In this video we're going to take a look at two different methods we can use to bypass root detection on Android devices. The first is a dynamic approach using Frida, and the second is a static approach: patching the APK using apktool.

Okay, so I know I keep saying that we're going to look at some ways to bypass authentication on the app, but I decided to restructure the series a little bit, just because the previous episode was looking at how we could root Android devices. We used the rootAVD project, which uses Magisk, and also the SuperSU app to root the device, but it was still showing that the device was not rooted whenever we ran the insecure app. So we looked into the code and found that the checks that were being done were quite simple. One of them was checking for this Superuser.apk, and whenever we installed Superuser it gave it a different APK name; it had some letters and numbers after it, so that wasn't coming back as true. The other check is doesSUexist, and this function will call which on su and basically return true if that finds something. However, it was originally using /system/xbin/which, which is where the which binary used to be on Android devices, so that was also failing, which basically meant that the root detection was already broken. So at the end of the last video we patched the APK and actually fixed it; you can see here this is now /system/bin/which, so this will come back true, and it is doing that right now: it says the device is rooted, and that's because of this check.

The other reason I decided to do this video now is because it's a good demonstration of the use of Frida, whereas the authentication bypass isn't. So we'll start off with that, and we'll start off with Frida, because we did do the APK patching in the previous video.

I've already got a few windows open, so let me just go through this. We've got the app running in the background (if you check the first or the second video, we went through how to set up the insecure app). In the second
tab I have Android Studio open, I believe. Yep, that's Android Studio running, and that's where the Android virtual device is. Then in the next tab I've got MobSF, the Mobile Security Framework, running, and also jadx-gui, which you'll notice I also managed to change the theme on: you can go to File, Preferences and then change the theme. I think it's looking a lot nicer as it is now.

The reason I have MobSF open (we looked at this briefly in the first episode, I believe) is that there are quite a lot of features on the static and dynamic analyzer, which we'll look at in a future video, but the main reason I have it open is because we've got Frida built in. So you can see there are Frida scripts here; we've got some default ones, we've got a Frida code editor, and then some available scripts down here as well. We have the Frida logs that we can access in here, and you can see I'm currently showing the screen, so this has basic functionality, but we can actually use the emulator here and then we'll see things happening on the screen on the other side.

So the first thing we could do here is just try to start instrumentation. This is going to run Frida, but we don't have anything selected and our function isn't doing anything there either, but that's going to run. We could have a look in the background as well and see what's happening with our output. That's jadx, but we have our MobSF here. All right, nothing of interest. And there we go, we can go to autofill credentials, because we've already logged in, and the device shows it's rooted. But notice we have this root detection bypass built in, so let's try and tick that first of all and then just start instrumentation again. The device will reload; we'll also fill credentials and log in, and now it says the device is not rooted. So that was an easy bypass, right? It works with the built-in default script, and we didn't even need to install Frida or worry about any of that stuff.

Another way we could do that: let's untick this and let us modify this
code in the code editor. So you could select one of these scripts and try to load it; actually, that's what we already had, let's do another one. There we go. All right, so you can get some templates up and maybe modify some of these. I'm going to paste one in, and this is a very basic function. You can see that it's going to basically hook PostLogin, and it's particularly looking for this function, doesSUexist, and it's going to override that function and basically just print out "root bypass" to the console and then return false.

So if we go back to the code, we'll see that the doesSUexist function at the moment basically runs through: it's going to call which on the su binary, and then it's going to go through and either return true if this comes back as true (so it does find su) or false if it doesn't. What we basically want to say is: override this function and don't do anything in here; we don't care what code's in here. What we want it to do is just return false. We don't need to worry about the Superuser APK, because that one wasn't returning true previously anyway, and actually I'm using the rootAVD project with Magisk now; I'm not actually using a Superuser APK at all.

So let's go back to our dynamic analyzer. We've got the root detection bypass turned off here, so we'll do start instrumentation again, and we'll go back to our emulator, wait for it to boot up and log in, and we'll see the device is not rooted now. Obviously this isn't a very sophisticated root bypass, because the root detection isn't very sophisticated, as we found out previously. So if we were actually dealing with a real device we might want to use a script like this, which is a generic anti-root Frida script that will deal with a lot of checks, and we're going to give this a go. In fact we could give this a go in our editor there as well. Let me take a copy of this, paste it in here and start instrumentation. We'll log in again, and it says the device is not rooted, so that works, but
we're doing all this through MobSF. So what if you're not using MobSF? What if you just want to use Frida manually? Let's take a look at that now. You can load Frida through Python scripts or you can use it through the command line. In future we'll be looking at some Python scripts, so today let's just take a look at the command line.

The first thing I'm going to do is just create a script.js. This is basically the script that we want to load; this is going to hook that function. It's just the same one that we just used previously, we're just doing it a different way, and we'll save that. What you also want to do here is be very careful to remove some of these things: whenever I was doing this originally I forgot to remove the root CA or unset the HTTPS proxy. I'm not sure which of these was the issue, but if you don't do that you'll never be able to log in with the app again.

Another thing to mention is I also had some issues, so I don't actually have Frida installed at the moment. If I do pip install frida, it will install the current version, and that was also because whenever I had the latest version of Frida installed, MobSF's Frida didn't work, even though it's using a virtual environment. I should really be using a virtual environment for the Frida package, but yeah, I messed up my Python configuration a long time ago, as often happens, and haven't sorted it out. So that's Frida installed anyway. You also need to do pip install frida-tools, which I already have installed, and then you need to make sure Frida is on the device as well. So just go to the Frida GitHub and you have the releases here; show all assets and then scroll down and try and find what you're looking for. It's the frida-server that you need to put on the device, and you need to match your architecture. So we're using Android and 64-bit, so we'll download that to the desktop and then extract it. I've got an alias set up for extract which just deals with a lot of different formats, so I don't
have to remember the syntax of all these various programs. This will basically just extract any of these types, so I'm going to use that: extract, and then the Frida archive. It'll also delete the original archive as well. I'm going to move the binary to just be frida-server, and now we need to upload it. So we can do adb push, and then we're pushing frida-server, and then where do we want to put it? I'm going to put it in /data/local/tmp. Looking good. adb shell, there we go, we're already root, so that's good; make sure you have that little hash. Then we'll go to /data/local/tmp, we'll change the permissions to 755 on frida-server, and that should be it. We should just be able to run frida-server now. Let's try and run it, and it says the address is already in use. Okay, I need to exit MobSF, that's one thing I forgot to do; let me exit that and let's try that again. All right, looking better. So you don't see any feedback, but it is running now.

Let's just go back to our emulator as well. We need to unlock the app, I believe, or actually turn it on, so we'll enter our PIN, and there we go, the device is booted. Now let us try and run frida-ps -U (capital U), and this should basically come back with a list of the apps on the device. And notice that it doesn't; it just kind of freezes there. Originally I was trying to do this with a Python script and I was having a similar problem, where it basically just wasn't able to connect. The command that we should be running here is frida -U -f and then the insecure bank package, and then -l with the name of the script we want to run. Let's try that as well, and we'll see some more feedback: it's saying spawning, but we'll never actually see any connection. The frida-server just hangs, and this will eventually time out.

So I spent quite a bit of time troubleshooting this as well. I eventually found an issue on GitHub, which I'm going to bring up; basically a lot of people having the same issue, a "failed to spawn" error where spawning times out, and a lot
of people experience the same thing, and eventually find out that, okay, it's actually been failing since 16.0.3. So that seems to be the workaround: basically downgrade to 16.0.3, and then you also need to use frida-tools 12.0.4. So let's give that a go. First thing we'll need to do is pip uninstall frida, and then we'll need to do the same with the tools, and we also need to purge the cache to stop it from reinstalling the cached version. So we'll uninstall both, and then we'll do pip install frida==16.0.3. And then, did I clear the cache or didn't I? Okay, it downloaded the correct one anyway. Let me do pip cache purge, because I know it will do that with frida-tools, and we'll do that as 12.0.3. All right, so that installs.

Now if we try and run this again, just run the exact same thing; in fact we'll do the frida-ps -U. Not looking good. Let's try and do our actual command again, and again it's just stuck on spawning. So the other thing that we didn't do is fix the frida-server version, so let's go back to our releases. Let us go and download the relevant release, so 16.0.3. You can let me know in the comments, by the way; I don't know much about Frida, so maybe there's some workaround I'm not aware of. But we'll go to 16.0.3, Android... oh, this is a devkit. Now we're going to server 16.0.3, Android x86_64.
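Before pushing the server, here is the manual workflow from this part of the video collected into one script. This is an added example, not code from the video or from the Frida project: it derives the frida-server release asset name from the host's frida version so that both sides are the same release (the mismatch behind the spawn timeout), pushes it to /data/local/tmp, writes the script.js hook and spawns the app under it. The package name com.android.insecurebankv2, the class com.android.insecurebankv2.PostLogin with its methods doesSUexist and doesSuperuserApkExist, the x86_64 emulator and the list of su paths in the hook are assumptions for this target; adjust them for yours.

```shell
#!/bin/sh
# Added example, not the video's own commands. Assumed (hypothetical, adjust to your target):
# an x86_64 emulator, frida-tools on the host, package com.android.insecurebankv2 and the
# class/method names used in the hook below.
set -e

PKG="${PKG:-com.android.insecurebankv2}"
ARCH="${ARCH:-x86_64}"
DEV_DIR=/data/local/tmp

# Name of the release asset under https://github.com/frida/frida/releases for a version/arch,
# e.g. frida-server-16.0.3-android-x86_64.xz. Pinning the server to the host's frida version
# avoids the "spawning ... timed out" hang described above.
frida_server_asset() {
  printf 'frida-server-%s-android-%s.xz\n' "$1" "$2"
}

# Host-side frida version (the pip package), so the server we push is the same release.
host_frida_version() {
  frida --version
}

# Write the hook script. The two app-specific checks are forced to false, and a generic
# java.io.File.exists hook hides common su locations (the sort of check the CodeShare
# anti-root script covers more broadly). Paths are an assumed list, not from the video.
write_hook_script() {
  cat > "$1" <<'EOF'
Java.perform(function () {
  var PostLogin = Java.use('com.android.insecurebankv2.PostLogin');   // assumed class name
  PostLogin.doesSUexist.implementation = function () {               // assumed method name
    console.log('[bypass] doesSUexist -> false');
    return false;
  };
  PostLogin.doesSuperuserApkExist.implementation = function () {     // assumed method name
    console.log('[bypass] doesSuperuserApkExist -> false');
    return false;
  };
  var suPaths = ['/system/bin/su', '/system/xbin/su', '/sbin/su',
                 '/system/app/Superuser.apk', '/data/local/tmp/su'];
  var File = Java.use('java.io.File');
  File.exists.implementation = function () {
    var p = this.getAbsolutePath();
    if (suPaths.indexOf(p) !== -1) { console.log('[bypass] hiding ' + p); return false; }
    return this.exists();   // fall through to the original for everything else
  };
});
EOF
}

# Download the matching server, push it and start it detached. MobSF's own instrumentation
# also starts a frida-server on the same port; stop it first or the bind fails (address in use).
push_server() {
  ver="$(host_frida_version)"
  asset="$(frida_server_asset "$ver" "$ARCH")"
  curl -fsSLO "https://github.com/frida/frida/releases/download/$ver/$asset"
  xz -d -f "$asset"
  adb push "${asset%.xz}" "$DEV_DIR/frida-server"
  adb shell "chmod 755 $DEV_DIR/frida-server && $DEV_DIR/frida-server -D"
}

# Spawn the app with the hook loaded, then log in on the emulator.
run_bypass() {
  write_hook_script script.js
  frida -U -f "$PKG" -l script.js
}

if [ "${1:-}" = "run" ]; then
  push_server
  run_bypass
fi
```

Run it as `sh frida_root_bypass.sh run` from a shell where `adb devices` already lists the emulator; if `frida --version` and the server on the device ever disagree, `frida-ps -U` hanging is the first symptom.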
Then I'm going to just extract it again: extract frida, and move the frida-server binary to frida-server. I'm going to go back to the Android device; we'll cancel this, what is it, Ctrl-D, Ctrl-Z? Okay, in fact let me close this down. I'm going to push that again, adb shell again, cd /data/local/tmp. It kept its permissions, that's fine, so we'll just try and run frida-server again. Permission denied, okay, sorry: 755 on frida-server, there we go. All right, it's running. Let's try this again. So we're just trying to run the script, and notice it works straight away. So let's go to our emulator; the emulator is there. Can we autofill? Yes. Login, "root bypass", notice that popped up, so the device is not rooted. So we could literally just close this down, go back to our emulator, go back, log in again: device is rooted. Run the script, go back, log in: device is not rooted. And we can do the same thing with the generic bypass that we got. If we go to Frida CodeShare again, paste this in, save it; this is one that will work against more reliable root detection methods. So run again, Android emulator, log in, and notice that it will bypass those checks.

Okay, so that's the dynamic approach; that's how we can use Frida to hook the function so that every time that function is called it's overwritten with the function that we provide. Another way that we can do this is by patching the APK, and that's how we actually fixed the root detection, so if you already saw that, we're not really going to do anything different in this case, but for demonstration purposes let's have a go anyway. Let us decompile the app again. So I'm going to copy the InsecureBank APK over to the desktop; I'm going to decompile it with apktool d and then pass that in. It's going to create a folder with all the decompiled code, which we can go and reverse engineer. So this is turning it into the smali files. Remember that we have our Java, our high-level language; we have our DEX files, the Dalvik bytecode, which is the low level; and then we have the intermediary,
basically like assembly code, which is the smali, which we can go and modify. And here we go, we've got it: InsecureBank. Let's go in there, let's open up this directory in VS Code so we can have a look through it. Go into smali, android, no, com/android, and we go and find the function that we're interested in; I believe it was PostLogin. We can go and search for what we're interested in here; I think it was which, well, I know it was which, and this was a string. When we changed this from xbin to bin, that's what fixed it, so we could simply change it back and that will break the root detection, or bypass it. Another thing we could do is change the su: so instead of it calling which on su, it could just call it on some random name that's not going to come back as true. And there are various ways we could do this. We could go and look for the conditions, so we could have it so it always returns true; we could also just change the if/else statement, which is normally a very easy way for these condition bypasses. Lots of different ways we can do it. Let us save that, and I'll minimize this.

We'll rebuild it. So the problem is, if you try to rebuild this with the apktool that comes installed on Parrot, and maybe on Kali as well, we do apktool build and then, in fact, sorry, let me go back a directory: apktool build and then pass in that folder, and let's see what error we get, because it's using this dirty version. And yeah, we get this error, so we have to go and download the latest version. So I'm going to go and do that now: download this jar, apktool 2.7.0, and then we can just run this again, but we'll replace the name with java -jar and then the apktool jar. It's going to build it and it's going to put the result right here; so don't forget this, I often forget this and then just reinstall the same APK. So I'm going to copy that here and that is going to be our new APK. The only problem is it's not signed, so if you try to install this it's not going to work. So what I'm going to
do is paste in a command. The first thing we need to do is generate this keystore, so a very basic command: keytool -genkey, the keystore name, the alias, and then the algorithm that we want to use. It asks us for passwords; just put that in. I'm going to use integrity, and then we have to put in some details here as well; we can just leave these blank, but just make sure that you do say yes at the end. And there we go, that's generated. Next up is actually signing the APK, so I'm going to clear that and paste this in: jarsigner, we're using the keystore that we just created, we're using it against the APK we just created, and the alias is integrity. We enter our passphrase, which is integrity, and there we go, it's self-signed, that's fine, we don't care.

Let's go and install it. We need to uninstall the current version, so a couple of ways you can do this: you can do it through the actual phone, which I'm doing right now, or you can do it with adb. Go to find... that's it, uninstalled. Let's... no, it's not. All right, that's it uninstalled. Let us now install the new one, so adb install bank... I hate the way it doesn't give you autocomplete when I do this, so you always have to redo it or type it in manually. adb install, paste that in, it installs, and now if we go and try to log into it: autofill, oh, I've got to redo this, okay, enter the credentials, bearing in mind I changed mine so they won't be the same as the default login. Now we have to do all the server stuff again, just put in your local IP, submit, log in, and the device is not rooted. Let's just make sure we're not still running the... all right, so we're not running that, but it doesn't matter anyway, because the check wouldn't come back as true. And in fact, if you actually run that, let's try and run it, and autofill, login, there we go. All right, so it didn't find anything for the Superuser APK, but it didn't even mention the other one. Remember up here it said bypass /system/bin/which su; it's not even trying to bypass it now, because we already
patched the APK, so that's no longer an issue.

Okay, so that's two different ways we can bypass root detection on an Android device. The first was a dynamic approach, by hooking the function and then replacing it with something else using Frida; the second was patching the APK using apktool. So that's just showing there are different ways of doing things and different tools that we should be familiar with.

So you can see I'm over on the Intigriti website at the moment, just encouraging you to sign up and check out some of the programs. We do have programs with APKs, and they generally get less attention than web-based programs, partially because people just aren't familiar with the tools that are required and setting them up, and hopefully these videos will help. Anyway, I hope you've enjoyed this video. As ever, if you have any questions or comments, leave them down below. Thanks.
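The static approach above (decode with apktool, edit the smali, rebuild, sign, reinstall) collected into one script. This is an added example, not the video's own commands: rather than reverting the which path it renames the "su" const-string in the smali, so the check fails whichever which path the build uses. The APK file name, a current apktool jar at ./apktool.jar, the smali path smali/com/android/insecurebankv2/PostLogin.smali, the package name com.android.insecurebankv2 and the throwaway keystore name and password are all assumptions to adjust for your environment.

```shell
#!/bin/sh
# Added example, not from the video. Assumed (hypothetical, adjust as needed):
#   APK      - the InsecureBankv2 APK to patch
#   APKTOOL  - a recent apktool jar (the distro copy failed to rebuild in the video; 2.7.0 worked)
#   SMALI    - where the doesSUexist check lives inside the decoded tree
#   PKG      - the app's package name, needed to uninstall the original build
set -e

APK="${APK:-InsecureBankv2.apk}"
APKTOOL="${APKTOOL:-apktool.jar}"
WORK="${WORK:-InsecureBankv2}"
PKG="${PKG:-com.android.insecurebankv2}"
SMALI="smali/com/android/insecurebankv2/PostLogin.smali"
KEYSTORE="${KEYSTORE:-patch.keystore}"
ALIAS="${ALIAS:-patch}"
PASS="${PASS:-patchpass}"   # throwaway signing key for a local build, not a release key

# Rename the binary the app asks `which` for, so the lookup returns nothing and doesSUexist
# falls through to "return false". A pure text edit on the smali const-string line, so it
# works whether the which path is /system/bin or /system/xbin. Prints the number of sites patched.
patch_su_string() {
  f="$1"; newname="${2:-nosuchbinary}"
  [ -f "$f" ] || { echo "smali file not found: $f" >&2; return 1; }
  sed -i.bak "s/^\([[:space:]]*const-string[^ ]* [vp][0-9]*, \)\"su\"/\1\"$newname\"/" "$f"
  grep -c "\"$newname\"" "$f"
}

# Decode, patch, rebuild, sign (a v1 jarsigner signature, as in the video) and reinstall.
rebuild_and_install() {
  java -jar "$APKTOOL" d -f -o "$WORK" "$APK"
  patch_su_string "$WORK/$SMALI"
  java -jar "$APKTOOL" b "$WORK" -o "$WORK-patched.apk"
  if [ ! -f "$KEYSTORE" ]; then
    keytool -genkey -v -keystore "$KEYSTORE" -alias "$ALIAS" -keyalg RSA -keysize 2048 \
      -validity 10000 -storepass "$PASS" -keypass "$PASS" -dname "CN=patch"
  fi
  jarsigner -keystore "$KEYSTORE" -storepass "$PASS" -keypass "$PASS" \
    -sigalg SHA256withRSA -digestalg SHA-256 "$WORK-patched.apk" "$ALIAS"
  # The patched build is signed with a different key than the installed one, so it cannot be
  # installed as an update; remove the original first (ignore failure if it is not installed).
  adb uninstall "$PKG" >/dev/null 2>&1 || true
  adb install "$WORK-patched.apk"
}

if [ "${1:-}" = "run" ]; then
  rebuild_and_install
fi
```

Run it as `sh patch_root_check.sh run`; calling patch_su_string on its own against a decoded tree and checking that it reports at least one site is a quick way to confirm the edit landed before waiting on a rebuild. jarsigner only produces a v1 signature; for builds that target newer API levels use apksigner from the Android build-tools instead, which adds the v2/v3 signatures those targets require.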