5. Reversing & Recompiling .APK to Bypass Root-detection

Rooting an Android phone lets any app obtain superuser access once the user grants it, which puts every other app installed on that device at risk of a violation of the CIA triad (confidentiality, integrity, availability). To reduce this risk, many apps ship with a root-detection mechanism that refuses to run on a rooted device. If you still want to perform a security assessment using a rooted device or emulator, you need to bypass that root detection. This can be achieved in several ways, such as reversing and altering the .apk to turn off the root check, or faking a non-rooted device during run-time analysis. Here we look at bypassing root detection by modifying the flow of the app through changes to the .APK file itself.


Download RootDetection.apk

This assumes Apktool is configured properly on your machine; if not, refer to the documentation. On Linux/macOS, give the apktool files execute permission using chmod 777 or chmod +x (chmod +x is sufficient and grants less than 777). Copy the downloaded RootDetection.apk into the directory where the apktool files are.


Step:1 Decompiling RootDetection.apk file into Smali using Apktool

On completion of the above command, a folder named RootDetection is created, containing the manifest XML file, the smali files, the resources and many other files.


Step:2 Modifying MainActivity.smali to bypass RootDetection Logic

Open the extracted folder RootDetection/smali/com/nestedif/rootdetection/ and open the file MainActivity.smali in any text editor. You will notice there are multiple checks to identify whether the device is rooted or not. All of these root-detection methods pass their result to the checkRoot() method, which takes the decision of declaring the device rooted or not. Hence checkRoot() is the method we are interested in tampering with.

In the source there is an if / else condition, which is compiled into if-eqz / if-nez respectively in smali, and the blocks of statements inside the if and else branches become the labelled blocks cond_0 and cond_1. This means we need to modify the smali so that when the device is rooted, instead of jumping to cond_1 the code takes cond_0, so the APK reports the device as not rooted. In very simple terms, we have swapped the if and else.

Summarizing, the changes to be made are as follows:

  1. Near line 776 of MainActivity.smali, replace the line if-eqz v0, :cond_1 with if-nez v0, :cond_0
  2. Remove line 779, which contains :cond_0
  3. At line 799, change :cond_1 to :cond_0


Step:3 Recompiling with above change to modified APK using ApkTool

b builds a new APK file from the folder name that follows it, i.e. RootDetection, which contains the modified MainActivity.smali and the other files produced in steps 1 and 2; -o specifies the output APK file name we want. On completion of the above command, a new APK file is created in the same folder, and this APK bypasses the root detection.

Remember that if you try to install this APK now, it will fail with an error saying it is not signed with a proper certificate. One more step is needed before installation, namely app signing, since modifying the APK breaks its original signature.


Step:4 Signing modified APK

The APK file generated above can be signed in several ways, for example with jarsigner and keytool, or, the easiest way, with the apk-signer Android app, which you can install from the Play Store.

Next, copy the modified APK (RootBypass.apk) to the mobile device: either connect over USB and copy it to /sdcard/Download, or copy the modified APK to the directory where ADB is present and from there run the following command:

adb push RootBypass.apk /sdcard/Download/

On the mobile device, launch apk-signer and tap the button at the bottom right to create a new signed APK. Choose the path where we copied RootBypass.apk (i.e. /sdcard/Download/) and then choose the path where you want to save the signed APK.

Once the APK is signed, use any file explorer on your device, or (Marshmallow onwards) the default file explorer from Settings > Storage > Internal shared storage, to navigate to the location of the signed APK. Tap on it and accept the prompt to install (the app comes from outside the Play Store).


Observation:

Now the app says your device is not rooted, even though you are using a rooted phone.

To understand this further, decompile both RootDetection.apk and RootBypass.apk into Java class files as well as smali files. Comparing MainActivity in both shows clearly what changed when we modified a few lines of the MainActivity file. Some apps use a custom root-detection mechanism, but once the concept above is clear you can handle those apps as well.


Exceptions:

  • A big note: Apktool depends on a framework APK (used internally by the tool). If you update an older installation by downloading a new version of Apktool, make sure you delete the older auto-generated framework, otherwise you will get errors and decompilation/recompilation will fail. (Refer to the documentation or the Stackoverflow answer.)
