Root Detection Bypass With Frida.

Sarang Khilare
Dec 12, 2019 · 3 min read

In my past experiences I was mostly working on web application penetration testing, and I always wanted to expand my knowledge in Android penetration testing.

Now I got a great opportunity to work on Android pentesting in my current position, so I just wanted to share what I learned from these experiences with all my friends in the same domain.

While performing static analysis of Android applications we came to know that nowadays most banking, financial and payment applications refuse to run on rooted devices, so that nobody can take advantage of root privileges on the device against them. There are many techniques to bypass an application's root detection check: one is static analysis (patching the source code), and another is dynamic analysis using tools like Frida.

Today we will cover Frida method hooking and use it to bypass the root detection check.

What is Frida?

Frida is an open source dynamic instrumentation toolkit for developers, reverse engineers, security researchers, pentesters and so on. It lets you inject JavaScript code into native apps running on Windows, macOS, Linux, iOS and Android.

Installation:

pip install frida-tools

We will also need the adb tool from the Android SDK to connect to and communicate with the device.

Download the latest frida-server for Android from the Frida GitHub releases page (pick the build that matches the device's CPU architecture, e.g. arm64) and uncompress it.

Now, with the rooted device connected over USB, execute the commands below from your desktop (frida-server needs root privileges on the device):

$ adb root # might be required
$ adb push frida-server /data/local/tmp/
$ adb shell "chmod 755 /data/local/tmp/frida-server"
$ adb shell "/data/local/tmp/frida-server &"

Now the server is running on the Android device.

Next, on your desktop, check that Frida can communicate with the frida-server on the Android device with the command below.

$ frida-ps -U

It will show the list of packages installed on the device. -U stands for USB device.

Now decompile the application and find the exact class and function/method holding the root detection logic by searching for keywords like /system, /sys, root, isDeviceRooted, Supersu.apk, etc.

We will need a JavaScript file that hooks the method, and Frida to inject it.

I will use the root-detection-bypass.js script from parad0xer/root-detection-bypass.js on GitHub.

(Screenshot: JavaScript for root detection bypass)

We will inject the code above, after changing it to match our own decompiled source. In our example isDeviceRooted is the method name and DeviceUtils is the class that contains it.
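As an added example (not the parad0xer script from the post), the hook below targets the hypothetical method com.xyz.abc.DeviceUtils.isDeviceRooted() used in this post; it calls the real check first and logs what it returned, so the tester can tell which check fired before it is overridden. The parse and override helpers are plain JavaScript, the Java.* calls only run inside Frida.

```javascript
// Run with: frida -U -f com.xyz.abc -l root-detection-bypass.js --no-pause
// Assumes the decompiled app exposes com.xyz.abc.DeviceUtils.isDeviceRooted() (hypothetical name).

// Fully qualified methods to neutralise; add entries after locating the real checks in the decompiled code.
const TARGETS = ['com.xyz.abc.DeviceUtils.isDeviceRooted'];

// Split "pkg.Class.method" into its class and method parts.
function parseTarget(fqn) {
  const i = fqn.lastIndexOf('.');
  if (i < 1 || i === fqn.length - 1) throw new Error('expected <class>.<method>: ' + fqn);
  return { className: fqn.slice(0, i), methodName: fqn.slice(i + 1) };
}

// Build the replacement implementation: invoke the original check so the tester sees
// what it really returned, log that, then report "not rooted" to the app.
function buildOverride(fqn, callOriginal, log) {
  return function (...args) {
    const real = callOriginal.apply(this, args);
    log(`[*] ${fqn} returned ${real}, overriding to false`);
    if (real) log('Root detection bypassed');
    return false;
  };
}

// Install the hooks inside the app's Java VM (only meaningful under Frida).
function installHooks() {
  Java.perform(function () {
    for (const fqn of TARGETS) {
      const { className, methodName } = parseTarget(fqn);
      const clazz = Java.use(className);
      // For overloaded methods use clazz[methodName].overload(...) instead.
      clazz[methodName].implementation = buildOverride(
        fqn,
        // Inside a Frida implementation, this.<method>() reaches the unhooked original.
        function (...args) { return this[methodName].apply(this, args); },
        console.log);
    }
  });
}

if (typeof Java !== 'undefined') installHooks();
```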

Now run the command below with the root detection bypass script to hijack the function.

$ frida -U -f <package name> -l <location>/root-detection-bypass.js --no-pause

  • -U : USB device
  • -f : package name of the app to spawn, as written in the command above; the method the script hooks, e.g. com.xyz.abc.DeviceUtils.isDeviceRooted, is set inside the script
  • --no-pause : resume the app right after spawning it, with the hook already in place
(Screenshot: Frida successfully hooked the function)

Once the console prints the message “Root detection bypassed”, the app opens automatically and we can see that it got past the root detection check.

Any suggestions or feedback are always welcome.

Thanks for reading…..Happy Pentesting……
