RevEnge! Reverse engineering android apps to bypass root detection capabilities for mobile app-pentesting

Shayan Ahmed Khan
6 min read · Nov 5, 2022


Root and emulator detection capabilities are common these days in most Android apps, which makes it harder for pen-testers and reverse engineers to test applications. Root detection is needed to stop actual adversaries from prying into the internal workings of Android applications. However, hackers are highly skilled individuals, therefore complete black-box testing of Android applications is very important, and bypassing root detection is the first step for Android and mobile application pen-testing.

In this article, my work focuses more on reverse engineering of Android applications than on penetration testing. I will explain the steps to pull an APK file from the Play Store, reverse engineer it to find and remove the root detection code inside the APK, and repackage it to run on a rooted emulator device.

The tools that I use are:

  • Apktool
  • Jadx-gui
  • jd-gui
  • dex2jar
  • MobSF
  • jarsigner
  • zipalign
  • Android studio platform tools and emulator devices

Let's start with finding the application from the Play Store that must be tested. For that, install Android Studio along with its platform tools and software development kit. It will automatically install a basic emulator device on the system which includes the Play Store. We need two emulators: one which contains the Play Store for finding and pulling the Android apps from the store, and another rooted device without the Play Store for testing applications.

Root detection alert

This is the root detection alert that pops up when the application is started in the emulator; when the OK button is pressed, the app exits itself. This is the case in most Android applications, to prevent hackers from reverse engineering these apps. However, in black-box penetration testing or red teaming we have to bypass these checks to test the application further. For pulling the app from the Android emulator device, I will use adb shell. adb is installed by default with the Android Studio platform tools.

Just open adb shell and look for the third-party packages installed on it with the command shown in the screenshot below:

adb shell listing packages

The listed package is the application that I am trying to reverse engineer. To pull it out I need to find the actual path, which I can find by running the command “pm path package-name”.

adb shell finding package path

Note: For some applications there might be multiple files instead of one. In such cases, you have to manually combine these files into a single APK file. Multiple tools are available that can combine split APKs; SAP (split APKs) is a tool that can be used to merge the split APKs for further testing.

To pull out the APK file, I used the adb pull command with the path of the APK file. I can export the files to the system and start analysis.

Reversing starts here. To analyze the code I will use Jadx-GUI. It is an excellent Java decompiler that is very easy to use and lets me explore the code of the whole package. The first major task is to find the starting activity so we can trace the root detection code and then try to bypass it. I mostly use MobSF for the static analysis of Android APKs. It is a powerful automated static analysis tool which makes our job easier by listing all the important information on a single page, including the starting activities.

MobSF static analysis report

So the first activity that is called whenever this application is opened in the emulator is SplashActivity. In Jadx-GUI, I searched for the activity and found some interesting code in it. In the onCreate method, a particular function is called which returns either true or false. If the result is true, a rooted device error message is displayed and the app exits. If that function returns false, the device is considered not rooted and the app continues. I will analyze further what that function does.

Rooted Device Alert Code

In the screenshot above, it is clear that root detection is handled in function i() of class m. In Jadx-GUI, I can double-click a function and it automatically takes me to its source code, which is very convenient, especially while reversing highly obfuscated applications.

Root Detection Code

So the function i() is in turn calling multiple other functions that check whether the device is rooted, is running in an emulator, contains Google APIs, and much more. Since I have been able to track down the original function that returns the boolean for whether the device is rooted or not, I can simply patch it to always return false. For that I must change the code in smali, because Jadx-GUI cannot patch applications.

Note: In some high-security apps, the code is obfuscated and Jadx-GUI is not able to decompile some highly obfuscated parts of an application. That is why I also use dex2jar and jd-gui to try to decompile even highly obfuscated code that does not contain ASCII characters.

To patch applications, I use apktool to first decompile the APK package into smali classes, then change the code in smali syntax, and repackage the application again. The first step is to decompile the package. The command for decompiling apps using apktool is simple:

apktool d app_package.apk -o decompiled_folder_name

apktool decompilation

From Jadx-GUI, I can get the path of the function that I want to patch. It was a folder in the smali classes with the package name q → m.smali. In this file there is a method named i().

Root detection function in smali

I just need to remove all unnecessary code and simply return false from this function. So I learned the smali syntax and returned false while removing all unnecessary code from the method.

Patched root detection function in smali

So the app is patched; just repackage the application, sign it, and drag and drop it into the emulator for installation.

Repackaging patched apk

I used jarsigner to sign the application with a self-signed certificate. This is needed because Android doesn't allow apps to run if they are not signed. The APK can then be installed and run on the emulator to see whether the root detection code is bypassed or not.
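Re-signing the repackaged APK with a self-signed certificate, as done above with jarsigner, replaces the developer's signing certificate. The defensive counterpart, added here as an example that is not part of the original article or of the analyzed app, is a runtime check in which the app compares the SHA-256 fingerprint of its own signing certificate against the value the developer expects; EXPECTED_SHA256 is a placeholder to be replaced with the real release certificate fingerprint.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;

public final class SigningCheck {
    // Placeholder: replace with the SHA-256 fingerprint of the release certificate
    // (for example as printed by `apksigner verify --print-certs` or keytool).
    private static final String EXPECTED_SHA256 =
        "PLACEHOLDER:REPLACE:WITH:RELEASE:CERT:SHA256";

    private SigningCheck() {}

    /** Returns true only if the installed APK is signed by the expected certificate. */
    public static boolean isSignedByExpectedCert(Context ctx) {
        try {
            PackageManager pm = ctx.getPackageManager();
            // API 28+: GET_SIGNING_CERTIFICATES replaces the deprecated GET_SIGNATURES.
            PackageInfo info = pm.getPackageInfo(
                ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
            // Multiple simultaneous signers are not expected for a single release key.
            if (info.signingInfo.hasMultipleSigners()) return false;
            // The history covers key rotation; a re-signed APK has a different lineage.
            Signature[] signers = info.signingInfo.getSigningCertificateHistory();
            for (Signature s : signers) {
                if (EXPECTED_SHA256.equalsIgnoreCase(fingerprint(s.toByteArray()))) {
                    return true;
                }
            }
            return false;
        } catch (Exception e) {
            // Any failure to read the signature is treated as "not trusted".
            return false;
        }
    }

    /** Hex, colon-separated SHA-256 of the DER-encoded certificate. */
    private static String fingerprint(byte[] der) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }
}
```

Because this check runs inside the same APK, it can be patched in smali exactly like the root check above, so it is one layer of defense to be combined with server-side attestation rather than a guarantee.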

Root detection bypassed

In the above screenshot, it can be seen that the Android application is running successfully and the initial root message is not shown. Reverse engineering is a very powerful methodology that can be used for both legitimate and illegitimate purposes. The main idea of this exercise is to guide beginner security researchers and to show that hackers are highly skilled individuals who rely on reverse engineering, which signifies its importance.

The screenshots are blurred for the safety and security of the app so that it can't be targeted.


Shayan Ahmed Khan

My articles are a gesture of giving something back to the community as open-source, free work. Check out my GitHub: https://github.com/shaddy43