Android Bypass Root Detection
ssooking Lv5
  2020-09-29 16:27:00 2020-09-29 16:27    

常见方法

RootCloak

RootCloak是非常流行的Xposed模块,可用于隐藏设备的根状态。即使模块的回购页面显示“具有5.x和6.x支持”并且我的设备运行的是Android 9.0,我仍然尝试过。

***Bypass Root Check Using Xposed:
*1) Install Xposed https://repo.xposed.info/module/de.robv.android.xposed.installer
2) Install “RootCloak” (Xposed Module)
3) Open RootCloak > Add/Remove Apps > (select target app) and tap it.
4) Done! (open app and check if it’s works)

UnRootBeer

UnRootBeer](https://github.com/jakev/unrootbeer)是另一个Xposed模块,专门开发用于禁用RootBeer库执行的检查。要使用此工具,只需安装[APK文件](https://github.com/jakev/unrootbeer/raw/master/out/jakev.unrootbeer-debug.apk),然后重新启动设备以激活该模块。

Objection

Objection是由Frida提供支持的运行时工具包。使用命令android root disable,异议将尝试绕过应用程序的根检测机制。

1
objection -g "com.navinfo.gw" explore

Magisk隐藏

Magisk的功能之一是Magisk Hide,它可用于绕过根检测和系统完整性检查。

从Magisk v20.4开始,默认情况下将禁用Magisk Hide。要启用此功能,请打开Magisk Manager,在边栏中单击设置,将Magisk Hide选项切换为ON ,然后重新启动应用程序。

RootBeer Sample添加到Magisk Hide之后,结果是接近完美的分数,通过了11张检查中的10张。

Fridantiroot

下一个工具涉及Frida,它是一个动态的检测工具包,可用于篡改应用程序的过程。在本实验中,使用了公共可用的JS脚本(Fridantiroot)。但是,此脚本在我的设备上不起作用。

幸运的是,我发现了适用于我的设备的Fridantiroot修改版本

1
frida -U --no-pause -f com.xxxx.xxx -l root_bypass.js

手工分析APK

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
Bypass Root Check Manual Way:
1) Decompile the APK file using “APKTool”
# apktool d /path/to/apk/target.apk -o /path/to/output/
(“d” for “decompile” and “-o” for output dir)
2) Most root detection techniques rely on checking for files on the OS that indicate the device has been rooted. Using GREP, search for any of the follow strings and change them to something random:
- Superuser
- Supersu
- /su
- /system/app/Superuser.apk
- /system/bin
- /system/bin/su
- /system/sd/xbin
- /system/xbin/su
- /system/xbin
- /data/local
- /data/local/bin
- /data/local/xbin
- /sbin
- /system/bin/failsafe
- /vendor/bin
Note: Other detection techniques look for any of the below-installed packages on the mobile device at runtime:
- supersu.apk
- Busybox
- Root Cloak
- Xpose framework
- Cydia
- Substrate
3) Build the new version of APK with APKTool:
# apktool b /path/to/modified apk/target-new.apk -o /path/to/output/
(“b” for “build” and “-o” for output dir)
4) Sign with jarsigner tool
# /path/to/my-key.keystore -storepass password -keypass password target-new.apk alias_name
(You may need to generate the keystore first with keytool:)
# keytool -genkey -v -keystore my-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity10000
5) Finally, install the new version and enjoy!

参考

Comparison of Different Android Root-Detection Bypass Tools

Android: How to Bypass Root Check and Certificate Pinning

Android root detection bypass by reverse engineering APK

  • Post title:Android Bypass Root Detection
  • Post author:ssooking
  • Create time:2020-09-29 16:27:00
  • Post link:https://ssooking.github.io/2020/09/android-bypass-root-detection/
  • Copyright Notice:All articles in this blog are licensed under BY-NC-SA unless stating additionally.