This is my first post to medium.com regarding Application Security Testing.
Nowadays many applications, especially financial, banking and payment-wallet apps, refuse to run on a rooted device. Penetration testing, however, usually needs root: the tools used to inspect and tamper with an application have to be installed with root privileges. An app that refuses to start on a rooted device therefore blocks the tester from running a large part of the test cases, which is a very painful situation for any pentester.
There are many blogs on application penetration testing on the internet, but not every blog helps you in every situation, so I am writing this article in simple words for easier understanding.
There are several ways to bypass the root detection check in an Android application. The first is static analysis of the decompiled code, which we discuss today; the other is dynamic instrumentation with Frida or the Xposed framework (we will try to cover that in the next post).
Now we reverse engineer the test application by decompiling the APK file to see which techniques the application uses to detect root access.
Below are the tools required to bypass root detection manually.
- Apktool, to decompile the APK to smali and rebuild it
- dex2jar, to convert classes.dex into a jar
- JD-GUI, to browse the decompiled Java code
- apksigner (with zipalign) from the Android SDK build-tools, to sign the rebuilt APK
- Any text editor, Sublime preferred
1. Decompile the APK using Apktool.
2. Now we use d2j-dex2jar to convert classes.dex into a jar file so that we can read the Java code of the application.
3. JD-GUI is a standalone graphical application that displays the Java source of the “.class” files inside that jar.
4. Search for keywords such as isDeviceRooted, root, RootUtils, /sys, /system, superuser, Superuser.apk etc. to locate the exact Java methods that perform the check.
5. Here the JD-GUI search has identified the classes containing the string “isDeviceRooted”. We go through those classes and read the Java code.
6. Once you have found the keyword and the exact class, work out the logic of the root detection check: which files, packages or commands it looks for, and which method returns the final verdict. Then search the smali files produced by Apktool for the same methods.
7. Once you have located the method in the smali file, look at its return value. A method returning boolean has a signature ending in Z, and its last instructions load a register and return it. We want the method to always return false when the application asks whether the device is rooted, so replace the body with const/4 v0, 0x0 followed by return v0 (0x0 is false; use 0x1 where the application needs true). Keep in mind that the method may be called from several places, and that some callers test the result with if-eqz/if-nez, so patching the caller's branch is an alternative.
8. After the patch, whenever the application calls isDeviceRooted() it gets false.
9. Another thing that can be changed in the smali files: search for the string Superuser.apk (typically a path such as /system/app/Superuser.apk that the app tests with File.exists()) and rename it to a file that does not exist on the device, so that the file-based check fails.
10. Now rebuild the application with Apktool, zipalign it, and sign the rebuilt APK with a custom self-signed certificate using apksigner; Android will not install an unsigned APK. Note that the original signing certificate is lost, so an app that verifies its own signature will need that check patched as well.
11. Install the patched application on the rooted device and it will work.
Note: This is only a demonstration of how to find the root detection code and how to bypass it. Follow the procedure, not the exact steps above, because every application names and structures its checks differently.
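The smali edits from steps 7 and 9, as an added example in Python that is not part of the original post: it rewrites a constructed smali excerpt (the class name com/example/RootUtils, the helper checkSuperuserApk and the replacement file name are assumptions, not taken from any real app) so that isDeviceRooted() always returns false and the Superuser.apk path string no longer points at a real file. The Apktool, keytool, zipalign and apksigner commands from steps 1 and 10 are in the comments at the top.

```python
import re
import sys

# Surrounding workflow (run in a shell, not from this script):
#   apktool d app.apk -o app_src
#   python patch_smali.py app_src/smali/com/example/RootUtils.smali
#   apktool b app_src -o app_patched.apk
#   keytool -genkeypair -keystore test.jks -alias testkey -keyalg RSA -keysize 2048 -validity 10000
#   zipalign -v 4 app_patched.apk app_aligned.apk
#   apksigner sign --ks test.jks --ks-key-alias testkey --out app_signed.apk app_aligned.apk

# Constructed smali excerpt standing in for what Apktool produces from a
# root-check class (hypothetical class and method names).
SAMPLE_SMALI = """\
.class public Lcom/example/RootUtils;
.super Ljava/lang/Object;

.method private static checkSuperuserApk()Z
    .locals 2

    new-instance v0, Ljava/io/File;

    const-string v1, "/system/app/Superuser.apk"

    invoke-direct {v0, v1}, Ljava/io/File;-><init>(Ljava/lang/String;)V

    invoke-virtual {v0}, Ljava/io/File;->exists()Z

    move-result v0

    return v0
.end method

.method public static isDeviceRooted()Z
    .locals 1

    invoke-static {}, Lcom/example/RootUtils;->checkSuperuserApk()Z

    move-result v0

    if-eqz v0, :cond_0

    const/4 v0, 0x1

    return v0

    :cond_0
    const/4 v0, 0x0

    return v0
.end method
"""


def _boolean_method_re(name):
    # ".method <modifiers> name(args)Z" up to the matching ".end method";
    # group 1 = signature line, group 2 = body, group 3 = ".end method".
    return re.compile(
        r"(\.method[^\n]*?\b" + re.escape(name) + r"\([^)]*\)Z\n)(.*?)(\n\.end method)",
        re.DOTALL,
    )


def force_boolean_return(smali, name, value):
    """Replace the body of every boolean method called `name` with a constant
    return (0x1 = true, 0x0 = false). Returns (patched_smali, methods_patched)."""
    const = "0x1" if value else "0x0"
    body = f"    .locals 1\n\n    const/4 v0, {const}\n\n    return v0"
    return _boolean_method_re(name).subn(lambda m: m.group(1) + body + m.group(3), smali)


def rename_string_literals(smali, old, new):
    """Rewrite const-string literals that contain `old` (e.g. a Superuser.apk path)
    so the File.exists() check looks for something absent. Returns (patched, count)."""
    count = 0

    def repl(m):
        nonlocal count
        if old in m.group(2):
            count += 1
            return m.group(1) + m.group(2).replace(old, new) + '"'
        return m.group(0)

    pattern = re.compile(r'(const-string(?:/jumbo)?\s+[vp]\d+,\s+")([^"]*)"')
    return pattern.sub(repl, smali), count


def method_body(smali, name):
    """Return the body text of method `name` (any return type), or None."""
    m = re.search(
        r"\.method[^\n]*?\b" + re.escape(name) + r"\([^)]*\)[^\n]*\n(.*?)\n\.end method",
        smali, re.DOTALL,
    )
    return m.group(1) if m else None


def patch_root_checks(smali):
    """Apply both edits from the post to one smali file's text."""
    smali, n_methods = force_boolean_return(smali, "isDeviceRooted", False)
    if n_methods == 0:
        raise ValueError("isDeviceRooted()Z not found; search the smali for the real method name")
    smali, _ = rename_string_literals(smali, "Superuser.apk", "Nosuchfile.apk")
    return smali


if __name__ == "__main__":
    if len(sys.argv) == 2:  # patch a real smali file in place
        with open(sys.argv[1]) as f:
            src = f.read()
        with open(sys.argv[1], "w") as f:
            f.write(patch_root_checks(src))
        print("patched", sys.argv[1])
    else:  # no argument: show the patch applied to the constructed sample
        print(patch_root_checks(SAMPLE_SMALI))
```

Run it without arguments to see the sample before/after; with a path it rewrites that file in place, after which the rebuild and signing commands in the comments produce the patched APK. The method regex only matches methods whose signature ends in Z, so a non-boolean method of the same name is left alone, and the string rewrite touches only const-string literals, not class or method names.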