Bypass Android Root Detection in Code
For several reasons, some Android apps check whether the device is rooted and block access to the app when it is. Root access lets a user see and tamper with all of an application's functionality, and this is why developers block rooted devices in their applications.
To bypass root detection in these applications, you first need to know how it works.
Android Root Detection Methods
1. Test-Keys
Release-keys and test-keys have to do with how the system build was signed when it was compiled. Release-keys means it was signed with an official key from the official developer. Test-keys means it was signed with a custom key generated by a third-party developer. So when you find test-keys on the build, the detection logic treats the device as rooted. The file /system/build.prop records the build tags, as shown below:
dalvik.vm.stack-trace-file=/data/anr/traces.txt
ro.product.model.geny-def=Genymotion 'Phone' version
ro.product.brand.geny-def=generic
ro.product.board.geny-def=
ro.product.name.geny-def=vbox86p
ro.product.device.geny-def=vbox86p
ro.manufacturer.geny-def=unknown
ro.build.display.id.geny-def=vbox86p-userdebug 5.1 LMY47D 632 test-keys
ro.build.type.geny-def=userdebug
ro.build.tags.geny-def=test-keys
ro.build.description.geny-def=vbox86p-userdebug 5.1 LMY47D 632 test-keys
2. ‘su’ Binary File
The ‘su’ binary is installed when you want root access on an Android device. Checking whether this binary is present is the key to root detection.
root@vbox86p:/ # which su
/system/bin/su
3. ‘busybox’ Binary File
‘busybox’ is a binary installed on rooted Android devices to provide common Linux commands.
root@vbox86p:/ # which busybox
/sbin/busybox
root@vbox86p:/ # busybox
BusyBox v1.22.1 bionic (2020-06-11 20:16 +0000) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2012.
Licensed under GPLv2. See source distribution for detailed
copyright notices. Merged for bionic by tpruvot@github
Usage: busybox [function [arguments]...]
or: busybox --list[-full]
or: busybox --install [-s] [DIR]
or: function [arguments]...
BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable. Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as.
Currently defined functions:
adjtimex, arp, ash, awk, base64, basename, bbconfig, blkid,
blockdev, brctl, bunzip2, bzcat, bzip2, cal, cat, catv, chattr, chcon, chgrp, chmod, chown, chroot, chvt, clear, cmp, comm, cp, cpio, crond, crontab, cut, date, dc, dd, deallocvt, depmod, devmem, df, diff, dirname, dmesg, dnsd, dos2unix, du, echo, ed, egrep, env, expand, expr ...
4. High Privilege Path Access
There are some paths on Android devices which are accessible only if root access is available. Checking access to these paths is the key to detecting a rooted device.
/data/local/
/data/local/bin/
/data/local/xbin/
/sbin/
/su/bin/
/system/bin/
/system/bin/.ext/
/system/bin/failsafe/
/system/sd/xbin/
/system/usr/we-need-root/
/system/xbin/
/cache/
/data/
/dev/
5. Writable Path Access
There are some paths on Android devices which are writable only if root access is available. Checking write access to these paths is the key to detecting a rooted device.
/system
/system/bin
/system/sbin
/system/xbin
/vendor/bin
/sbin
/etc
6. Root Cloaking App Packages
Some apps can hide root from detection routines (root cloaking). Checking for these packages is the key to detecting a rooted device. The following packages are some of them:
com.devadvance.rootcloak
com.devadvance.rootcloakplus
de.robv.android.xposed.installer
com.saurik.substrate
com.zachspong.temprootremovejb
com.amphoras.hidemyroot
com.amphoras.hidemyrootadfree
com.formyhm.hiderootPremium
com.formyhm.hideroot
7. Root App Packages
Some apps help you root your Android device. Checking for these app packages is the key to detecting a rooted device.
com.noshufou.android.su
com.noshufou.android.su.elite
eu.chainfire.supersu
com.koushikdutta.superuser
com.thirdparty.superuser
com.yellowes.su
com.topjohnwu.magisk
com.kingroot.kinguser
com.kingo.root
com.smedialink.oneclickroot
com.zhiqupk.root.global
com.alephzain.framaroot
8. Dangerous Root Needed App Packages
Some apps need root access to do their job. Checking for these app packages is the key to detecting a rooted device.
de.robv.android.xposed.installer
mobi.acpm.inspeckage
com.koushikdutta.rommanager
com.koushikdutta.rommanager.license
com.dimonvideo.luckypatcher
com.chelpus.lackypatch
com.ramdroid.appquarantine
com.ramdroid.appquarantinepro
com.android.vending.billing.InAppBillingService.COIN
com.android.vending.billing.InAppBillingService.LUCK
com.chelpus.luckypatcher
com.blackmartalpha
org.blackmart.market
com.allinone.free
com.repodroid.app
org.creeplays.hack
com.baseappfull.fwd
com.zmapp
com.dv.marketmod.installer
org.mobilism.android
com.android.wp.net.log
com.android.camera.update
cc.madkite.freedom
com.solohsu.android.edxp.manager
org.meowcat.edxposed.manager
com.xmodgame
com.cih.game_cih
com.charles.lpoqasert
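The eight detection methods above, written out as an added Java example (not the post's own code and not from any library): it assumes it runs inside an Android app with a Context available, and the class and method names are my own.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Build;
import java.io.File;

// Added example, not code from the original post: detection methods 1, 2, 4, 5 and 6-8
// in plain Android Java. Paths/packages come from the page's lists; names here are my own.
public final class RootChecks {
    // Method 1: Build.TAGS mirrors ro.build.tags from build.prop.
    static boolean hasTestKeys() {
        return Build.TAGS != null && Build.TAGS.contains("test-keys");
    }

    // Methods 2 and 4: look for a su binary in the privileged paths listed above.
    static boolean hasSuBinary() {
        String[] dirs = {"/sbin/", "/su/bin/", "/system/bin/", "/system/bin/.ext/",
                "/system/bin/failsafe/", "/system/sd/xbin/", "/system/xbin/",
                "/data/local/", "/data/local/bin/", "/data/local/xbin/"};
        for (String dir : dirs) if (new File(dir, "su").exists()) return true;
        return false;
    }

    // Method 5: these directories are read-only unless the device is rooted.
    static boolean hasWritableSystemPath() {
        String[] paths = {"/system", "/system/bin", "/system/sbin", "/system/xbin",
                "/vendor/bin", "/sbin", "/etc"};
        for (String path : paths) if (new File(path).canWrite()) return true;
        return false;
    }

    // Methods 6-8: known cloaking, rooting and root-requiring packages (on Android 11+
    // the app needs a <queries> manifest entry before getPackageInfo can see them).
    static boolean hasRootPackage(Context ctx) {
        String[] pkgs = {"com.devadvance.rootcloak", "de.robv.android.xposed.installer",
                "eu.chainfire.supersu", "com.topjohnwu.magisk", "com.dimonvideo.luckypatcher"};
        PackageManager pm = ctx.getPackageManager();
        for (String pkg : pkgs) {
            try { pm.getPackageInfo(pkg, 0); return true; }
            catch (PackageManager.NameNotFoundException e) { /* not installed, keep going */ }
        }
        return false;
    }

    // One boolean result is what the return-value patch described later flips; do not rely on it alone.
    public static boolean isRooted(Context ctx) {
        return hasTestKeys() || hasSuBinary() || hasWritableSystemPath() || hasRootPackage(ctx);
    }
}
```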
Android Reverse Engineering
Before you start bypassing root detection methods, you should know a bit about Android reverse engineering techniques. An application written in Java or Kotlin is compiled into a DEX file. If you want to change the code of an application, you have to change this DEX file. The DEX file runs on the Dalvik virtual machine (something like the JVM), and there is a human-readable form of DEX bytecode called SMALI. SMALI is not binary; it is an assembler-style listing of the compiled Java or Kotlin code. You can decompile an APK to these SMALI files, make your change, and then recompile it into an APK.
Decompile APK File
We are going to change SMALI in the bypassing methods. To de-compile the APK file we need to follow the steps below:
- Install JDK
We are going to use a tool that needs the JDK to be installed. Use this link to find the JDK for your OS and install it. Verify that Java is installed by running the java -version command in your CMD or Terminal.
- Install APKtool
APKtool is the tool for which we installed the JDK. Use this link to install APKtool. Verify that APKtool is installed by running the apktool -version command in your CMD or Terminal.
- De-compile APK
Use the apktool d [apkfile].apk command to de-compile your APK file. When it finishes, you should see a folder named [apkfile]. The structure of the decompiled folder depends on the technologies used to develop the application, but you should see a directory named smali. In this directory you will find all the SMALI files that belong to the application's source code.
- Make Changes on SMALI Files
Follow the Bypass Android Root Detection Methods section to make the changes on the SMALI files.
- Re-compile APK
Use the apktool b [apkfile] -o [newapkfile].apk command to re-compile the APK.
- Sign Re-compiled APK
You have to sign your APK to run it on Android OS. Use the following commands to sign your newly built APK.
user $ keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
user $ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore [newapkfile].apk alias_name
Bypass Android Root Detection Methods
Manipulate Strings
If you look at the Android Root Detection Methods, you will see that all the detection methods work with a specific string. You should find these strings and change them. I use Microsoft Visual Studio Code to search and replace these strings in the smali folder. Change each string to anything you want; for example, /bin/su can become /bin/ku or /kin/su. After you have checked all the strings, you need to re-compile the APK and sign it.
Change Function Returned Result
In most Android applications that check for root access, there is a function that detects root on the device. These functions normally return True or False. You need to change the return statement so that it always returns False. Look at the following function, which checks for Test-Keys and returns True when root access is detected.
There is a constant named v0 that is created to carry the function result on lines 18 and 23. 0x0 means False and 0x1 means True; change 0x1 to 0x0 so the function always returns False. Then re-compile and sign your APK.
Done. You have learned two ways to bypass root detection at the source-code level of an application.