Whitepaper | Jan, 2019

Root & Jailbreak Detection Bypass in Mobile Apps

Introduction:

Have you ever wondered whether it is worthwhile to perform procedures such as rooting or jailbreaking on your mobile device? Rooting and jailbreaking are two names for essentially the same capability; the only difference is that the former applies to Android and the latter to iOS. Obvious caveats aside, it gives you complete administrator rights on the device, allowing third-party programs to perform operations that were not originally available to them, such as controlling the CPU clock speed or overwriting system files.

Many applications consider rooting/jailbreaking a security threat and refuse to run on an unlocked device. Many MDM (Mobile Device Management)-class applications fall under this category; these applications let users review work documents and email on a private smartphone. In fact, most mobile applications from secure domains such as banking have their features disabled on rooted devices. While it is good practice to introduce this security control, more often than not, penetration testing or security testing of Android and iOS applications requires rooted/jailbroken devices, handled of course ethically.

On Android, a rooted device provides shell access with root (administrator) privileges, enabling the testing of vulnerabilities such as insecure storage of credentials or database files. Other vulnerabilities, including improper export of application components such as services or activities, are verified through Drozer, which requires the device to be rooted.

Besides this, the emulators and virtual devices used for testing, such as the Android Studio virtual device or Genymotion, are rooted by default, which enables security testing of Android applications.

So, to restrict an attacker from investigating the application, the best practice is to incorporate a root detection policy wherein the application detects, through various methodologies, whether the device is rooted. The application then refuses to open after being installed, citing an error message that the device is in root mode.

For iOS applications, an SSH connection to the device is required to access the application data, and this connection is only possible on jailbroken devices. This facilitates the testing of vulnerabilities like insecure data storage or application component export. Applications that detect jailbroken devices will not open and throw a similar error message.

But as security researchers, we always look for ways to bypass such limitations so that we can assess the application thoroughly and speed up the testing process. Here we list a few methods to bypass root detection/jailbreak detection and run the applications on rooted/jailbroken devices.


ANDROID (ROOT DETECTION BYPASS)

Pre-requisites – A rooted Android device supporting the version of the application to be tested, an application that detects rooted devices and whose apk has obfuscated code and allows rebuilding, Magisk Manager, Apktool, Sign-master.

Method 1: Rebuilding APK by removing detection code [Tested on Android 6.0]

1. Install the application on a rooted device and try opening it. The application generally throws an error message. In our case it was: “Application will not support in rooted devices!” The application exited after throwing this error message.

2. The next step is to decompile the application using apktool and observe the smali files.

A folder with the name test will be created in the same folder where apktool is installed. (We renamed it to apk.)

3. Open these files in Notepad and manually search for the error message.

In our case, we found the error message in RootUtil.


4. View the logic of the file and modify it to bypass the error message.

(Note: Deleting the entire root validation function, or the functions it calls or that call it, will cause the application to crash as soon as we install and open it.)

Observing the functions carefully:

There are several methods to detect whether the device is rooted or not.


These methods are invoked by another method, and each returns a value based on what it detected.

Based on the output of the various root-detecting methods, a binary condition specifies whether the device is rooted (represented by 1) or not (represented by 0).

If we reverse the condition value, we can simply bypass the root detection, since the condition that was true is now false.


So, change “cond_1” to “cond_0” (do the opposite if the value is initially 0) in the top four of the invoked methods in the “isDeviceRooted” method.

5. Save the smali file and rebuild the apk using apktool.

6. The next step is to sign the apk before installing it on the rooted device. For this we used the open-source sign-master tool.

7. Install the newly created apk on the rooted device, and root detection will be bypassed!
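As an added illustration (not code from the whitepaper or from the application it tested), here is a root-detection class of the shape the steps above describe: several independent detection methods feeding one aggregating isDeviceRooted decision. The class and method names are assumptions, and the su paths are well-known locations rather than values taken from the paper.

```java
import android.os.Build;
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
// Illustrative root-detection class in the shape the whitepaper describes
// (class and method names are assumptions, not the tested app's code).
public final class RootUtil {
    // Well-known filesystem locations where a su binary is installed on rooted devices.
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/system/sd/xbin/su", "/data/local/xbin/su", "/data/local/bin/su"
    };
    // Check 1: build signed with AOSP test keys, typical of custom ROMs.
    static boolean hasTestKeys() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    // Check 2: a su binary exists at one of the known paths.
    static boolean hasSuBinary() {
        for (String path : SU_PATHS) {
            if (new File(path).exists()) return true;
        }
        return false;
    }

    // Check 3: "which su" resolves, i.e. su is reachable on PATH.
    static boolean canLocateSu() {
        Process p = null;
        try {
            p = Runtime.getRuntime().exec(new String[] {"/system/xbin/which", "su"});
            try (BufferedReader in = new BufferedReader(
                    new InputStreamReader(p.getInputStream()))) {
                return in.readLine() != null;
            }
        } catch (IOException e) {
            return false; // which is absent or not executable: treat as "not found"
        } finally {
            if (p != null) p.destroy();
        }
    }

    // Aggregating method: every check funnels into this one boolean, the single
    // branch Method 1 flips. Re-running the checks where the result is consumed,
    // rather than trusting one cached flag, removes that single point of failure.
    public static boolean isDeviceRooted() {
        return hasTestKeys() || hasSuBinary() || canLocateSu();
    }
}
```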

Method 2: Blocking Root Detection

1. Back up the contents of the device in case of data loss while rooting the device.

2. Install the “official TWRP app” from the store.


3. Install the SuperSU app (already present if the device is rooted).


4. Select full unroot in the superuser application.

5. Download the Magisk Manager ZIP file from https://github.com/topjohnwu/Magisk/releases.


6. Boot the device into fastboot mode.

7. From fastboot mode, enter recovery mode and install the downloaded Magisk Manager .zip file through TWRP.


8. Now boot normally.

9. Open Magisk Manager and block the targeted applications.

10. Open the targeted applications now; root detection will be bypassed!


IOS JAILBREAK DETECTION BYPASS

Pre-requisites – An iOS application that detects jailbroken devices, a jailbroken Apple device [tested on iOS 10 and 11], and the Liberty Lite application.

Steps to Block Jailbreak Detection

1. Install the application on the jailbroken device; at this point it will not open.

2. Add the repository https://ryleyangus.com/repo/ to Cydia to install Liberty Lite.


3. Download the “Liberty Lite” application.

4. After installing, the application asks to restart the device. Restart it and go to Settings.

5. Find “Liberty” in Settings and go to “Block Jailbreak Detection”.

6. Select the application whose jailbreak detection is to be blocked.


7. Then select the “Block Cydia Substrate” option in Liberty's settings, and find and block the targeted applications again.

8. Close the application (if running in the background) and reopen it. The jailbreak detection is bypassed!

Conclusion

Although it is good practice, from an ethical security engineering perspective, to stop users from running mobile apps on rooted/jailbroken devices, it limits researchers from conducting a successful penetration test/audit. This article will help researchers and testers bypass the restrictions imposed by developers on their applications and intensify the identification of vulnerabilities, since the scope is enlarged with root access to the device. On the other end of the spectrum, it is highly recommended that developers use extremely complex techniques to prevent attackers from bypassing their validation controls. It will continue to be a healthy battle between developers and quality engineers, as one strengthens the game and the other breaks the robust shield, all with the right intentions to protect the application from cyber wrongdoers.

QA InfoTech Inc. U.S.A.
32985 Hamilton Court East, Suite 121, Farmington Hills, MI 48334 U.S.A
+1 469-759-7848

QA InfoTech Services Pvt. Ltd. (Head Office)
A-8, Sector 68 Noida, U.P, 201309, India
+91 956-000-0079
