In my past experience I mostly worked on web application penetration testing, and I always wanted to expand my knowledge into Android penetration testing.
Now I have got a great opportunity to work on Android pentesting in my current position, so I wanted to share what I learned from these experiences with all my friends in the same domain.
While performing static analysis of Android applications we found that most banking, financial and payment applications nowadays refuse to run on rooted devices, so that an attacker cannot turn the root privileges of the device against the app. There are two common ways to get past such a root detection check: statically, by patching the check in the decompiled source and rebuilding the APK, or dynamically, by hooking the check at runtime with a tool such as Frida.
Today we will cover the Frida approach: hooking the detection method and bypassing the root detection check.
What is Frida?
Frida is a dynamic instrumentation toolkit: it injects a JavaScript agent into a running process, and from that agent you can hook any function (including Java methods on Android), inspect or change its arguments, and replace its return value. Install the client-side tools on your workstation with pip:
$ pip install frida-tools
You will also need the adb tool from the Android SDK to connect to and communicate with the device.
Download the latest frida-server for Android from the Frida GitHub releases page and uncompress it. The server version must match the frida-tools version installed on the workstation, and the build must match the device's CPU architecture (for example arm64).
With the rooted device connected over USB, push and start the server from your workstation with the commands below (adb root only works on builds where adbd may run as root; if it fails, open an adb shell, switch to root with su and start frida-server from there instead):
$ adb root # might be required
$ adb push frida-server /data/local/tmp/
$ adb shell "chmod 755 /data/local/tmp/frida-server"
$ adb shell "/data/local/tmp/frida-server &"
The server is now running on the Android device.
Next, on your workstation, check that the Frida client can talk to the frida-server on the device:
$ frida-ps -U
-U selects the USB-attached device. This lists the processes currently running on the device; add -a to show only applications, or -ai (frida-ps -Uai) to also include installed applications that are not running, which is handy for finding the package name you will need later.
Now decompile the application (for example with jadx) and locate the exact class and method that implement the root detection logic, by searching for keywords such as /system, /sys, su, root, isDeviceRooted, Superuser.apk and SuperSU.
The hook script replaces that method with one that always returns false. The class and method names in the script have to match what you found in the decompiled source; in our example the method is isDeviceRooted in the class DeviceUtils (com.xyz.abc.DeviceUtils.isDeviceRooted).
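The post's own script is not reproduced on this page, so what follows is an added example of such a hook and not the author's script. It assumes the class and method names used in this post, com.xyz.abc.DeviceUtils.isDeviceRooted, and goes one step beyond a single-method hook: it also hides a constructed list of common root artifacts from java.io.File.exists(), which is how many apps implement the check underneath. Save it as root-detection-bypass.js and load it with frida -l.

```javascript
// root-detection-bypass.js: added example, not the post's own script.
// Load with: frida -U -f <package name> -l root-detection-bypass.js
// Assumption: the app's check is com.xyz.abc.DeviceUtils.isDeviceRooted
// (the names used in the post); change both constants to match your target.
'use strict';

const TARGET_CLASS = 'com.xyz.abc.DeviceUtils'; // assumed, from the post
const TARGET_METHOD = 'isDeviceRooted';          // assumed, from the post

// Constructed list of paths that File.exists()-based root checks commonly probe.
const ROOT_ARTIFACTS = [
  '/system/bin/su', '/system/xbin/su', '/sbin/su', '/su/bin/su',
  '/system/app/Superuser.apk', '/system/app/SuperSU.apk',
  '/data/local/tmp/frida-server'
];

function isRootArtifact(path) {
  return ROOT_ARTIFACTS.indexOf(path) !== -1;
}

// Install the hooks through the Frida Java bridge passed as `J` (the global
// `Java` object inside a Frida agent). Returns the names of the hooked
// methods so the caller can confirm what was patched.
function installRootBypass(J) {
  const hooked = [];

  // 1. The app's own check: swap the whole implementation for one that
  //    always reports a clean device. If the method had several overloads,
  //    Frida would require selecting one with .overload(...) first.
  const Utils = J.use(TARGET_CLASS);
  Utils[TARGET_METHOD].implementation = function () {
    console.log('[*] ' + TARGET_CLASS + '.' + TARGET_METHOD + ' -> false');
    return false;
  };
  hooked.push(TARGET_CLASS + '.' + TARGET_METHOD);

  // 2. Generic fallback for apps that probe for su binaries with
  //    java.io.File.exists(): hide known root artifacts and pass every
  //    other path through to the original method (`this.exists()` calls it).
  const File = J.use('java.io.File');
  File.exists.implementation = function () {
    const path = this.getAbsolutePath();
    if (isRootArtifact(path)) {
      console.log('[*] hiding ' + path);
      return false;
    }
    return this.exists();
  };
  hooked.push('java.io.File.exists');

  return hooked;
}

// Inside a Frida agent `Java` is a global; outside one (plain Node) it is
// not, so the file can be loaded there without side effects.
if (typeof Java !== 'undefined' && Java.available) {
  Java.perform(function () {
    const hooked = installRootBypass(Java);
    console.log('Root detection bypassed (' + hooked.join(', ') + ')');
  });
}
```

Hooking at the Java level only catches checks written in Java. A check that runs a shell command, reads /proc, or lives in native code is not covered by these two hooks and needs a hook of its own; the decompiled source from the previous step tells you which kind you are dealing with.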
Now run the command below to spawn the app with the root detection bypass script loaded, so the method is hooked before the app's own code gets to run:
$ frida -U -f <package name> -l <location>/root-detection-bypass.js --no-pause
-U : attach to the USB device
-f : package name of the app to spawn, ex. com.xyz.abc (the class and method to hook, such as com.xyz.abc.DeviceUtils.isDeviceRooted, are named inside the script, not on the command line)
-l : path of the script to load
--no-pause : resume the spawned process as soon as the script is loaded; on recent frida-tools (16 and later) the spawned process resumes automatically and this option is no longer needed
Once the script prints its “Root detection bypassed” message, the app comes up in the foreground (Frida spawns it because of -f) and the root warning it normally shows on a rooted device no longer appears.
Any suggestions or feedback are always welcome.
Thanks for reading…..Happy Pentesting……