ROOT DETECTION AND BYPASS

What Root Detection Bypass Scripts Check

Scripts or tools for bypassing root detection typically examine:
1. File Existence:
o Checking for files targeted by the detection logic and hiding them.
2. Function Overriding:
o Overriding system calls like Runtime.getRuntime().exec().
3. System Properties:
o Intercepting and altering responses for Build.TAGS or other properties.
4. Anti-Debugging/Hooking:
o Patching anti-debugging or anti-hooking mechanisms.

1. File Existence Checks

Many root detection mechanisms scan the filesystem for the presence of files and binaries associated
with rooting tools. Bypass scripts focus on:
Files and Directories Checked
 Common Root Binaries:
o /system/bin/su
o /system/xbin/su
o /sbin/su
o /system/app/Superuser.apk
o /data/data/com.noshufou.android.su
o /data/local/xbin/su
o /data/local/bin/su
o /system/sd/xbin/su
 Root Management Tools:
o Magisk binaries (/sbin/.magisk/, /data/adb/magisk.img)
o BusyBox binary paths
Bypassing Techniques
 File Cloaking: Tools like MagiskHide hide these files from detection.
 Filesystem Virtualization: Root managers modify the kernel or filesystem to prevent access
to these files for non-root processes.
 Path Obfuscation: Attackers rename or move these binaries to paths not checked by the app.

2. Command Execution Checks

Root detection logic often executes commands to determine root status. Scripts check how these
commands are handled:
Commands Used by Root Detection
 which su: Checks for the presence of the su binary.
 id: Detects if the current user has root privileges (UID = 0).
 mount: Identifies writable system partitions.
 ls: Lists root-related files or directories.
Bypassing Techniques
 Command Hooking: Tools like Frida or Xposed intercept and modify the results of these
commands.
 Command Replacement: Scripts replace the su binary or other commands with benign
executables that return safe values.
 Result Spoofing: Custom scripts inject false outputs for commands executed by the
application.

3. System Property Checks

Root detection often involves querying Android system properties for evidence of rooting.
Properties Commonly Checked
 ro.build.tags: If it contains test-keys, it indicates a developer/rooted build.
  ro.secure: A value of 0 indicates an insecure device.
 ro.debuggable: A value of 1 indicates the device can run as root.
 ro.build.selinux: Checks the SELinux enforcement status.
Bypassing Techniques
 Property Modification:
o Tools like Magisk allow users to modify or spoof system properties.
o Scripts like resetprop (from Magisk) can dynamically alter properties.
 Environment Isolation:
o Root managers create a separate namespace to isolate real properties from apps
querying them.

4. Root Management Apps Detection

Applications often look for installed root management tools (e.g., Magisk Manager, SuperSU).
Detection Methods
 Checking for installed APKs with specific package names:
o com.topjohnwu.magisk
o eu.chainfire.supersu
 Checking process lists for running instances of root managers.
Bypassing Techniques
 Package Name Obfuscation: Tools rename root management apps to avoid detection.
 App Hiding: Root management apps use modules like MagiskHide to remove traces from the
system.
 Process Cloaking: Frameworks like Magisk alter the process table to hide root-related
processes.

5. SELinux Status Checks

SELinux is a mandatory access control system in Android. Apps check if SELinux is in permissive mode,
which is often used in rooted devices.
Bypassing Techniques
 Fake Status: Scripts modify the SELinux status reported to the app.
 Enforcing Mode Spoofing: Root managers operate with SELinux in enforcing mode while
maintaining root access.

6. Dynamic Analysis of Root Detection Logic

Bypass scripts often analyze the root detection logic itself. This is done by:
Code Analysis Techniques
 Reverse Engineering:
o Decompiling APKs with tools like JADX or APKTool.
o Searching for root detection methods and classes.
 Runtime Hooking:
o Using Frida or Xposed to intercept function calls, analyze arguments, and override
return values.
Bypassing Techniques
 Function Hooking:
o Modifying return values of critical functions (e.g., checkForSuBinary(), Build.TAGS).
o Example in Frida:
Java.perform(function() {
varRootCheckClass= Java.use("com.example.RootCheck");
RootCheckClass.checkForSuBinary.implementation= function() {
console.log("Bypassed checkForSuBinary");
returnfalse; // Always return false};
});

 Dynamic Code Patching:

o Injecting custom code to bypass detection without modifying the APK.
7. Anti-Debugging and Anti-Hooking
Some apps implement anti-debugging or anti-hooking measures to prevent tampering. Scripts bypass
these by:
Bypassing Techniques
 Disabling Anti-Debugging:
o Overriding native debugging checks (e.g., ptrace or isDebuggerConnected()).
o Using Frida to hook the isDebuggerConnected() method:

Java.perform(function() {
varDebugClass= Java.use("android.os.Debug");
DebugClass.isDebuggerConnected.implementation= function() {
returnfalse; // Always return false};
});

 Anti-Hooking Bypass:
o Modifying the application logic to neutralize anti-hooking checks (e.g., detecting
Frida processes).
o Using Magisk modules to hide hooking frameworks like Xposed.

8. Emulator and Virtual Environment Checks

Root detection mechanisms sometimes verify whether the app is running in an emulator or
virtualized environment.
Detection Methods
 Checking hardware information (e.g., ro.hardware or ro.product.model).
 Analyzing sensor availability (emulators often lack real sensors).
 Looking for known emulator files or directories.
Bypassing Techniques
 Property Spoofing:
o Modifying properties to mimic real devices.
 Sensor Emulation:
o Spoofing sensor data to simulate a physical device.

9. Network Behavior Checks

Some root detection systems monitor network behavior for signs of tampering (e.g., HTTP proxying or
DNS tunneling).
Bypassing Techniques
 Using VPN or root-specific tools to anonymize network activity.
 Intercepting and spoofing traffic at runtime
Patching Root Detection
1. Use a Layered Approach
Relying on a single method for root detection is insufficient. A layered approach combining multiple
techniques makes bypassing more difficult:
 File checks
 System property checks
 Command execution checks
 Integrity verification
 Anti-hooking
 Anti-tampering
 Obfuscation

2. Implement Advanced Root Detection

File Checks
Verify the presence of files or directories associated with rooting.

Code Example:
privatebooleancheckRootFiles(){
String[] paths = {
"/system/app/Superuser.apk",
"/system/bin/su",
"/system/xbin/su",
"/data/local/bin/su",
"/data/local/xbin/su",
"/sbin/su",
"/system/sd/xbin/su"};
for(String path : paths) {
Filefile=newFile(path);
if(file.exists()) {
returntrue;
}
}
returnfalse;
}
Improvements:
 Obfuscate file paths to prevent bypass by simple string replacement.
 Randomize the file check logic to make reverse engineering harder.

System Property Checks

Verify system properties for signs of rooting.

Code Example:
privatebooleancheckSystemProperties(){
StringbuildTags=Build.TAGS;
if(buildTags != null&& buildTags.contains("test-keys")) {
returntrue;
}
returnSystem.getProperty("ro.debuggable").equals("1");
}
Improvements:
 Combine multiple property checks and verify them dynamically.
 Encrypt or obfuscate property names in the code.
Command Execution Checks
Detect suspicious commands being executed on the device.

Code Example:
privatebooleanexecuteSuCommand(){
try{
Processprocess=Runtime.getRuntime().exec("which su");
BufferedReaderin=newBufferedReader(newInputStreamReader(process.getInputStream()));
returnin.readLine() != null;
} catch(Exception e) {
returnfalse;
}
}
Improvements:
 Use native libraries (JNI) for command execution to make bypass harder.
 Monitor system command usage patterns dynamically.

Additional Paths for Common Root Binaries

Superuser/Root Binaries
 /data/local/su
 /data/local/.su
 /data/local/tmp/su
 /system/bin/.ext/.su
 /system/usr/we-need-root/su
 /cache/su
 /dev/su
 /magisk/.core/bin/su

Root Management Tools

 Magisk:
o /sbin/.magisk
o /data/adb/magisk
o /data/adb/magisk.db
o /data/adb/modules/
o /data/adb/post-fs-data.d/
o /data/adb/service.d/
 SuperSU:
o /data/data/eu.chainfire.supersu/
o /data/data/com.superuser/
o /data/app/com.noshufou.android.su-1/
o /data/app/com.noshufou.android.su-2/

BusyBox
BusyBox binaries are commonly used in rooted environments for advanced command-line utilities:
 /system/bin/busybox
 /system/xbin/busybox
 /data/local/busybox
 /sbin/busybox

Xposed Framework
Xposed is widely used for modifying app behavior:
 /system/framework/XposedBridge.jar
 /data/data/de.robv.android.xposed.installer/
 /data/dalvik-cache/xposed/
 /magisk/xposed/
Temporary Directories
Rooting processes often leave files in temporary or cache directories:
 /data/local/tmp/root/
 /cache/.root/
 /data/.root/

System Partition Modifications

Detect writable or remounted system directories:
 /system/etc/init.d/
 /system/etc/init/
 /system/etc/mkshrc
 /system/bin/.ext/
 /system/lib/libsu.so

Magisk-Related Paths
 /dev/magisk/
 /magisk/
 /sbin/magisk/
 /init.magisk.rc

Custom Root Scripts

Detect scripts or files commonly used for rooting:
 /data/local/install-recovery.sh
 /system/etc/install-recovery.sh
 /system/bin/.su-daemon
 /data/local/su-install.sh

Emulator or Debugging Tools

Paths related to debugging environments:
 /data/local/debuggerd
 /data/local/adb_keys
 /dev/socket/su-daemon
 /system/app/Frida/

3. Add Integrity Verification

APK Signature Verification
Ensure the app's APK has not been modified or tampered with.

Code Example:
privatebooleanverifySignature(){
try{
PackageInfopackageInfo=getPackageManager().getPackageInfo(getPackageName(),
PackageManager.GET_SIGNATURES);
Signature[] signatures = packageInfo.signatures;
for(Signature signature : signatures) {
if(!isValidSignature(signature)) {
returnfalse;
}
}
returntrue;
} catch(Exception e) {
returnfalse;
}
}
privatebooleanisValidSignature(Signature signature){
StringvalidSignature="YOUR_VALID_SIGNATURE_HASH";
 returnvalidSignature.equals(signature.toCharsString());
}
Improvements:
 Validate signatures server-side to avoid tampering with client logic.
 Implement a checksum to verify app resources.

Checksum Verification
Verify the integrity of critical app files.

Code Example:
privatebooleanverifyChecksum(String filePath, String expectedHash){
try{
MessageDigestmd=MessageDigest.getInstance("SHA-256");
FileInputStreamfis=newFileInputStream(filePath);
byte[] buffer = newbyte[1024];
intbytesRead;
while((bytesRead = fis.read(buffer)) != -1) {
md.update(buffer, 0, bytesRead);
}
fis.close();
byte[] hashBytes = md.digest();
StringBuildersb=newStringBuilder();
for(byteb : hashBytes) {
sb.append(String.format("%02x", b));
}
returnexpectedHash.equals(sb.toString());
} catch(Exception e) {
returnfalse;
}
}

4. Implement Anti-Hooking Mechanisms

Detect Hooking Frameworks
Check for signs of frameworks like Frida or Xposed.

Code Example:
privatebooleandetectHooking(){
returnnewFile("/data/data/de.robv.android.xposed.installer").exists() ||
newFile("/system/framework/XposedBridge.jar").exists();
}

Use Native Code for Critical Logic

Move root detection logic into native code (JNI) to make it harder to hook or analyze.

JNI Example:
#include<jni.h>#include<string.h>JNIEXPORT jboolean JNICALL
Java_com_example_RootDetection_nativeCheck(JNIEnv *env, jobject obj){
FILE *file = fopen("/system/bin/su", "r");
if(file) {
fclose(file);
returnJNI_TRUE;
}
returnJNI_FALSE;
}

5. Obfuscate Root Detection Logic

Code Obfuscation
Use tools like ProGuard or R8 to obfuscate your code. For example:
 Rename classes and methods.
 Inline simple methods.
 Encrypt sensitive strings (e.g., file paths, commands).

6. Use Runtime Integrity Protections

SafetyNet Attestation API
Google's SafetyNet API helps detect rooted devices and tampered environments.

Integration Example:
SafetyNet.getClient(this).attest(requestNonce, API_KEY)
.addOnSuccessListener(response -> {
StringresponseJson=response.getJwsResult();
// Validate response on server})
.addOnFailureListener(e -> {
// Handle failure});

Anti-Debugging Checks
Prevent runtime debugging to stop analysis or tampering.

Code Example:
privatebooleanisBeingDebugged(){
returnandroid.os.Debug.isDebuggerConnected() || BuildConfig.DEBUG;
}

7. Implement Anti-Tampering Measures

Dynamic Code Loading
Store sensitive code or detection logic on a remote server and load it dynamically during runtime.
Encrypt Critical Logic
Use encryption for critical functions or data. Decrypt them only at runtime.

8. Employ Server-Side Validations

Backend Verification
 Validate app integrity and device status on the server.
 Use short-lived tokens to ensure requests come from untampered devices.

9. Additional Advanced Techniques

 Environment Verification:
o Check for emulators or virtualized environments.
o Use unique device attributes (e.g., hardware info) to validate devices.
 Monitor for Anomalous Behavior:
o Detect unusual network traffic or modified app responses.
 Frequent Updates:
o Regularly update detection methods and signatures to stay ahead of bypass tools.