Android Root Detection Bypass

Prerequisite

  • Frida

Download Frida

  • Install it on Windows, Linux or macOS; see the tutorial here
  • I have some here

Android Root Detection

  • These days developers try to add a root-detection function in order to prevent debugging of and attacks on their application. But it can always be bypassed in some way.

Bypass

  • First, try to understand the code.
  • Some apps search for packages such as SuperSU, BusyBox or Cydia.

Digging into the code

  • Below is an example; not all applications will be the same.

public static void checkRootedDevice(Activity paramActivity)
{
    // This condition is never true ("Staging" does not equal "Live"),
    // so the method never returns early here and the check always runs.
    if (("Staging".compareToIgnoreCase("Live") == 0) && ("Staging".compareToIgnoreCase("Staging") == 0) && ("Staging".compareToIgnoreCase("Production") == 0)) {
        return;
    }
    // Request a SafetyNet test; the verdict arrives in the callback below.
    new SafetyNetHelper("", paramActivity).requestTest(paramActivity, new SafetyNetHelper.SafetyNetWrapperCallback()
    {
        public void error(int paramAnonymousInt, String paramAnonymousString)
        {
            Log.d("My App", "errorCode:" + paramAnonymousInt + " and errormsg, " + paramAnonymousString);
        }

        public void success(boolean paramAnonymousBoolean1, boolean paramAnonymousBoolean2)
        {
            // The decision is made here, on the device: show a blocking alert and close the activity.
            if (!paramAnonymousBoolean2) {
                Helper.showAlertNotCancelAble(this.val$activity, "Alert", "Root/Jail break detected on this device. App cannot run on rooted/jail-broken device.", new DialogInterface.OnClickListener()
                {
                    public void onClick(DialogInterface paramAnonymous2DialogInterface, int paramAnonymous2Int)
                    {
                        // Decompiler notation for the activity captured by the anonymous class.
                        Helper.10.this.val$activity.finish();
                    }
                });
            }
        }
    });
}

Hook with Frida

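Java.perform(function () {
    // Helper is the class that holds checkRootedDevice in the decompiled code above
    var myClass = Java.use("com.myapp.package.Helper");

    // Replace the method body; the original (SafetyNet request and alert) is never run.
    // checkRootedDevice is declared void above, so no return value has to be faked.
    myClass.checkRootedDevice.implementation = function (v) {
        send("checkRootedDevice got called! Skipping the original implementation");
        return false;
    };
});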
  • Now the application is hooked and returns false.
  • Run it with Frida:

frida -U -l disableroot.js -f com.myapp.package
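
The hook succeeds because the decompiled code decides on the device, inside the `success` callback. As an added example (not part of the original post or the app's code), here is a Node.js sketch of the server-side alternative: the backend checks the signed attestation itself and refuses service when it fails. `verifyAttestation`, `signSample` and the sample key are hypothetical names; the claim names follow the SafetyNet attestation payload, and certificate-chain validation is assumed to have been done before this step.

```javascript
const crypto = require('crypto');

// Hypothetical backend check: decide from the signed attestation, not from a
// boolean evaluated inside the app. signerKey is ASSUMED to be the leaf
// certificate's public key after x5c chain and hostname validation (not shown).
function verifyAttestation(jws, signerKey, expected, nowMs = Date.now()) {
  const parts = String(jws).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString()) || {};
    claims = JSON.parse(Buffer.from(p, 'base64url').toString()) || {};
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (header.alg !== 'RS256') return { ok: false, reason: 'alg' };
  const sigOk = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`),
    signerKey, Buffer.from(s, 'base64url'));
  if (!sigOk) return { ok: false, reason: 'signature' };
  // The nonce binds the response to this session; the timestamp bounds replay.
  if (claims.nonce !== expected.nonce) return { ok: false, reason: 'nonce' };
  if (!(Math.abs(nowMs - claims.timestampMs) <= expected.maxAgeMs))
    return { ok: false, reason: 'stale' };
  if (claims.apkPackageName !== expected.packageName)
    return { ok: false, reason: 'package' };
  if (claims.ctsProfileMatch !== true || claims.basicIntegrity !== true)
    return { ok: false, reason: 'integrity' };
  return { ok: true, reason: 'ok' };
}

// Constructed sample data: a throwaway RSA key stands in for the real signer.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const b64u = (v) => Buffer.from(v).toString('base64url');
function signSample(claims) {
  const input = `${b64u(JSON.stringify({ alg: 'RS256' }))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${b64u(crypto.sign('RSA-SHA256', Buffer.from(input), privateKey))}`;
}
const expected = { nonce: crypto.randomBytes(16).toString('base64'),
  packageName: 'com.myapp.package', maxAgeMs: 60000 };
const base = { nonce: expected.nonce, timestampMs: Date.now(),
  apkPackageName: expected.packageName };
const cleanJws = signSample({ ...base, ctsProfileMatch: true, basicIntegrity: true });
const failedJws = signSample({ ...base, ctsProfileMatch: false, basicIntegrity: false });
// A passing payload attached to another response's signature must be rejected.
const splicedJws = [failedJws.split('.')[0], cleanJws.split('.')[1], failedJws.split('.')[2]].join('.');

for (const [name, jws] of Object.entries({ cleanJws, failedJws, splicedJws }))
  console.log(name, verifyAttestation(jws, publicKey, expected));
```

With the decision made on the server, replacing `checkRootedDevice` on the device only suppresses the alert; the backend still sees the failed verdict.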