Root Detection Bypass ( Manual )

Root Detection are mechanisms implemented by developers for disabling the testers to install the application in the emulator or a rooted device. That mechanism can be evaded with objection, in case of you are restrained from using tools like objection. The manual approach would be the one which would help us as pentesters to get the job done

Pre-requisite

# Tools

## Apktool
https://ibotpeaches.github.io/Apktool/install/

## dex2jar
https://github.com/pxb1988/dex2jar/releases/tag/v2.1

## jd-gui, zipaligner, jarsigner
sudo apt install jd-gui zipalign openjdk-11-jdk-headless

Summary

The application androgoat features for testing multiple mobile pentesting vulnerabilities out of that, root detection bypass is the one we are going to be taken care of. Install the application in the emulator with adb. 

# connect
adb connect <mobileip>:5555

# list the connected device
adb devices

# Install the application with adb
adb install AndroGoat.apk

The application is successfully installed and can be verified

Upon opening the applicaiton we see bunch of vulnerabilities for testing, the one we are focused now is the ROOT DETECTION. In that, we are provided with the option to check weather the host is rooted or not

We see that the application says that the "Device is Rooted"

Now we are going to bypass the root detection manullay

Steps

  1. Decompile the application

  2. Conver the apk to jar file and inspect it with jd-gui

  3. Find the root detection contents

  4. Replace the strings in the function ( in smali code )

  5. Build the apk

  6. Sign the apk with selfsigned certificaiton

  7. Allign the apk

  8. Install the apk

Decompile the Application

  • The applicatoin that I used for this tutorial is Androgoat - [here]

  • Decompile the androgoat with the following command

apktool d AndroGoat.apk

  • A folder containing all the smali codes, AndroidManifest.xml files will be obtained

  • Once the folder AndroidGoat is obtained ( the folder name will be the same as the apk's name )

APK -> JAR

  • Conver the apk to the jar file with d2j-dex2jar

~/Downloads/dex_tools-2.1/d2j-dex2jar AndroGoat.apk

  • A new file AndroGoat-dex2jar.jar will be obtained

  • That jar file can be viewed in jd-gui with jd-gui AndroGoat-dex2jar.jar

  • Once the jd-gui opens the jar file, search for contents like Rooted, root, su etc..,

  • The search feature can be found at the top of the jd-gui or with the hotkey Ctrl + Shift + s

  • We saw the application thrown us Device is Rooted now we will search where does this string exists in the decompiled section of the apk with grep

grep -EnRi 'Device is Rooted'

  • Upon inspecting the file 'RootDetectionActivity$onCreate$1.smali', we can see that the file directly includes the RootDetectionActivity with the constructor()

  • Taking a look on that file, we can see that the functions that the applications that application uses to identify the root existance

  • With the declared function information, we can search for the functions name in jd-gui

  • With the decompiled function, we can see the strings that the apk uses to filter out the root detection

  • Since its found in the RootDetectionActivity.class file, the RootDetectionActivity.smali is the one which needs to be altered

Reconfigure and Compiling

  • Open the RootDetectionActivity.smali file in any text editor and serch for the specified strings

  • After finding the files, replace them with something else ( Anything you want )

  • After replacing the contents of the smali file, save the file

  • After saving the smali file, its time to build the application

  • The application is build with apktool using the following command apktool b <folder>

  • Upon compiling a new folder dist is created which contains the compiled version of the apk

  • But the apk cannot be installed without signing it

Signing the apk

  • The certificate can be generated with the keytool utility

keytool -genkey -v -keystore dnoscp_androgoat.keystore -alias dnoscp_androgoat -keyalg RSA -keysize 2048 -validity 10000

  • With the generated certificate, we can make use of jarsigner to sign the compiled apk

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore dnoscp_androgoat.keystore AndroGoat.apk dnoscp_androgoat

  • After siging the apk , verify it with jarsigner -verify -verbose -certs AndroGoat.apk

  • Now installing the application with adb install AndroGoat.apk will be successful and will install AndroGoat.apk in the emulator

  • For optimal loading purpose the application has to be zipaligned with zipalign -v 4 AndroGoat.apk dnoscp.apk

  • A new apk named dnoscp.apk will be obtained

  • Which can be installed in the emulator ( Dont forgot to uninstall the previously installed AndroGoat.apk )

  • Once the application is installed, lets again check the root detection feature of the application

  • Now the application says the Device is not rooted

  • Thus the application is manually bypassed the root detection mechanism

PreviousLab TroubleShootNextPhysical Device

Last updated