successful and will install AndroGoat.apk in the emulator * For optimal loading purpose the application has to be zipaligned with `zipalign -v 4 AndroGoat.apk dnoscp.apk` * A new apk named `dnoscp.apk` will be obtained * Which can be installed in the emulator ( Dont forgot to uninstall the previously installed AndroGoat.apk ) ![Installing APK](/files/dILFGWSKgpFW0byGKnWu) * Once the application is installed, lets again check the root detection feature of the application * Now the application says the Device is not rooted ![Device Not rooted ( Root Detection Bypassed )](/files/CFvBW25FzBl4pdCVTE3W) * Thus the application is manually bypassed the root detection mechanism --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://dhaneshsivasamy07.gitbook.io/oscp-2022/mobile-pentesting/android-pentesting/root-detection-bypass-manual.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.