Introduction to Android Root Detection and Dynamic Analysis

In the realm of mobile application security, developers often implement mechanisms to detect if an Android device has been rooted. Root detection is employed by sensitive applications like banking apps, DRM-protected media players, and games to prevent tampering, ensure data integrity, and enforce license agreements. While these measures enhance security, they pose a significant challenge for penetration testers, security researchers, and even legitimate power users.

Why Apps Detect Root?

Rooting an Android device grants superuser privileges, allowing users to modify system files, install custom ROMs, and bypass security restrictions. From an app developer’s perspective, a rooted device is an untrusted environment where the app’s code or data could be compromised. Common threats include:

• Accessing sensitive data stored in private app directories.
• Bypassing payment mechanisms or license checks.
• Modifying app behavior for malicious purposes (e.g., cheating in games).
• Running the app in a debuggable state on a production device.

Enter Frida: The Dynamic Instrumentation Toolkit

Frida is a powerful, open-source dynamic instrumentation toolkit that allows developers and security researchers to inject JavaScript snippets into native applications on Windows, macOS, Linux, iOS, Android, and QNX. It enables you to hook into functions, inspect arguments, modify return values, and even call private functions at runtime. For Android penetration testing, Frida is an indispensable tool for bypassing various security controls, including root detection, SSL pinning, and obfuscation.

Setting Up Your Android Penetration Testing Environment

Before we dive into bypassing root detection, ensure you have the necessary tools set up.

Prerequisites

• A rooted Android device or an emulator (e.g., AVD, Genymotion) with root access.
• ADB (Android Debug Bridge) installed and configured on your host machine.
• Python 3 installed on your host machine.

Installing Frida Server on Android

Frida operates on a client-server model. The Frida client runs on your host machine, and the Frida server runs on the target Android device. The server mediates the communication and performs the actual instrumentation.

1. Download Frida Server: Visit the Frida releases page and download the `frida-server` file corresponding to your device’s architecture (e.g., `arm64`, `arm`, `x86`, `x86_64`). You can determine your device’s architecture using `adb shell getprop ro.product.cpu.abi`.

2. Push to Device: Transfer the `frida-server` binary to your Android device’s `/data/local/tmp/` directory, which is typically writable.

   adb push /path/to/your/frida-server /data/local/tmp/frida-server

3. Set Permissions and Execute: Grant executable permissions to the `frida-server` binary and run it.

   adb shellsu -c "chmod 755 /data/local/tmp/frida-server"su -c "/data/local/tmp/frida-server &"

   The `&` puts the server in the background, allowing you to continue using the shell. Verify it’s running by checking for a listening port (e.g., 27042) or using `ps`.

Installing Frida Tools on Your Host Machine

On your host machine, install the Frida Python tools using `pip`:

pip install frida-tools

After installation, you can test connectivity:

frida-ps -U

This command lists all running processes on the USB-connected device (`-U`). If you see a list of processes, your setup is correct.

Understanding Common Root Detection Mechanisms

Before bypassing, it’s crucial to understand how applications detect root. Common methods include:

• File System Checks

  Apps look for common root-related files and directories, such as `/system/bin/su`, `/system/xbin/su`, `/data/local/tmp/su`, `/system/app/Superuser.apk`, `/sbin/magisk`, etc.

• Binary Checks (`su`, `busybox`)

  Executing `which su` or attempting to run the `su` command and checking its exit status or output. Some apps also check for `busybox`.

• Property Checks

  Inspecting system properties like `ro.secure` (should be 1), `ro.build.tags` (should be `release-keys` for stock), or `ro.build.type` (should be `user`). Custom ROMs or rooted devices often have different values.

• PackageManager Checks

  Querying the `PackageManager` for installed packages that indicate root (e.g., `com.noshufou.android.su`, `eu.chainfire.supersu`, `com.topjohnwu.magisk`).

• Dangerous App Permissions

  Checking if any app has dangerous permissions often associated with root management apps.

• SELinux Status

  Checking if SELinux is in `permissive` mode, which is common on rooted devices.

Practical Bypass: Hooking `java.io.File.exists()` and Other Checks

Let’s demonstrate how to bypass a common root detection technique: checking for the existence of `su` binaries or root-related files. We’ll write a Frida script to hook `java.io.File.exists()`.

Identifying the Target Method

Many apps use `java.io.File.exists()` to check for the presence of root binaries like `/system/bin/su`. We can use `frida-trace` to monitor API calls or analyze the app’s code (static analysis) to find these checks. For this example, we assume `File.exists()` is being used.

Developing the Frida Script (bypass-root.js)

Create a file named `bypass-root.js` with the following content:

Java.perform(function() {    console.log("[*] Initiating root detection bypass...");    // Hook java.io.File.exists()    var File = Java.use("java.io.File");    File.exists.implementation = function() {        var path = this.getAbsolutePath();        console.log("[+] File.exists() called for: " + path);        var rootIndicators = [            "/system/app/Superuser.apk",            "/sbin/su",            "/system/bin/su",            "/system/xbin/su",            "/data/local/xbin/su",            "/data/local/bin/su",            "/system/sd/xbin/su",            "/system/bin/failsafe/su",            "/data/local/su",            "/su/bin/su",            "/system/xbin/daemonsu"        ];        if (rootIndicators.indexOf(path) > -1) {            console.log("[*] Root indicator detected: " + path + ". Returning false.");            return false; // Lie about the file existing        }        return this.exists(); // Call the original method for other files    };    // Hook java.lang.Runtime.exec() for direct command execution    var Runtime = Java.use("java.lang.Runtime");    Runtime.exec.overload('java.lang.String').implementation = function(cmd) {        console.log("[+] Runtime.exec() called with: " + cmd);        if (cmd.indexOf("su") > -1 || cmd.indexOf("which su") > -1) {            console.log("[*] Command with 'su' detected. Blocking execution.");            // Return a dummy process that indicates failure or non-root            return null; // Or throw an exception for robustness        }        return this.exec(cmd);    };    // Hook android.os.SystemProperties.get() for property checks    var SystemProperties = Java.use("android.os.SystemProperties");    SystemProperties.get.overload('java.lang.String').implementation = function(key) {        // console.log("[+] SystemProperties.get() called for key: " + key); // Too verbose        switch(key) {            case "ro.secure":                console.log("[*] ro.secure check detected. Returning '1' (secure).");                return "1";            case "ro.build.tags":                console.log("[*] ro.build.tags check detected. Returning 'release-keys'.");                return "release-keys";            case "ro.build.type":                console.log("[*] ro.build.type check detected. Returning 'user'.");                return "user";            default:                return this.get(key);        }    };    // You can also hook PackageManager to spoof installed packages, etc.    console.log("[*] Root detection bypass script loaded successfully.");});

Executing the Bypass

Now, run the target application with Frida, injecting our bypass script. Replace `com.example.app` with the actual package name of the app you want to test.

frida -U -l bypass-root.js -f com.example.app --no-pause

• -U: Connects to a USB device.
• -l bypass-root.js: Loads our JavaScript script.
• -f com.example.app: Spawns (launches) the specified application.
• --no-pause: Tells Frida to start the process immediately after injection without pausing.

As the app runs, you’ll see messages in your console indicating when `File.exists()`, `Runtime.exec()`, or `SystemProperties.get()` are called and when the bypass logic intervenes. The application should now behave as if it’s running on a non-rooted device, even if the device is rooted.

Advanced Bypass Techniques

While the above script handles many common cases, sophisticated apps employ more advanced root detection.

Bypassing Native Checks

Some applications implement root detection in native libraries (C/C++). Frida can also hook native functions using `Module.findExportByName()` and `Interceptor.attach()`. This requires reverse engineering the native library to identify the relevant functions.

Example (conceptually):

Interceptor.attach(Module.findExportByName("libfoo.so", "is_device_rooted"), {    onEnter: function(args) {        console.log("[*] Native is_device_rooted() called.");    },    onLeave: function(retval) {        console.log("[*] Native is_device_rooted() original return: " + retval);        retval.replace(0); // Force return 0 (false)        console.log("[*] Native is_device_rooted() modified return: 0");    }});

Evading Anti-Frida Measures

Some apps try to detect Frida by looking for the `frida-server` process, checking for loaded Frida libraries, or monitoring system calls. Bypassing these requires more advanced techniques like:

• Renaming `frida-server`.
• Obfuscating Frida scripts.
• Using Frida-Gum stealth mode.
• Hooking anti-Frida checks themselves.

Conclusion

Frida is an incredibly powerful and versatile tool for dynamic analysis and runtime manipulation of Android applications. By understanding common root detection mechanisms and leveraging Frida’s hooking capabilities, penetration testers can effectively bypass these security controls. This tutorial provides a solid foundation for tackling root detection, but remember that application security is an arms race. Continuously evolving detection techniques require equally evolving bypass strategies, often blending dynamic analysis with static reverse engineering for comprehensive results.