Introduction to Android Root Detection and Bypassing

Android applications often implement root detection mechanisms to prevent their execution on rooted devices. This is typically done for security reasons, such as protecting sensitive data, preventing cheating in games, or enforcing DRM. However, for security researchers, penetration testers, and legitimate users, bypassing these checks is crucial for analyzing app behavior, performing vulnerability assessments, or simply using an application on their preferred device setup.

Frida is a powerful dynamic instrumentation toolkit that allows developers and security professionals to inject custom scripts into running processes. It’s incredibly versatile, supporting various platforms including Android, and enables real-time interaction with an application’s code, memory, and runtime environment. This guide will delve into practical techniques for identifying and bypassing common Android root detection methods using Frida.

Understanding Common Android Root Detection Methods

Android applications employ a variety of techniques to detect root access. Knowing these methods is the first step towards an effective bypass strategy. Common checks include:

• File and Directory Existence Checks: Looking for files or directories commonly associated with root environments, such as /system/bin/su, /system/xbin/su, /sbin/su, /data/local/tmp/su, /system/app/Superuser.apk, /data/app/com.topjohnwu.magisk (for Magisk), etc.
• Command Execution Checks: Attempting to execute the su command and checking its exit status or output. This might be done via Runtime.exec() or ProcessBuilder.
• Package Management Checks: Looking for known root management applications (e.g., Magisk Manager, SuperSU) installed on the device using PackageManager.
• Test-Keys Check: Examining the build tags (android.os.Build.TAGS) for the string “test-keys,” which often indicates a custom or rooted ROM.
• Permissions Checks: Attempting to write to system directories (e.g., /system) that are usually read-only on unrooted devices.
• Native Library Checks: More sophisticated apps might use native code (JNI) to perform root checks, such as calling C functions like access() or stat() to verify file existence or permissions, or detecting debuggers.

Setting Up Your Frida Environment

Before we begin hooking, ensure you have Frida set up correctly:

Prerequisites:

• A rooted Android device or emulator.
• ADB (Android Debug Bridge) installed and configured on your host machine.
• Python 3 and pip installed on your host machine.

Installation Steps:

1. Install Frida-tools on your host machine:

   pip install frida-tools

2. Download Frida-server for your Android device:
   Determine your device’s architecture (e.g., arm64, arm, x86) by running adb shell getprop ro.product.cpu.abi. Then, download the corresponding frida-server release from the Frida GitHub releases page. For example, frida-server-*-android-arm64.

3. Push and run frida-server on your device:

   adb push /path/to/frida-server /data/local/tmp/frida-server
   adb shell "chmod 755 /data/local/tmp/frida-server"
   adb shell "/data/local/tmp/frida-server &"

4. Set up ADB port forwarding (optional, but recommended):

   adb forward tcp:27042 tcp:27042

   This allows Frida clients on your host to communicate with the server on the device.

Frida Basics for Android Hooking

Frida scripts are written in JavaScript and interact with the Dalvik/ART runtime. Key concepts include:

• Java.perform(function() { ... });: Ensures that your script runs within the context of the Java VM.
• Java.use('com.example.ClassName');: Obtains a wrapper for a specific Java class, allowing you to interact with its methods.
• implementation: function() { ... };: Used to override a method’s behavior. Inside this function, this refers to the instance of the object, and this.methodName(...) can be used to call the original method.
• Java.choose(): Allows enumerating and interacting with existing instances of a class.

Bypassing Common Root Checks with Frida Hooks

Let’s look at practical examples for bypassing the root detection methods mentioned earlier.

1. Bypassing File/Directory Existence Checks

Many apps check for the presence of su binaries or Magisk directories. We can hook java.io.File.exists() and related methods.

Java.perform(function () {
    var File = Java.use('java.io.File');
    var commonRootPaths = [
        "/system/app/Superuser.apk",
        "/sbin/su",
        "/system/bin/su",
        "/system/xbin/su",
        "/data/local/su",
        "/data/local/bin/su",
        "/data/local/xbin/su",
        "/magisk", // Magisk directory
        "/system/etc/init.d/99superuser",
        "/system/bin/.ext/.su",
        "/system/usr/we-need-a-su-ABI"
    ];

    File.exists.implementation = function () {
        var path = this.getAbsolutePath();
        // console.log("File.exists(" + path + ") called.");
        if (commonRootPaths.indexOf(path) !== -1) {
            console.log("Frida: Bypassing File.exists() for root path: " + path);
            return false;
        }
        return this.exists.apply(this, arguments);
    };

    // Hooking 'canExecute' and 'isDirectory' might also be necessary
    File.canExecute.implementation = function() {
        var path = this.getAbsolutePath();
        if (commonRootPaths.indexOf(path) !== -1) {
            console.log("Frida: Bypassing File.canExecute() for root path: " + path);
            return false;
        }
        return this.canExecute.apply(this, arguments);
    };

    File.isDirectory.implementation = function() {
        var path = this.getAbsolutePath();
        if (commonRootPaths.indexOf(path) !== -1) {
            console.log("Frida: Bypassing File.isDirectory() for root path: " + path);
            return false;
        }
        return this.isDirectory.apply(this, arguments);
    };
});

2. Intercepting Runtime.exec() Calls

Apps often try to execute su directly. We can hook Runtime.exec() and prevent it from running root-related commands.

Java.perform(function () {
    var Runtime = Java.use('java.lang.Runtime');

    Runtime.exec.overload('java.lang.String').implementation = function (command) {
        if (command.includes("su") || command.includes("which su")) {
            console.log("Frida: Bypassing Runtime.exec() for root command: " + command);
            // Return a dummy process that indicates no root, or throw an exception
            // For simplicity, we can just return null or an empty array of bytes
            return null;
        }
        return this.exec.apply(this, arguments);
    };

    Runtime.exec.overload('[Ljava.lang.String;').implementation = function (cmdarray) {
        var command = cmdarray[0];
        if (command.includes("su") || command.includes("which su")) {
            console.log("Frida: Bypassing Runtime.exec() for root command array: " + cmdarray.join(" "));
            return null;
        }
        return this.exec.apply(this, arguments);
    };

    // Also handle ProcessBuilder if used
    var ProcessBuilder = Java.use('java.lang.ProcessBuilder');
    ProcessBuilder.$init.overload('java.util.List').implementation = function (commandList) {
        var command = commandList.get(0);
        if (command && (command.includes("su") || command.includes("which su"))) {
            console.log("Frida: Bypassing ProcessBuilder for root command: " + commandList.toString());
            // Modify the command to something harmless or throw
            var newCommandList = Java.use('java.util.ArrayList').$new();
            newCommandList.add('/system/bin/id'); // Replace with a harmless command
            return this.$init.overload('java.util.List').call(this, newCommandList);
        }
        return this.$init.overload('java.util.List').call(this, commandList);
    };
});

3. Bypassing Package/App Checks

Apps might check for the presence of root management apps like Magisk Manager or SuperSU.

Java.perform(function () {
    var PackageManager = Java.use('android.content.pm.PackageManager');
    var ApplicationInfo = Java.use('android.content.pm.ApplicationInfo');
    var PackageInfo = Java.use('android.content.pm.PackageInfo');

    var rootPackages = [
        "com.topjohnwu.magisk",
        "eu.chainfire.supersu",
        "com.noshufou.android.su",
        "com.koushikdutta.superuser"
    ];

    PackageManager.getPackageInfo.overload('java.lang.String', 'int').implementation = function (packageName, flags) {
        if (rootPackages.indexOf(packageName) !== -1) {
            console.log("Frida: Bypassing getPackageInfo for root package: " + packageName);
            // Return a dummy PackageInfo object or throw NameNotFoundException
            // Returning null might crash the app, better to return a benign dummy object
            var dummyPackageInfo = PackageInfo.$new();
            dummyPackageInfo.packageName.value = packageName;
            dummyPackageInfo.applicationInfo.value = ApplicationInfo.$new();
            dummyPackageInfo.applicationInfo.value.flags.value = 0; // Set flags to non-system, non-debug
            return dummyPackageInfo;
        }
        return this.getPackageInfo.apply(this, arguments);
    };

    // You might also need to hook getApplicationInfo, getInstalledPackages, getInstalledApplications
    // depending on how the app checks.
});

4. Bypassing Build.TAGS Check

This is less common but can be bypassed by overriding the static field.

Java.perform(function () {
    var Build = Java.use('android.os.Build');
    Build.TAGS.value = "release-keys"; // Standard non-test keys
    console.log("Frida: Modified Build.TAGS to: " + Build.TAGS.value);
});

5. Generic Application-Specific Root Detection Methods

Often, applications will have their own custom root detection logic, potentially within a specific class (e.g., com.app.security.RootChecker) and method (e.g., isDeviceRooted()). The most effective bypass involves identifying these methods via decompilation (e.g., with Jadx or Ghidra) and directly hooking them to return `false`.

For example, if an app has a method `com.example.myapp.RootDetectionUtil.isRooted()`:

Java.perform(function () {
    var RootDetectionUtil = Java.use('com.example.myapp.RootDetectionUtil');

    RootDetectionUtil.isRooted.implementation = function () {
        console.log("Frida: Hooked com.example.myapp.RootDetectionUtil.isRooted() and returning false.");
        return false;
    };
});

Running Your Frida Script

To inject your script, save it as a .js file (e.g., `bypass.js`) and run:

frida -U -f com.your.package.name -l bypass.js --no-pause

-U: Connects to a USB device.
-f com.your.package.name: Spawns the application.
-l bypass.js: Loads your JavaScript file.
--no-pause: Starts the app immediately after injection.

Advanced Considerations

• Obfuscation: Apps often use ProGuard or DexGuard to obfuscate code, making class and method names cryptic (e.g., a.b.c.d()). Decompilers with deobfuscation capabilities are essential here. Frida can still hook obfuscated methods once identified.
• Anti-Frida Measures: Some applications attempt to detect Frida by looking for the frida-server process, specific shared libraries, or Frida-related memory patterns. Bypassing these requires more advanced techniques like modifying `frida-server` or using custom loaders.
• Native Root Detection: Root checks implemented in C/C++ native libraries (JNI) are harder to hook with Java-side Frida. You’d need to use Frida’s `Interceptor.attach()` to hook native functions like `access`, `stat`, `fopen`, etc., and modify their return values. This requires understanding ARM/ARM64 assembly and system calls.

Conclusion

Frida is an indispensable tool for dynamic analysis and bypassing various security controls on Android, including root detection. By understanding common root detection strategies and leveraging Frida’s powerful instrumentation capabilities, you can effectively circumvent these checks for legitimate security research, penetration testing, and debugging purposes. Always remember to use these techniques responsibly and ethically.