Pradip Tilala

Reputation: 1813

Root detection implementation can be bypassed using Magisk Hide: Android app vulnerability

I have recently been assigned a new security fix for my Android app: this time the Vulnerability Assessment and Penetration Testing (VAPT) team used Magisk and Magisk Hide to bypass the Android root detection implementation.

Description given by the VAPT team: root detection is based on the package name and the availability of the su binary.

Steps followed by the VAPT team for the root detection bypass on an Android device:

  1. Set the Magisk application package name to a random one.
  2. Next, apply the Magisk Hide settings. This hides the su binary from the application, so the application works as normal. This means Magisk Hide lets you use apps without letting them know that the device is rooted.

Root detection implementation in the app:

  1. Currently the Android app has the "RootBeer" and "Root Tool" libraries integrated for root detection on the Android device.
  2. All app data is stored in an encrypted database in the Android app.

I have also checked possible fixes like SafetyNet's Hardware Attestation, but I found that it is also not enough. Here I found links which say they are able to bypass SafetyNet detection as well:

  1. https://nooberinfo.com/magisk-hide-not-working-on-banking-apps-2021-magisk-hide-not-working-2021-android-11/#19-method-6-updating-magisk-to-magisk-canary-version-to-fix-safetynet-issue-in-android-11
  2. https://www.thecustomdroid.com/fix-safetynet-hardware-attestation-guide/

Questions regarding this scenario:

  1. In case root detection is bypassed, as the database is encrypted there should be no chance of any app data leak. If root detection is bypassed, is an encrypted database secure enough to prevent the app from leaking data?

  2. Are there any currently known mitigations available to detect Magisk and Magisk Hide in an Android app?

  3. If there is a new method to bypass and hide root, then a new root detection library needs to be integrated into the Android app, which in turn increases the Android APK size each time. Is it always a good idea to integrate a new library for root detection?

Upvotes: 4

Views: 12347

Answers (1)

ARandomPerson

Reputation: 17

You can use this piece of code to detect Magisk Hide; use it in combination with another root detection lib like RootBeer. Here we are just going through all of the apps installed and searching for Magisk-specific lib names such as "libstub.so".

import android.annotation.SuppressLint;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.util.Log;

import java.io.File;
import java.util.List;

// Runs inside an Activity/Context; ShowMessageBox is the app's own dialog helper.
private void searchForMagisk() {
    PackageManager pm = getPackageManager();
    // On Android 11+ package visibility filtering applies: without a <queries> entry or
    // QUERY_ALL_PACKAGES the list is filtered and the scan silently sees fewer apps.
    @SuppressLint("QueryPermissionsNeeded")
    List<PackageInfo> installedPackages = pm.getInstalledPackages(0);

    for (PackageInfo info : installedPackages) {
        ApplicationInfo appInfo = info.applicationInfo;
        String nativeLibraryDir = appInfo.nativeLibraryDir;
        String packageName = appInfo.packageName;
        if (nativeLibraryDir == null) {
            continue; // package without native libs, nothing to check
        }

        Log.i("Magisk Detection", "Checking " + packageName + " in " + nativeLibraryDir);

        // The Magisk app keeps its native library name even when its package name is randomised.
        File f = new File(nativeLibraryDir, "libstub.so");
        if (f.exists()) {
            ShowMessageBox("Magisk Detection", "Magisk was Detected!");
        }
    }
}

Upvotes: 0
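The scan above runs on a device the tester controls, so whatever verdict it produces can be altered in place; the SafetyNet route the question mentions only adds value when the attestation is validated on the server, where Magisk Hide cannot reach. As an added example (not code from the question or the answer), here is that server-side policy check in Python over a constructed, unsigned attestation payload; the package name, certificate digest and nonce are assumed values.

```python
import base64
import hashlib
import json

# Constructed policy values for this example (package name, SHA-256 of the APK signing cert).
EXPECTED_PACKAGE = "com.example.bankapp"
EXPECTED_CERT_DIGEST = base64.b64encode(hashlib.sha256(b"constructed signing cert").digest()).decode()
MAX_AGE_MS = 5 * 60 * 1000  # reject attestations older than five minutes

def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def decode_jws_payload(jws: str) -> dict:
    """Parse the payload of a compact JWS (header.payload.signature). Parsing only: the
    signature and the x5c chain to attest.android.com must be verified before trusting it."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def evaluate_attestation(payload: dict, expected_nonce: bytes, now_ms: int, signature_valid: bool) -> list:
    """Return the list of policy failures; an empty list means the device and app passed."""
    failures = []
    if not signature_valid:
        failures.append("signature or certificate chain not verified")
    # The nonce comes back base64-encoded and binds the verdict to this server session.
    if payload.get("nonce") != base64.b64encode(expected_nonce).decode():
        failures.append("nonce mismatch")
    ts = payload.get("timestampMs", 0)
    if not (now_ms - MAX_AGE_MS <= ts <= now_ms + 60_000):
        failures.append("stale or future timestamp")
    if payload.get("apkPackageName") != EXPECTED_PACKAGE:
        failures.append("package name mismatch")
    if EXPECTED_CERT_DIGEST not in payload.get("apkCertificateDigestSha256", []):
        failures.append("APK signing certificate mismatch")
    for flag in ("basicIntegrity", "ctsProfileMatch"):
        if not payload.get(flag):
            failures.append(f"{flag} is false")
    # evaluationType lists BASIC and/or HARDWARE_BACKED; insist on the hardware-backed verdict.
    if "HARDWARE_BACKED" not in payload.get("evaluationType", ""):
        failures.append("verdict not hardware-backed")
    return failures

def make_sample_jws(payload: dict) -> str:
    """Constructed, unsigned JWS (empty signature part) so the checks can be exercised offline."""
    header = _b64url(json.dumps({"alg": "RS256", "x5c": []}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."
```

Signature and x5c chain verification against attest.android.com has to succeed before `signature_valid` is set. SafetyNet Attestation has since been deprecated in favour of the Play Integrity API, whose verdict is checked server-side in the same way.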
