Let's discuss a scenario: bypassing root detection with @fridadotre

🧵👇
• We have the 'UnCrackable-Level1.apk' from OWASP MSTG, which has root detection implemented.

• Let's try to bypass this check using FRIDA.

👉 github.com/OWASP/owasp-ms…
• Let's run the app first.

• Bummer!! We are not supposed to run this app on a rooted device.
• Let's open the APK with jadx-gui to find out how the app is detecting rooted devices.

• Let's navigate to "sg.vantagepoint > uncrackable1 > MainActivity".
• Have a look at the onCreate() method: if c.a(), c.b() or c.c() returns true, the string "Root detected!" is passed to method a().
• Method a() is responsible for creating an AlertBox with the title string 'Root detected!'.

• The content of the AlertBox is "This is unacceptable. The app is now going to exit."
• To identify the root detection logic we need to drill down into class 'c'.

• Let's navigate to 'sg.vantagepoint > a > c'.

• Class c has three methods: a(), b() and c().
• Let's understand the behavior of all three methods.

• Method a()

• This method checks for the presence of the 'su' binary on the Android device.
• Method b()

• This method searches for 'test-keys' in Build.TAGS.

• The presence of 'test-keys' in Build.TAGS indicates that the firmware on the device is not signed with release keys.

• Essentially, this means that you have installed custom firmware by rooting the device.
• Method c()

• Method c() searches for the 'su' binary at common paths.

• The presence of 'su' at any of these locations indicates that the device is rooted.
Now there are two ways I can think of to bypass the check.

1. Changing the implementation of all three methods of class c to return false.

• sg.vantagepoint.a.c

2. Changing the implementation of method a() of MainActivity to replace the AlertBox logic.

• MainActivity
• Wait, before that: if you want to set up FRIDA on the Android device, follow this link 👉 frida.re/docs/android/

Method 1

• Let's write a Frida script that overwrites the implementations of methods a(), b() and c() so they return false every time.

method-1.js
Run the 'method-1.js' script to see it in action!

💻 frida -U -f owasp.mstg.uncrackable1 -l 'method-1.js' --no-pause

View the messages in the Frida console.
Bingo! Root detection is bypassed with method 1.

There is no AlertBox saying 'Root detected!'
Method 2

• The following Frida script replaces the AlertBox logic in method a() of MainActivity.

• So we can interact with the application without any hurdles.
Let's see it in action!

💻 frida -U -f owasp.mstg.uncrackable1 -l 'method-2.js' --no-pause

View the message in the Frida console.
Root detection is bypassed with method 2.
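As an added example, not the author's method-1.js or method-2.js, here is one Frida script that implements both bypasses described above against the class and method names the thread read out of jadx-gui; the split into stub-friendly functions is my own, and each hook logs when it fires so you can see which of the three client-side checks the app actually relies on.

```javascript
// Added example Frida script covering both methods from the thread; not the
// author's own scripts. Names are those the thread read out of jadx-gui.
const ROOT_CHECK_CLASS = 'sg.vantagepoint.a.c';
const ROOT_CHECK_METHODS = ['a', 'b', 'c']; // su on device, Build.TAGS test-keys, su at common paths
const MAIN_ACTIVITY = 'sg.vantagepoint.uncrackable1.MainActivity';

// Method 1: every root check in class c reports "not rooted", whatever it found.
// Returns the list of methods actually hooked (obfuscated names can change
// between builds, so missing ones are skipped rather than crashing the script).
function patchRootChecks(clazz, log) {
  const patched = [];
  for (const name of ROOT_CHECK_METHODS) {
    if (!clazz[name]) continue;
    clazz[name].implementation = function () {
      log(`c.${name}() called: returning false`);
      return false;
    };
    patched.push(name);
  }
  return patched;
}

// Method 2: replace MainActivity.a(String), which builds the "Root detected!"
// AlertBox and exits the app, with a no-op that only logs the message it got.
function suppressRootAlert(activityClass, log) {
  activityClass.a.implementation = function (message) {
    log(`MainActivity.a() suppressed: ${message}`);
  };
}

// Under Frida the Java global exists; install both hooks at app start using the
// frida -U -f owasp.mstg.uncrackable1 -l <this file> command line from the thread.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    const patched = patchRootChecks(Java.use(ROOT_CHECK_CLASS), console.log);
    console.log(`Hooked ${ROOT_CHECK_CLASS}.${patched.join('/')}()`);
    suppressRootAlert(Java.use(MAIN_ACTIVITY), console.log);
  });
}
```

Either half alone is enough for UnCrackable-Level1; running both shows in the console which check fired before the alert would have appeared.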
I hope you enjoyed reading the thread.

Happy hacking! 😀💻

Thread by Jaimin J Gohel 👨‍💻