Android App Penetration Testing & Frida Hooks

Zero to Bypass: Crafting Custom Frida Scripts for Unique Android Root Detection Challenges


Introduction to Android Root Detection and Frida

Android applications, especially those handling sensitive data like banking apps or games, often implement robust root detection mechanisms. These checks are designed to prevent the app from running on compromised devices, where security guarantees are diminished, and attackers might gain privileged access to manipulate app behavior or data. For penetration testers and security researchers, bypassing these checks is a fundamental skill in assessing the true security posture of an application.

Frida, a dynamic instrumentation toolkit, stands out as the ultimate weapon in this cat-and-mouse game. It allows you to inject snippets of JavaScript (or other languages) into native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX. With Frida, you can hook into functions, inspect memory, modify arguments, and even call unexported functions, making it incredibly powerful for reversing and bypassing security controls on Android.

Common Root Detection Methodologies

Before we can bypass, we must understand what we’re up against. Android apps employ various techniques to detect a rooted environment:

File System Checks

One of the most common methods involves checking for the existence of specific files or directories commonly associated with a rooted device or rooting tools. This includes paths like:

  • /system/app/Superuser.apk
  • /sbin/su
  • /system/bin/su
  • /system/xbin/su
  • /data/local/xbin/su
  • /data/local/bin/su
  • /system/sd/xbin/su
  • /system/bin/failsafe/su
  • /data/local/su
  • /magisk/.core/magisk (for Magisk root)
  • /system/app/MagiskManager (for Magisk Manager)

A typical Java implementation might look like this:

    import java.io.File;

    public boolean isRootedFileExists() {
        // Well-known locations of su binaries and root-manager artefacts
        String[] paths = {
            "/sbin/su", "/system/bin/su", "/system/xbin/su",
            "/data/local/xbin/su", "/data/local/bin/su",
            "/system/sd/xbin/su", "/system/bin/failsafe/su",
            "/data/local/su", "/magisk/.core/magisk"
        };
        for (String path : paths) {
            if (new File(path).exists()) {
                return true;   // any single hit is treated as a rooted device
            }
        }
        return false;
    }

Package Name Checks

Applications can also check for the presence of known root-management apps or other security tools by querying the device’s installed packages:

  • com.noshufou.android.su (Superuser)
  • eu.chainfire.supersu (SuperSU)
  • com.topjohnwu.magisk (Magisk Manager)
  • de.robv.android.xposed.installer (Xposed Installer)

Example Java code:

    import android.content.Context;
    import android.content.pm.ApplicationInfo;
    import android.content.pm.PackageManager;
    import java.util.List;

    public boolean isRootRelatedPackageInstalled(Context context) {
        PackageManager pm = context.getPackageManager();
        // Enumerate every installed application (flags 0 = no extra metadata)
        List<ApplicationInfo> packages = pm.getInstalledApplications(0);
        String[] rootPackages = {
            "com.noshufou.android.su", "eu.chainfire.supersu",
            "com.topjohnwu.magisk", "de.robv.android.xposed.installer"
        };
        for (ApplicationInfo packageInfo : packages) {
            for (String rootPackage : rootPackages) {
                if (packageInfo.packageName.equals(rootPackage)) {
                    return true;   // a known root-management package is present
                }
            }
        }
        return false;
    }

Property Checks

Certain system properties can indicate a rooted or emulated environment, such as:

  • ro.build.tags=test-keys
  • ro.secure=0
  • ro.debuggable=1

These can be checked using System.getProperty() or by executing shell commands like getprop.

    public boolean checkSystemProperties() {
        // Build.TAGS mirrors ro.build.tags; "test-keys" means a non-production signing key
        String buildTags = android.os.Build.TAGS;
        if (buildTags != null && buildTags.contains("test-keys")) {
            return true;
        }
        // Can also execute "getprop ro.secure" via Runtime.exec() and check the output
        return false;
    }
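The comment in the snippet above mentions reading ro.secure through getprop but does not show it. The following class is an added example, not code from the original article: it runs the getprop binary with ProcessBuilder, reads the output without deadlocking on the pipe, and evaluates the three indicators listed in this section. The class and method names are my own; the two-second timeout uses Process.waitFor(long, TimeUnit), which Android provides from API 26 onward.

```java
import android.os.Build;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.concurrent.TimeUnit;

/**
 * Added example (not from the original article): reads Android system
 * properties via the getprop binary and evaluates the indicators above.
 */
public final class SystemPropertyRootCheck {

    /** Runs "getprop <name>" and returns its trimmed output, or null on any failure. */
    static String getProp(String name) {
        Process process = null;
        try {
            process = new ProcessBuilder("getprop", name)
                    .redirectErrorStream(true)   // merge stderr so a single read drains everything
                    .start();
            StringBuilder out = new StringBuilder();
            // Drain stdout *before* waiting, otherwise a full pipe can block the child.
            try (BufferedReader reader = new BufferedReader(
                    new InputStreamReader(process.getInputStream()))) {
                String line;
                while ((line = reader.readLine()) != null) {
                    out.append(line);
                }
            }
            // Never let a missing or stalled getprop hang the caller (API 26+).
            if (!process.waitFor(2, TimeUnit.SECONDS)) {
                return null;
            }
            return process.exitValue() == 0 ? out.toString().trim() : null;
        } catch (IOException | InterruptedException e) {
            return null;
        } finally {
            if (process != null) {
                process.destroy();
            }
        }
    }

    /** ro.build.tags=test-keys: the image was signed with non-production keys. */
    public static boolean hasTestKeys() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    /** ro.secure=0: adbd runs as root and many sandbox restrictions are relaxed. */
    public static boolean isInsecureBuild() {
        return "0".equals(getProp("ro.secure"));
    }

    /** ro.debuggable=1: userdebug/eng build, every app is debuggable. */
    public static boolean isDebuggableBuild() {
        return "1".equals(getProp("ro.debuggable"));
    }

    /** Combined verdict; callers normally log which indicator fired, not just the boolean. */
    public static boolean looksRooted() {
        return hasTestKeys() || isInsecureBuild() || isDebuggableBuild();
    }
}
```

Two caveats worth keeping in mind when you use these signals in a real detector: stock emulator images and userdebug builds report ro.debuggable=1 without anyone having rooted them, so a single property hit should be treated as a signal rather than proof; and because the values are read from the same process the check protects, they should be combined with the file and package checks rather than trusted on their own.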

Signature/Certificate Checks

Some advanced apps verify the integrity of their own signature or other system components, or even check for known custom ROM certificates. While powerful, this is generally harder to bypass with basic Frida hooks and often requires patching the APK directly.
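As an added example (my own code, not from the article or any particular app), this is what the "verify its own signature" check typically looks like: the app asks PackageManager for its signing certificate, hashes it with SHA-256 and compares the result with a value compiled into the binary. The class name and the EXPECTED_CERT_SHA256 placeholder are assumptions; the expected value would be the hash of your release certificate. It assumes a single-signer APK.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example (not from the original article): compares the SHA-256 of the
 * app's own signing certificate with a hash compiled into the binary.
 */
public final class SignatureCheck {

    // PLACEHOLDER: the SHA-256 of the release signing certificate, lowercase hex,
    // e.g. as printed by `apksigner verify --print-certs app.apk`.
    private static final String EXPECTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    /** Returns the certificates that signed this APK, using the non-deprecated API on API 28+. */
    @SuppressWarnings("deprecation")
    static Signature[] currentSigners(Context context)
            throws PackageManager.NameNotFoundException {
        PackageManager pm = context.getPackageManager();
        String pkg = context.getPackageName();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            if (info.signingInfo == null) {
                return new Signature[0];
            }
            // Current signers only; past certificates from key rotation are not included.
            return info.signingInfo.getApkContentsSigners();
        }
        PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
        return info.signatures == null ? new Signature[0] : info.signatures;
    }

    /** Lowercase hex SHA-256 of the DER-encoded certificate. */
    static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** True only when exactly one signer is present and it matches the expected hash. */
    public static boolean isSignatureValid(Context context) {
        try {
            Signature[] signers = currentSigners(context);
            if (signers.length != 1) {
                return false;   // multi-signer or unsigned: not what we shipped
            }
            byte[] actual = sha256Hex(signers[0].toByteArray())
                    .getBytes(StandardCharsets.US_ASCII);
            byte[] expected = EXPECTED_CERT_SHA256.getBytes(StandardCharsets.US_ASCII);
            // Constant-time comparison; same length is guaranteed by the fixed hex width.
            return MessageDigest.isEqual(actual, expected);
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;   // fail closed on any lookup or digest error
        }
    }
}
```

This catches a repackaged APK, which must be re-signed with a different certificate. It is still, as the text says, a check that runs inside the process it protects, which is why it is usually paired with a server-side attestation rather than relied on alone.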

Setting Up Your Frida Environment

Before diving into custom scripts, ensure your Frida environment is ready:

Prerequisites

  • Python 3: Required for frida-tools.
  • Android SDK & ADB: For interacting with your Android device.
  • Rooted Android Device or Emulator: With USB debugging enabled.
  • Frida-server: The Frida agent running on your Android device.

Installation Steps

  1. Install Frida Tools on your host machine:
    pip install frida-tools
  2. Download Frida-server: Go to the Frida releases page and download the frida-server binary matching your device’s architecture (e.g., arm64, x86_64) and Frida version.
  3. Push Frida-server to your device:
    adb push /path/to/frida-server /data/local/tmp/frida-server
  4. Set executable permissions and run Frida-server:
    adb shell
    chmod 755 /data/local/tmp/frida-server
    /data/local/tmp/frida-server &
  5. Verify Frida-server is running:
    frida-ps -U

    This command should list processes on your USB-connected device.

Identifying Root Checks with Dynamic Analysis

Identifying *where* root checks occur is crucial. We combine static and dynamic analysis.

Initial Reconnaissance with frida-trace

frida-trace is an excellent starting point. It allows you to hook common Android APIs and log their calls, helping you pinpoint potential root detection points. Note that -i selects native exports; Java methods are selected with -j using class!method glob patterns. For example, to trace file system access and package manager queries:

    frida-trace -U -f com.example.app --decorate -j "*File!exists" -j "*PackageManager!getPackageInfo" -j "*Runtime!exec" -j "*System!getProperty"

Run the app, trigger the root check (if possible), and observe the output. This will show you which methods are being called. If you see repeated calls to File.exists("/sbin/su"), you’ve found a target.

Decompilation and Static Analysis

Use tools like Jadx-GUI or Ghidra to decompile the target APK. Search for keywords like
