Skip to main content

Root detection control bypass

Description

It is possible to reverse engineer the application and disable detection of rooted devices.

Impact

Avoid the applications detection of rooted devices.

Recommendation

Implement an integrity check on the application so that it cannot be used if it has been modified.

Threat

Attacker with access to APK.

Expected Remediation Time

⌚ 450 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the src.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code madurity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 3.7
    • Temporal: 3.7
  • Severity:
    • Base: Low
    • Temporal: Low

Score 4.0

Default score using CVSS 4.0 . It may change depending on the context of the src.

Base 4.0

  • Attack vector: N
  • Attack complexity: H
  • Attack Requirements: N
  • Privileges required: N
  • User interaction: N
  • Confidentiality (VC): N
  • Integrity (VI): L
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit madurity: X

Result 4.0

  • Vector string: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X
  • Score:
    • CVSS-BT: 6.3
  • Severity:
    • CVSS-BT: Medium

Compliant code

A function implemented to check if the source code has been altered before running the app. A possible option is to include a MD5 hash within the code, generated at each build, and adding a check to the code to ensure that this hash is the same as the one stored before running the app

public static boolean checkApkSha(){
String apkPath = appExample.getInstance().getPackageCodePath();
MessageDigest msgDigest = null;
try {
msgDigest = MessageDigest.getInstance("SHA-1");
byte[] bytes = new byte[1024];
int byteCount;
FileInputStream fis = new FileInputStream(new File(apkPath));
while ((byteCount = fis.read(bytes)) > 0){
msgDigest.update(bytes, 0, byteCount);
}
BigInteger bi = new BigInteger(1, msgDigest.digest());
String sha = bi.toString(16);
fis.close();
if(BaseApplication.getInstance().getString(R.string.apk_sha).equals(sha)){
return true;
}
} catch (Exception e) {
e.printStackTrace();
}
return false;
}

Non compliant code

Source code could be executed after vulnerable adjustments because of an incorrectly implemented integrity check

public static boolean checkDexCrcValue() {
String apkPath = BaseApplication.getInstance().getPackageCodePath();
Long dexCrc = Long.parseLong(QianJinSuoApplication.getInstance().getString(R.string.classesdex_crc));
try {
ZipFile zipfile = new ZipFile(apkPath);
ZipEntry dexentry = zipfile.getEntry("classes.dex");
# The CRC32 check could be bypassed anyway because of debugging code included in the function
Log.i("checkDexCrcValue", "classes.dexcrc=" + dexentry.getCrc());
if (dexentry.getCrc() == dexCrc) {
return true;
}
} catch (IOException e) {
e.printStackTrace();
}
return false;
}

Requirements

Fixes

free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.