In this article we will look at one way to bypass root detection in an Android application. Many applications, particularly financial and banking apps, refuse to run on a rooted device. Penetration testing, however, usually requires root so that the tools used to test the application can be installed, and a root check that stops the app at launch blocks the tester from running any test cases against it.
There are many ways to bypass root detection. Here we focus on one of them: reverse engineering (decompiling) the APK, removing the root detection logic, rebuilding and re-signing the APK, and running the result on a rooted device.
We will need the following tools at the various stages of bypassing the root detection logic used in the application.
Apktool: tool for reverse engineering Android APK files. Here it is used to unpack the APK into smali and resources and to rebuild it.
Dex2jar: converts Android dex files to Java class/jar files.
JD-GUI: Java decompiler used to view the Java source.
Sublime/Notepad++: text editor used to edit the root detection logic.
Keytool: Java tool for creating keys and certificates, shipped with the JDK.
Jarsigner: Java tool for signing JAR/APK files, shipped with the JDK.
Zipalign: archive alignment tool, shipped with the Android SDK build-tools.
Now we reverse engineer the application to find out which technique it uses to detect root. First we use the d2j-dex2jar tool to convert the dex code inside the APK into a jar of Java class files.
Run d2j-dex2jar on the Test.apk file as illustrated in the screenshot below.
This gives us the converted version of the APK, i.e. the Test_dex2jar.jar file. We now open that jar in JD-GUI, which decompiles the classes back to readable Java, and look for the root detection logic.
In JD-GUI we search for keywords such as isDeviceRooted, root, RootUtils, /sys, /system, superuser, /su, Superuser, SuperSU and /sbin to find the exact methods involved.
As illustrated in the screenshot above, the JD-GUI search finds the class RootDetector.class, which contains the string "/system". We open the class and read its Java code.
The root detection logic is implemented in RootDetector.class: at runtime the application checks whether files and packages associated with root access, such as Superuser.apk and the su binary, are present on the device, and if it finds any of them it stops running.
Now we unpack the APK with apktool, which produces editable smali (Dalvik assembly) rather than Java, using the command below.
apktool d <apk_file_path>
In the unpacked folder, locate RootDetector.smali (under smali/ or smali_classesN/, following the package path). Open it in a text editor and change the strings the checks look for, i.e. the const-string literals holding paths and package names such as "/system/bin/su" or "Superuser.apk", to values that will never exist on the device, as shown in the screenshot below. Because the detection only reports a rooted device when one of these files or packages is found, none of the checks can now succeed. Changing only the string constants leaves registers, method signatures and control flow untouched, which is why the rebuild works without further edits; alternatively the detection method itself can be patched to return false unconditionally, but that requires more care with the smali.
Save the changes and rebuild the application with apktool using the command below.
apktool b <decompiled_apk_folder_path>
The rebuilt APK is written to the dist folder inside the unpacked directory. It is unsigned, and Android refuses to install an unsigned APK; since we do not have the developer's signing key, we generate our own with keytool using the command below.
keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
Now sign the APK with the generated key using jarsigner and the command below.
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore Test.apk alias_name
SHA1 is used here only because it is what the tool defaulted to at the time; SHA256withRSA with -digestalg SHA-256 works the same way and is the current default. Note that jarsigner produces only a v1 (JAR) signature. On Android 11 and later, apps targeting API level 30 or higher must carry a v2 or newer signature; in that case sign with apksigner from the SDK build-tools instead, and run zipalign before apksigner rather than after it, because v2 signatures cover the whole archive.
Finally, the APK must be aligned so that the platform can load its uncompressed resources efficiently, which is done with zipalign using the command below.
zipalign -v 4 Test.apk Test-aligned.apk
Now install the aligned APK on the rooted device. Because it is signed with a different key than the original, uninstall the original app first, otherwise the install fails with a signature mismatch (INSTALL_FAILED_UPDATE_INCOMPATIBLE). The application now starts and works on the rooted device. Keep in mind that this only defeats the checks implemented in the Java code we patched; if the app also detects root from native code, verifies its own signing certificate, or relies on server-side attestation, further work is needed.
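The whole procedure above, unpack, patch the strings in RootDetector.smali, rebuild, sign, align and install, collected into one script. This is an added example and not code from the original article. The smali fragment it patches is constructed here to illustrate the kind of const-string literals the article describes (the class name, the paths and the method are hypothetical, not the real Test.apk); the string patching step runs offline on that sample, while the apktool, keytool, jarsigner, zipalign, aapt and adb steps only run when an APK path is passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the original article: the article's procedure as one
# script. Step 1 (patching the root-indicator strings in RootDetector.smali)
# runs offline against a constructed smali fragment; the remaining steps wrap
# apktool, keytool, jarsigner, zipalign, aapt and adb as the article uses them
# and only run when an APK path is given as $1. Class name, strings and sample
# are illustrative, not the real Test.apk.
set -eu

# Root indicators, matched against each const-string literal (ERE).
ROOT_INDICATORS='(^|/)su$|Superuser|[Ss]uper[Ss][Uu]|busybox|[Mm]agisk|test-keys'

# Constructed sample of what RootDetector.smali might contain after
# "apktool d" (hypothetical; real smali has more instructions around these).
write_sample_smali() {
    cat > "$1" <<'EOF'
.class public final Lcom/example/RootDetector;
.super Ljava/lang/Object;

.method private static suPaths()V
    .locals 1
    const-string v0, "/system/bin/su"
    const-string v0, "/system/xbin/su"
    const-string v0, "/sbin/su"
    const-string v0, "/system/app/Superuser.apk"
    const-string v0, "eu.chainfire.supersu"
    const-string v0, "test-keys"
    const-string v0, "/system/fonts/Roboto.ttf"
    return-void
.end method
EOF
}

# Count const-string literals in a smali file that look like root indicators.
count_root_strings() {
    grep -E 'const-string' "$1" \
        | sed -E 's/.*"([^"]*)".*/\1/' \
        | grep -Ec "$ROOT_INDICATORS" || true
}

# Rewrite every matching const-string literal to a path that cannot exist, so
# each file/package check fails. Only the literal changes: registers, method
# signatures and control flow stay intact, which is why "apktool b" still
# succeeds. (Literals containing escaped quotes are not handled here.)
patch_root_strings() {
    file=$1; tmp="$file.tmp"; q='"'; n=0
    : > "$tmp"
    while IFS= read -r line; do
        case $line in
            *const-string*)
                value=${line#*$q}; value=${value%$q*}
                if printf '%s\n' "$value" | grep -Eq "$ROOT_INDICATORS"; then
                    n=$((n + 1))
                    line=${line%$q*$q}$q/nonexistent/$n$q
                fi ;;
        esac
        printf '%s\n' "$line" >> "$tmp"
    done < "$file"
    mv "$tmp" "$file"
}

# Unpack, patch, rebuild, sign, align, install (needs apktool, JDK,
# Android build-tools and adb on PATH).
rebuild_apk() {
    apk=$1; work=${apk%.apk}; out="$work-aligned.apk"
    apktool d "$apk" -o "$work"
    # Same keyword search the article does in JD-GUI, over the smali tree.
    grep -rliE 'superuser|supersu|/su"|busybox|magisk|test-keys' "$work"/smali* || true
    find "$work" -path '*/smali*' -name 'RootDetector.smali' \
        | while IFS= read -r f; do patch_root_strings "$f"; done
    apktool b "$work" -o "$work-patched.apk"
    [ -f my-release-key.keystore ] || keytool -genkey -v -keystore my-release-key.keystore \
        -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
    # jarsigner gives a v1 signature only; for apps targeting API 30+ use
    # apksigner instead and run zipalign BEFORE signing.
    jarsigner -verbose -sigalg SHA256withRSA -digestalg SHA-256 \
        -keystore my-release-key.keystore "$work-patched.apk" alias_name
    zipalign -v 4 "$work-patched.apk" "$out"
    # Our key differs from the original, so the original install must go first.
    pkg=$(aapt dump badging "$out" | sed -n "s/^package: name='\([^']*\)'.*/\1/p")
    adb uninstall "$pkg" || true
    adb install "$out"
}

# Offline demonstration on the constructed sample.
demo() {
    d=$(mktemp -d); f="$d/RootDetector.smali"
    write_sample_smali "$f"
    echo "root indicators before: $(count_root_strings "$f")"
    patch_root_strings "$f"
    echo "root indicators after:  $(count_root_strings "$f")"
    grep const-string "$f"
    rm -rf "$d"
}

if [ "$#" -ge 1 ]; then rebuild_apk "$1"; else demo; fi
```

Run it without arguments to see the sample fragment before and after patching; run it as `sh bypass.sh Test.apk` to perform the full rebuild. The patching deliberately touches only the string literals, the same edit the article makes by hand, so the rebuilt smali still assembles; the keyword grep over the smali tree is there to catch root checks living in classes other than RootDetector, which the JD-GUI search would also have surfaced.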