
Android Root Detection Bypass using Frida (Part 1 – OWASP Uncrackable 1)

Researchers:

Richard Mason

Mobile application penetration testing is becoming more and more common, as mobile applications are now the norm for how businesses allow their users to interact with whatever service they provide. As information/cyber security is quite often a requirement for most businesses, the level at which it is implemented has increased. Depending on the function of the application, I have noticed an increase in applications implementing some sort of root/emulator detection during penetration tests. As you can probably tell, that is the reason why I have written this blog, with the hope that I can learn to bypass these mechanisms without using built-in tools/scripts that don’t always work, and hopefully help others to do so as well.

The first part is going to be how I have managed to bypass the root/emulator detection on OWASP’s Uncrackable 1 on Android using Frida. Frida and other tools within the toolset can look quite intimidating at first glance, but once you get the hang of it, it becomes an incredibly powerful tool to have at your disposal.

——————————

*Before I show how I have bypassed the root/emulator detection I should say that I’m not an expert at this and the way I have performed the bypass might not be the most efficient or “correct” way of doing so. At one point or another we have all been at the start of our learning journeys so please take this into consideration.

First things first, you’re gonna need some equipment and tools to perform this:

  • Rooted Android device (I’m using an emulated device using Android Studio which has been rooted using rootAVD)
  • ADB
  • Frida
  • JADX
  • Anything you want to use to edit code

I’m going to assume you already have a basic knowledge of testing Android devices and have used ADB and Frida before. Once you have installed Uncrackable 1 on the Android device we of course need to run it and see what happens.

[Screenshot: Root detected]

When we click “OK” on the prompt the application exits.

The message presented is going to be our starting point when looking for how to bypass the root/emulator detection. Once you have imported the APK into JADX, you can search for “Root detected” to see where this string is used.

[Screenshot: Search String]

We can see in the code below that the string is used if a condition is met within the methods “m5a”, “m4b” or “m3c”.

[Screenshot: Methods]

So once again we are going to search in the code for these.

[Screenshot: Search]

We can see in the code that if a condition exists then the method will return true.

[Screenshot: Method True]

The good thing about using JADX is that you can copy parts of code to be used within/with Frida. So in this case to see what happens, we are gonna copy the “m5a” method as a Frida snippet.

[Screenshot: Copy code to Frida]

To make the copied Frida snippet work as a script with Frida we need to put it within a function.

				
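Java.perform(function () {
  // Wrapper for the class that holds the root check
  let C0002c = Java.use("sg.vantagepoint.a.c");
  // Replace a() with a version that logs what the original returns
  C0002c["a"].implementation = function () {
    console.log('a is called');
    let ret = this.a(); // call the original method
    console.log('a ret value is ' + ret);
    return ret; // pass the original value through unchanged
  };
});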

When we run the code snippet with Frida, we can see that the return value is “true”, which is why the root detection prompt is shown.

				
$ .\frida.exe -U -l bypass.js -f owasp.mstg.uncrackable1
     ____
    / _  |   Frida 16.0.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 1234 (id=emulator-1234)
Spawned `owasp.mstg.uncrackable1`. Resuming main thread!
[Android Emulator 1234::owasp.mstg.uncrackable1 ]-> a is called
a ret value is true
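
The snippet above traces only a(), while the prompt is shown if any of the three methods returns true. As an added example (not code from the original post), this trace-only script logs all three without changing their results, so you can see which checks fire on your device. It assumes JADX's m5a, m4b and m3c are the no-argument methods a, b and c of sg.vantagepoint.a.c; traceChecks, firedChecks and fakeClass are hypothetical helper names, the last being a constructed stand-in so the helpers also run under plain Node.

```javascript
// Added example, not from the original post. Assumption: JADX's m5a/m4b/m3c are
// the no-argument methods a/b/c of sg.vantagepoint.a.c (the page shows only "a").
const CHECK_CLASS = "sg.vantagepoint.a.c";
const CHECK_METHODS = ["a", "b", "c"];

// Wrap each check so it records and logs the ORIGINAL result and returns it
// unchanged. `cls` is a Java.use() wrapper (or the stand-in below).
function traceChecks(cls, methods, results, log) {
  methods.forEach(function (name) {
    cls[name].implementation = function () {
      const ret = this[name](); // same pattern as the page's this.a()
      results[name] = ret;
      log(name + " ret value is " + ret);
      return ret;
    };
  });
  return results;
}

// Names of the checks that returned true, i.e. the ones behind the prompt.
function firedChecks(results) {
  return Object.keys(results).filter(function (n) { return results[n] === true; });
}

// Constructed stand-in for a Java.use() wrapper, so the helpers also run
// under plain Node. Calling a method from inside its own replacement
// reaches the original, as this.a() does in the page's script.
function fakeClass(values) {
  const cls = {};
  Object.keys(values).forEach(function (n) {
    let inside = false;
    const method = function () {
      if (!method.implementation || inside) return values[n];
      inside = true;
      try { return method.implementation.call(cls); } finally { inside = false; }
    };
    method.implementation = null;
    cls[n] = method;
  });
  return cls;
}

if (typeof Java !== "undefined") {
  // Running inside Frida: install the trace on the real class.
  Java.perform(function () {
    traceChecks(Java.use(CHECK_CLASS), CHECK_METHODS, {}, function (m) { console.log(m); });
  });
}
```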
				
			

To bypass the root/emulator detection it’s pretty simple. All we have to do within our code is change the return value to “false”.

				
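Java.perform(function () {
  // Wrapper for the class that holds the root check
  let C0002c = Java.use("sg.vantagepoint.a.c");
  C0002c["a"].implementation = function () {
    console.log('a is called');
    let ret = this.a(); // the original method still runs and is still logged
    console.log('a ret value is ' + ret);
    return false; // always return false, whatever the original returned
  };
});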

Once changed, let’s run it again. The output in the command line is going to be exactly the same, as we haven’t changed any of the code that is logged to the console. But this time we have changed the actual value returned by the method to false.

				
$ .\frida.exe -U -l bypass.js -f owasp.mstg.uncrackable1
     ____
    / _  |   Frida 16.0.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 1234 (id=emulator-1234)
Spawned `owasp.mstg.uncrackable1`. Resuming main thread!
[Android Emulator 1234::owasp.mstg.uncrackable1 ]-> a is called
a ret value is true
				
			

Which in turn defeats the root detection.

[Screenshot: Root detection defeated]

Hopefully you have found this run-through somewhat helpful and it has given you a basic understanding of using Frida and creating your own scripts to use with it. Like I said at the start of the write-up, this might not be the most efficient or be the “correct” way to bypass the root detection, but I am figuring this out as I go along. If there is any help or tips that you can give me to get better, that would be much appreciated.

Please see part 2 in this series by clicking here.

Originally published on Medium.
