What is Cross-Site Request Forgery?
Introduction
Mobile application security testing is a critical aspect of ensuring the security of Android apps. Among the various security mechanisms used in mobile app development, root detection is one of the common techniques employed to prevent apps from running on rooted devices. Rooted devices, which have elevated privileges and unrestricted access to the device’s system files and settings, can potentially be exploited by malicious actors to gain unauthorized access or perform malicious activities within the app.
However, attackers can bypass root detection mechanisms using various techniques and tools, posing a significant security risk to the app and the underlying device. One such tool that has gained popularity in the security community for bypassing Android root detection is Frida, a dynamic instrumentation toolkit. In the following sections, we will explore the concept of root detection, the potential risks associated with root detection bypass, and the use of Frida as a tool for bypassing Android root detection.
Understanding Root Detection:
Root detection is a security mechanism used by app developers to determine if a device has been rooted or has superuser (root) access. It typically involves checking for the presence of certain files or binaries that are associated with root access, or verifying the existence of specific system properties that indicate the presence of root access. By detecting root access, apps can prevent certain actions, such as accessing sensitive data or performing privileged operations, from being executed on rooted devices.
Root detection mechanisms can be implemented using various techniques, such as third-party libraries, custom code, or a combination of both. Common methods used in root detection include checking for the existence of su binary, checking system properties like “ro.secure” or “ro.debuggable”, or detecting the presence of known files or directories associated with root access. These mechanisms are typically implemented during app runtime, and their effectiveness depends on the specific implementation and the root access detection techniques used.
These are the tools needed before you start bypassing the Root Detection of a Mobile Application:
- Android Studio – A tool called Android Studio is used by developers to create mobile applications, and you can use it to create an emulator for Android Pentesting.
- ADB – A command-line tool that allows you to interact with a device is called Android Debug Bridge (adb). Download SDK here:
https://developer.android.com/studio/releases/platform-tools
- Frida – It’s a dynamic code instrumentation toolkit. It enables you to insert JavaScript or your own libraries into native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX.
- AndroGoat – is a deliberately vulnerable Android application designed for educational and training purposes. It is similar to OWASP WebGoat, which is a vulnerable web application used for learning and practicing web application security testing. AndroGoat is specifically designed for mobile application security testing and provides a hands-on learning experience for understanding and mitigating common security vulnerabilities in Android apps.
Here are the steps to bypass root detection using Frida (Emulator):
1.Downlading the SDK from the Provided Link
https://developer.android.com/studio/releases/platform-tools
2. Extracting the Downloaded Zip File
3. Moving the Extracted File to a Secure Directory with the following command below
% sudo mv platform-tools /etc
4. Navigating to the directory where the Platform-Tools are moved
% cd /etc/platform-tools
%ls
5. Adding the adb or the platform-tools to /etc/paths directory
%cd /etc
%vim paths
6. Utilizing the adb command anywhere in your terminal
%adb
7. Installing Frida tool and verifying the installed version with the following commands
% pip3 install Frida-tools
% frida –version
8. Establishing connection to your Device/Emulator with adb and verifying the architecture with the command below
% adb shell
- Download the latest frida-server https://github.com/frida/frida/releases (Note: Downloading the compatible architecture for your Device/Emulator, e.g. x86))
10. Once you downloaded the frida-server, push the file into the device/emulator using the following command
%adb push file-name /data/local/tmp/
11. Change the permission of the frida-server to 755 to be able to execute the file later using this command
% adb shell “chmod 755 /data/local/tmp/file-name“
12. Enabling root access for adb with the command to restart adbd with root permission
%adb root
13. Establishing connection to your Device/Emulator with the command to interact with the frida-server and navigating to the /data/local/tmp/ directory
% adb shell
# cd /data/local/tmp
14. After that switch user to root to be able to execute the frida-server
# su root
15. Launching the frida-server with the command for execution
# ./file-name
16. Once the frida-server is up, open the application that you want to bypass the Root Detection. In this case we are going to use AndroGoat a deliberately vulnerable Android application designed for educational and training purposes.
17. To validate that the device is rooted we used the Root Checker application and there is a button in AndroGoat that identifies that the device/emulator is rooted
(Image above shows the application has Root Detection)
18. Identifying the Application Identifier of the vulnerable application with the command after verifying device root access
% frida-ps -Ua
19. Once you got the Application Identifier, use this command to bypass the Root Detection of the application
% frida -U -f app-identifier –codeshare dzonerzy/fridantiroot/ –no-pause
- -U, –usb > connect to USB device
- -f TARGET > spawn FIL
- –codeshare > load CODESHARE_URI
- –no-pause > automatically start a main thread after startup
(Image above shows that Frida is sending payload to bypass the Root Detection of the Application)
20. After Frida sent the payload the application will respawn and bypassed the Root Detection.
(Image above shows that Frida was able to bypass the Root Detection of the application)
Recommendation
To prevent Android root detection bypass using Frida, app developers should implement additional security measures, such as using obfuscation techniques, implementing custom root detection methods, and regularly updating and patching the app to address any vulnerabilities or security flaws. Developers can also use third-party security libraries, such as DexGuard, to protect the app from reverse engineering and tampering.
Conclusion
In conclusion, root detection is a common security mechanism used in mobile app development to prevent app execution on rooted devices. However, attackers can bypass root detection mechanisms using various techniques and tools, posing a significant security risk. Frida, a dynamic instrumentation toolkit, is one such tool that has gained popularity in the security community for bypassing Android root detection. Understanding these bypass techniques is crucial in identifying and mitigating potential vulnerabilities in mobile applications. By staying informed and proactive in addressing root detection bypass, we can contribute to the overall security of Android apps and protect sensitive data from potential exploitation by malicious actors.
References
- https://github.com/frida/frida/releases
- https://developer.android.com/studio/releases/platform-tools
- https://frida.re/docs/android/
- https://github.com/satishpatnayak/AndroGoat
