Jaimin J Gohel 👨‍💻
Hacker 💻 • Speaker 🎙️ • Scribbler ✍️ • CTFs 🚩 • Decompiling APKs since 2018

Aug 27, 2021, 19 tweets

Let's discuss a scenario: bypassing root detection with @fridadotre

🧵👇

• We have 'UnCrackable-Level1.apk' from OWASP MSTG, which has root detection implemented.

• Let's try to bypass this check using FRIDA.

👉 github.com/OWASP/owasp-ms…

• Let's run the app first.

• Bummer!! We are not supposed to run this app on a rooted device.

• Let's open the APK with jadx-gui to find out how the app is detecting rooted devices.

• Let's navigate to "sg.vantagepoint > uncrackable1 > MainActivity".

• Have a look at the onCreate() method: if c.a(), c.b() or c.c() returns true, it passes the string "Root detected!" to method a().

• Method a() is responsible for creating an AlertBox with the title 'Root detected!'.

• The content of the AlertBox is "This is unacceptable. The app is now going to exit."

• To identify the root detection logic we need to drill down into class 'c'.

• Let's navigate to 'sg.vantagepoint > a > c'.

• Class c has 3 methods: a(), b() and c().

• Let's understand the behavior of all 3 methods.

Method a()

• This method checks for the presence of the 'su' binary executable on the Android device.

Method b()

• This method searches for 'test-keys' inside Build.TAGS.

• The presence of 'test-keys' inside Build.TAGS indicates that the firmware on your device is not signed with release keys.

• Essentially, this means custom firmware has been installed by rooting the device.

Method c()

• Method c() searches for the 'su' binary executable at common paths.

• The presence of 'su' at any of these locations indicates the device is rooted.
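As an added example (not the app's decompiled code and not part of the original thread), here is how the three checks described above look when written out in plain Java. The Build.TAGS value is passed in as a parameter so the class compiles and runs with a plain JDK; inside an app you would call isRooted(android.os.Build.TAGS). The list of common 'su' locations is an assumption of this example, not the app's exact list.

```java
import java.io.File;
import java.util.Arrays;
import java.util.List;

// Reconstruction of the three root checks described in the thread.
// Build.TAGS is injected so the class compiles without the Android SDK.
public final class RootChecks {

    // Assumed list of well-known 'su' locations; the app's own list may differ.
    static final List<String> SU_PATHS = Arrays.asList(
            "/system/bin/su", "/system/xbin/su", "/sbin/su",
            "/su/bin/su", "/data/local/xbin/su", "/data/local/bin/su");

    // Method a(): look for an executable named 'su' in every directory on PATH.
    static boolean suOnPath(String pathEnv) {
        if (pathEnv == null) return false;
        for (String dir : pathEnv.split(File.pathSeparator)) {
            File su = new File(dir, "su");
            if (su.isFile() && su.canExecute()) return true;
        }
        return false;
    }

    // Method b(): firmware signed with the AOSP test keys carries 'test-keys' in Build.TAGS.
    static boolean hasTestKeys(String buildTags) {
        return buildTags != null && buildTags.contains("test-keys");
    }

    // Method c(): probe a fixed set of common 'su' locations.
    static boolean suAtCommonPaths() {
        for (String p : SU_PATHS) {
            if (new File(p).exists()) return true;
        }
        return false;
    }

    // Mirrors the onCreate() logic: any single check firing means "rooted".
    public static boolean isRooted(String buildTags) {
        return suOnPath(System.getenv("PATH")) || hasTestKeys(buildTags) || suAtCommonPaths();
    }

    public static void main(String[] args) {
        // Constructed value for desktop runs; on Android pass android.os.Build.TAGS instead.
        String tags = args.length > 0 ? args[0] : "release-keys";
        System.out.println("su on PATH:         " + suOnPath(System.getenv("PATH")));
        System.out.println("test-keys in TAGS:  " + hasTestKeys(tags));
        System.out.println("su at common paths: " + suAtCommonPaths());
        System.out.println("rooted:             " + isRooted(tags));
    }
}
```

Each check is a separate static method returning a boolean, which is exactly why an instrumentation framework can neutralise them one method at a time: the two bypasses the thread goes on to show target either these three methods or the single alert-raising method that consumes their result.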

Now there are two ways I can think of to bypass the check.

1. Changing the implementation of all three methods of class c to return false (class sg.vantagepoint.a.c).

2. Changing the implementation of method a() of MainActivity to replace the AlertBox logic (class MainActivity).

• Wait, before that: if you want to set up FRIDA on the Android device, follow this link 👉 frida.re/docs/android/

Method 1

• Let's write a Frida script that overwrites the implementation of the a(), b() and c() methods to return false each time.

method-1.js

Run the 'method-1.js' script to see it in action!

💻 frida -U -f owasp.mstg.uncrackable1 -l 'method-1.js' --no-pause

View the messages in the Frida console.

Bingo! Root detection is bypassed with method 1.

There is no AlertBox saying 'Root detected!'

Method 2

• The following Frida script replaces the AlertBox logic present in method a() of MainActivity.

• So we can interact with the application without any hurdle.

Let's see it in action!

💻 frida -U -f owasp.mstg.uncrackable1 -l 'method-2.js' --no-pause

View the message in the Frida console.

Root detection is bypassed with method 2.

I hope you enjoyed reading the thread.

Happy hacking! 😀💻
