Root detection is a mechanism implemented by developers to keep testers from running the application on an emulator or a rooted device. It can be evaded with objection, but in case you are restrained from using tools like objection, the manual approach is the one that helps us as pentesters get the job done.
The application AndroGoat is built for testing multiple mobile pentesting vulnerabilities; out of those, root detection bypass is the one we are going to take care of. Install the application in the emulator with adb.
# connect
adb connect <mobileip>:5555
# list the connected devices
adb devices
# Install the application with adb
adb install AndroGoat.apk
The application is successfully installed and can be verified
Application installed
Upon opening the application we see a bunch of vulnerabilities for testing; the one we are focused on now is ROOT DETECTION. In it, we are provided with an option to check whether the host is rooted or not.
We see that the application reports "Device is Rooted".
Root Detected
Now we are going to bypass the root detection manually.
Steps
1. Decompile the application
2. Convert the apk to a jar file and inspect it with jd-gui
3. Find the root detection contents
4. Replace the strings in the function (in the smali code)
5. Build the apk
6. Sign the apk with a self-signed certificate
7. Align the apk
8. Install the apk
Decompile the Application
The application that I used for this tutorial is AndroGoat - [here]
Decompile AndroGoat with apktool using the following command
A folder containing all the smali code and the AndroidManifest.xml file will be obtained.
Once the folder AndroGoat is obtained (the folder name will be the same as the apk's name), move on to the next step.
APK -> JAR
Convert the apk to a jar file with d2j-dex2jar AndroGoat.apk
A new file AndroGoat-dex2jar.jar will be obtained
That jar file can be viewed in jd-gui with jd-gui AndroGoat-dex2jar.jar
Once jd-gui opens the jar file, search for contents like Rooted, root, su, etc.
The search feature can be found at the top of jd-gui or with the hotkey Ctrl + Shift + s.
We saw the application throw "Device is Rooted" at us; now we will search for where this string exists in the decompiled apk with grep.
smali file
Upon inspecting the file 'RootDetectionActivity$onCreate$1.smali', we can see that it directly references RootDetectionActivity through its constructor.
Taking a look at that file, we can see the functions that the application uses to identify whether root exists.
RootDetectionActivity.smali file
With the declared function information, we can search for the function names in jd-gui.
1. Search for the function 2. Function contents
With the decompiled function, we can see the strings that the apk checks for to detect root.
Since it is found in the RootDetectionActivity.class file, RootDetectionActivity.smali is the one that needs to be altered.
Reconfiguring and Compiling
Open the RootDetectionActivity.smali file in any text editor and search for the specified strings.
After finding the strings, replace them with something else (anything you want).
After replacing the contents of the smali file, save the file
edited and changed
After saving the smali file, it's time to build the application.
The application is built with apktool using the following command: apktool b <folder>
apk compiled
Upon compiling, a new folder dist is created which contains the compiled version of the apk.
But the apk cannot be installed without signing it
Signing the apk
The certificate can be generated with the keytool utility
Certificate generated
With the generated certificate, we can make use of jarsigner to sign the compiled apk
Successfully signed info
After signing the apk, verify it with jarsigner -verify -verbose -certs AndroGoat.apk
Now installing the application with adb install AndroGoat.apk will be successful and will install AndroGoat.apk in the emulator
For optimal loading purpose the application has to be zipaligned with zipalign -v 4 AndroGoat.apk dnoscp.apk
A new apk named dnoscp.apk will be obtained
This can be installed in the emulator (don't forget to uninstall the previously installed AndroGoat.apk first).
Installing APK
Once the application is installed, let's again check the root detection feature of the application.
Now the application says the Device is not rooted.
Device Not Rooted (Root Detection Bypassed)
Thus the application's root detection mechanism has been bypassed manually.