Port MASTG-TEST-0045: Testing Root Detection (android) #3136
Open: martinzigrai wants to merge 13 commits into OWASP:master from martinzigrai:MASTG-TEST-0045 (base: master)
c90235a
MASTG-TEST-0045 test v2 (by @talsec)
eb6bdf3
Merge branch 'OWASP:master' into MASTG-TEST-0045
martinzigrai 4bce8c7
chore: resolve markdown linting issues and the file name conflict
06ac6fa
Merge branch 'OWASP:master' into MASTG-TEST-0045
martinzigrai e90acee
chore: tests + demo update.
martinzigrai c38d1de
Merge branch 'OWASP:master' into MASTG-TEST-0045
martinzigrai 92f08e5
fix: correct markdown formatting
martinzigrai 784ce8a
Merge branch 'master' into MASTG-TEST-0045
cpholguera ec18132
Apply suggestions from code review
martinzigrai ddb81e9
Merge branch 'OWASP:master' into MASTG-TEST-0045
martinzigrai 953fde8
fix: correct markdown formatting
martinzigrai b25548c
Merge branch 'OWASP:master' into MASTG-TEST-0045
martinzigrai 1baff0c
refactor: Replace SuperSU with KernelSU
32 changes: 32 additions & 0 deletions
demos/android/MASVS-RESILIENCE/MASTG-DEMO-0022/MASTG-DEMO-0022.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| --- | ||
| platform: android | ||
| title: Uses of Root Detection Techniques with r2 | ||
| code: [kotlin] | ||
| id: MASTG-DEMO-0022 | ||
| test: MASTG-TEST-0245 | ||
| --- | ||
|
|
||
| ### Sample | ||
|
|
||
| The following code shows an example of root detection on a device. | ||
|
|
||
| {{ RootDetection.kt }} | ||
|
|
||
| ### Steps | ||
|
|
||
| 1. Unzip the APK package and locate the main binary file (@MASTG-TECH-0007), which in this case is the classes.dex. | ||
| 2. Open the application's binary file using @MASTG-TOOL-0028 with the -i option to run this script. | ||
|
|
||
| {{ root_detection.r2 }} | ||
|
|
||
| {{ run.sh }} | ||
|
|
||
| ### Observation | ||
|
|
||
| The output should include information about detected root indicators, such as the presence of su binaries or modified system properties. | ||
|
|
||
| ### Evaluation | ||
|
|
||
| The demo is considered successful if the rooted device is correctly identified, and the application does not mistakenly flag a non-rooted device as rooted. Furthermore, the bypass techniques should not allow complete circumvention of the root detection. | ||
|
|
||
| On the other hand, the demo fails if the rooted device is not detected, a non-rooted device is falsely flagged as rooted, or if any of the bypass techniques successfully bypass the root detection mechanism. |
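Review bot: the Observation and Evaluation sections describe a runtime check on a rooted device ("the rooted device is correctly identified", "bypass techniques"), but this demo is a static r2 string search over classes.dex, so what the reader can actually observe is which root-indicator strings (the su paths, `supersu://`, `magisk://`, `LD_PRELOAD`) are present in the binary and which functions reference them. Rewrite both sections around that: the Observation should describe the r2 hits and the xrefs/disassembly the script prints, and the Evaluation should state that the demo passes when those references lead to root-detection logic in the app and fails when no such references are found; false positives on non-rooted devices and bypass attempts cannot be exercised with a static script. One smaller point: run.sh writes its result to `output.asm`, but the demo never embeds it, so a `{{ output.asm }}` include after `{{ run.sh }}` is needed for readers to see what the steps produce.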
50 changes: 50 additions & 0 deletions
demos/android/MASVS-RESILIENCE/MASTG-DEMO-0022/RootDetection.kt
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| object RootDetector { | ||
| fun isDeviceRooted(): Boolean { | ||
| return checkRootFiles() || checkSuperUserApk() || checkSuCommand() | ||
| } | ||
|
|
||
| internal fun checkRootFiles(): Boolean { | ||
| val rootPaths = listOf( | ||
| "/system/app/Superuser.apk", | ||
| "/system/xbin/su", | ||
| "/system/bin/su", | ||
| "/sbin/su", | ||
| "/system/sd/xbin/su", | ||
| "/system/bin/.ext/.su", | ||
| "/system/usr/we-need-root/su-backup", | ||
| "/system/xbin/mu" | ||
| ) | ||
| rootPaths.forEach { path -> | ||
| if (File(path).exists()) { | ||
| Log.d("RootCheck", "Found root file: $path") | ||
| } | ||
| } | ||
| return rootPaths.any { path -> File(path).exists() } | ||
| } | ||
|
|
||
| private fun checkSuperUserApk(): Boolean { | ||
| val superUserApk = File("/system/app/Superuser.apk") | ||
| if (superUserApk.exists()) { | ||
| Log.d("RootCheck", "Found Superuser.apk") | ||
| } | ||
| return superUserApk.exists() | ||
| } | ||
|
|
||
| internal fun checkSuCommand(): Boolean { | ||
| return try { | ||
| val process = Runtime.getRuntime().exec(arrayOf("which", "su")) | ||
| val reader = BufferedReader(InputStreamReader(process.inputStream)) | ||
| val result = reader.readLine() | ||
| if (result != null) { | ||
| Log.d("RootCheck", "su command found at: $result") | ||
| true | ||
| } else { | ||
| Log.d("RootCheck", "su command not found") | ||
| false | ||
| } | ||
| } catch (e: IOException) { | ||
| Log.d("RootCheck", "Error checking su command: ${e.message}") | ||
| false | ||
| } | ||
| } | ||
| } |
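Review bot: as committed, RootDetection.kt does not compile on its own: `File`, `Log`, `BufferedReader`, `InputStreamReader` and `IOException` are used without the corresponding imports (`java.io.*` and `android.util.Log`), and a demo sample should build so the reader can produce the classes.dex that the r2 script analyzes. In `checkRootFiles` every path is checked twice, once in the logging `forEach` and again in `any`; collect the hits once, e.g. `val found = rootPaths.filter { File(it).exists() }`, log those and return `found.isNotEmpty()`. `/system/xbin/mu` looks like a typo for `/system/xbin/su`, and `checkSuperUserApk` only re-tests the first entry of `rootPaths`, so it can be dropped. In `checkSuCommand` the `which su` process and its reader are never closed and `waitFor()` is never called, which leaks a file descriptor and a zombie process on every call; wrap the reader in `use { }` and call `process.destroy()` in a `finally`. Also note that root_detection.r2 searches for `/system/xbin/daemonsu`, `/data/local/su`, `supersu://`, `magisk://` and `LD_PRELOAD`, none of which appear in this sample, so the demo output will show no hits for them unless the sample and the script are aligned.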
50 changes: 50 additions & 0 deletions
demos/android/MASVS-RESILIENCE/MASTG-DEMO-0022/root_detection.r2
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| # jailbreak_detection.r2 | ||
| e asm.bytes=false | ||
| e scr.color=false | ||
| e asm.var=false | ||
|
|
||
| ?e | ||
|
|
||
| ?e search for root path: | ||
|
|
||
| / /system/app/Superuser.apk | ||
| / /system/xbin/daemonsu | ||
| / /system/xbin/su | ||
| / /sbin/su | ||
| / /system/bin/su | ||
| / /system/sd/xbin/su | ||
| / /system/bin/failsafe/su | ||
| / /data/local/su | ||
| / /data/local/xbin/su | ||
| / /data/local/bin/su | ||
|
|
||
| ?e | ||
|
|
||
| ?e search for urlSchemes: | ||
|
|
||
| / supersu:// | ||
| / magisk:// | ||
|
|
||
| ?e | ||
|
|
||
| ?e search for suspiciousEnvVars: | ||
|
|
||
| / LD_PRELOAD | ||
| / LD_LIBRARY_PATH | ||
|
|
||
| ?e | ||
|
|
||
| ?e Searching for Root output: | ||
|
|
||
| iz~+root | ||
|
|
||
| ?e | ||
|
|
||
| ?e xrefs to Root strings: | ||
| axt 0x10011db00 | ||
|
|
||
| ?e | ||
|
|
||
| ?e Disassembled Root function: | ||
|
|
||
| pdf @ 0x100008c14 |
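Review bot: the first line still reads `# jailbreak_detection.r2`, which is the iOS demo's name; the comment should match `root_detection.r2`. More importantly, the two hard-coded addresses, `axt 0x10011db00` and `pdf @ 0x100008c14`, look like they were carried over from an arm64 Mach-O demo (0x100000000 is the usual iOS image base) and will not correspond to anything inside a classes.dex, so the "xrefs to Root strings" and "Disassembled Root function" sections will print nothing or the wrong function. Derive the targets from the search results instead, for example by running `axt` over the hit flags the `/` searches create (`axt @@ hit*`) and then `pdf` at the referencing function, so the script works on any build of the sample. The `urlSchemes` and `suspiciousEnvVars` sections also have no counterpart in RootDetection.kt; either add those checks to the sample or drop the sections so the observed output matches the demo text.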
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| r2 -q -i root_detection.r2 -A classes.dex > output.asm |
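Review bot: the script redirects everything to `output.asm`, but MASTG-DEMO-0022.md does not include that file, so the reader never sees what the r2 commands produce; add a `{{ output.asm }}` include to the demo (or commit the generated output next to the script) so the Observation section has something concrete to refer to. Since `-q` exits as soon as the `-i` script finishes, every address the script uses must already be valid at that point; `-A` covers the analysis pass, but the hard-coded `axt`/`pdf` targets in root_detection.r2 still have to match the committed classes.dex, which is a further reason to compute them from the search hits rather than embedding them.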
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| --- | ||
| title: Root Indicators Detection | ||
| platform: android | ||
| id: MASTG-TEST-0245 | ||
| type: [static] | ||
| weakness: MASWE-0097 | ||
| best-practices: [] | ||
| --- | ||
|
|
||
| ## Overview | ||
|
|
||
| This test is specifically designed to evaluate the effectiveness of root detection mechanisms. Its goal is to ensure that rooted devices are accurately identified so that any associated security risks can be addressed, ultimately safeguarding the integrity of the device and protecting user data. | ||
|
|
||
| The testing process involves analyzing the device environment to identify common indicators of root access. This includes checking for the presence of root management tools, suspicious files or directories, and modified system properties on the device itself. It does so by statically analyzing the device for [common root detection checks](../../../Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#root-etection-and-common-root-detection-methods). | ||
|
|
||
|
|
||
| ## Steps | ||
|
|
||
| 1. **Check for root indicators:** | ||
|
|
||
| - Look for files such as Superuser.apk, /sbin/su, /system/bin/su, /system/xbin/su. | ||
| - Check for presence of root management apps such as Magisk, SuperSu that are commonly used to manage root access. | ||
|
|
||
| 2. **Check for modified system properties:** | ||
| - ro.secure=0 (should be 1 on production devices). | ||
| - ro.debuggable=1 (indicates the device is in debug mode). | ||
| - Look for properties like ro.allow.mock.location=1 or persist.sys.usb.config=adb which can indicate modifications related to root. | ||
| 3. **Check for modifications to critical system directories:** | ||
| - Look for attempts to modify files or settings in directories such as /data or /system, which should remain immutable on an unrooted device. | ||
| 4. **Check for non-standard system behavior:** | ||
| - Look for processes that shouldn’t normally be running, like su or sh, which are typically used by root management tools. | ||
| - Analyze running processes for any unusual or unauthorized apps, such as root management tools, that should not be running on a non-rooted device. | ||
| 5. **Analyze and report findings.** | ||
|
|
||
| ## Observation | ||
|
|
||
| The output should contain a comprehensive set of findings that demonstrate the accuracy of the root detection mechanisms on the device. Specifically, it should include traces of any root indicators, such as the presence of root management tools, suspicious system files, and modified system properties. The output should also include evidence of any attempts to modify critical system directories or processes that are not normally running on a non-rooted device. | ||
|
|
||
| ## Evaluation | ||
|
|
||
| The test passes if the root detection mechanisms successfully identify signs of rooting on the device, such as the presence of root management tools, suspicious system files, or modified system properties. The test is considered unsuccessful if a rooted device is not properly detected, if a non-rooted device is mistakenly flagged as rooted (false positive), or if any bypass technique is able to completely circumvent the detection mechanism. | ||
|
|
||
| To enhance the reliability of root detection, a combination of static and dynamic analysis methods should be used, such as checking system properties along with monitoring runtime behavior. | ||
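Review bot: the front matter declares `type: [static]`, but the Overview says the process "analyzes the device environment" and "statically analyzes the device", and Steps 2 to 4 (reading `ro.secure`/`ro.debuggable`, watching for writes to /data or /system, enumerating running processes) are all things done on a running device, not in the app binary. A static test should describe what to look for in the APK: the root-indicator strings, property names and API calls (the `File(...).exists()` paths and `Runtime.exec("which", "su")` in the demo sample), the functions that reference them, and whether their result actually gates app behaviour. The link anchor `#root-etection-and-common-root-detection-methods` is misspelled (`root-etection`), which is probably what the markdown check on line 14 is flagging. The Evaluation also mentions false positives on non-rooted devices and bypass techniques, which belong in the dynamic test; here the pass condition should be that root-detection checks are present in the binary and the fail condition that none are found. Finally, `id: MASTG-TEST-0245` is also declared in the second test file of this PR; the two tests need distinct ids, otherwise the demo's `test:` reference is ambiguous.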
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| --- | ||
| title: Root Detection Resilience Testing | ||
|
||
| platform: android | ||
| id: MASTG-TEST-0245 | ||
| type: [dynamic] | ||
| weakness: MASWE-0097 | ||
| best-practices: [] | ||
| --- | ||
|
|
||
| ## Overview | ||
|
|
||
| This test is designed to evaluate the effectiveness of root detection mechanisms. Its goal is to ensure that rooted devices are accurately identified so that any associated security risks can be addressed, ultimately safeguarding the integrity of the device and protecting user data. | ||
|
|
||
| The testing process involves running the app on a non-rooted and a rooted device to observe how the root detection mechanisms work. This includes monitoring system interactions, detecting access to root-specific files or binaries, and analyzing API calls commonly used for root detection. Additionally, various bypass techniques are tested to determine the robustness of the implemented security measures. It does so by dynamically analyzing the app binary for [common root detection checks](../../../Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#root-etection-and-common-root-detection-methods). | ||
|
|
||
| ## Steps | ||
|
|
||
| 1. **Prepare the test environment:** | ||
| - Set up the non-rooted and rooted device to compare their behaviour. | ||
| 2. **Run application which implements root detection on the non-rooted device:** | ||
| - Verify that the detection works as expected. | ||
| 3. **Monitor Application Behaviour:** | ||
| - Use tools like strace or DDMS to trace what the app does when it checks for root. Look for interactions with the system, such as attempts to open su or check running processes. This will help you understand how the app is detecting root and might expose weaknesses in its implementation. | ||
| 4. **Run the application on a rooted device:** | ||
| - Check if root detection alerts appear. | ||
| 5. **Test bypass techniques:** | ||
| - Use tools like MagiskHide, RootCloak or UnRootBeer to see if root detection can be bypassed. | ||
| - Experiment with techniques such as renaming binaries or using Frida/Xposed to hook into APIs. | ||
| 6. **Analyze and report findings.** | ||
|
|
||
| ## Observation | ||
|
|
||
| The main purpose of this test is to evaluate the accuracy of implemented root detection mechanisms. This means we want to see if the root detection mechanisms are effective at identifying devices that have been modified while minimizing instances where non-rooted devices are mistakenly flagged as rooted. The outcome should provide a comprehensive understanding of how effectively the application’s root detection mechanisms function. | ||
|
|
||
|
|
||
| ## Evaluation | ||
|
|
||
| The test passes if the root detection mechanisms successfully identify any signs of rooting on the device. The test is considered unsuccessful if a rooted device is not properly detected, if a non-rooted device is incorrectly flagged as rooted, or if any bypass technique allows complete circumvention of the detection mechanism. | ||
|
|
||
| To enhance the reliability of root detection, a combination of static and dynamic analysis methods should be used, such as checking system properties along with monitoring runtime behavior. | ||
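Review bot: the `id:` in the front matter is `MASTG-TEST-0245`, the same as the static test, while this file lives at tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0246.md; it should be `MASTG-TEST-0246`, otherwise cross-references (including the demo's `test:` field) cannot tell the two tests apart. Step 2, "Run application ... on the non-rooted device: Verify that the detection works as expected", should say explicitly that the expected result there is no root alert, since that is the false-positive check the Evaluation later relies on; step 4 then covers the true-positive case. In step 3, DDMS has been deprecated since Android Studio 3.0 in favour of the Android Studio profiler, and elsewhere in this PR tools are referenced by their `@MASTG-TOOL-xxxx` id, so the bare tool names in steps 3 and 5 should use those ids where they exist. The Overview link carries the same `#root-etection-...` anchor typo as the static test, and the closing sentence about combining static and dynamic methods is duplicated verbatim from MASTG-TEST-0245; keeping it in one place avoids the two drifting apart.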