Android’s RootBeer Library Bypass | Done By Ishara Abeythissa
This post is a follow-up on how to bypass the RootBeer library on Android. First, a brief idea of what RootBeer actually is: RootBeer is an open-source root-checking library specific to the Android platform.
Tools,
Frida Framework
JavaScript
ADB
JADX-GUI
As you can see above, the application gathers and runs the listed test cases on the device as soon as it starts. Let's go through each test case.
TEST KEYS — The Android build tree includes test-keys under build/target/product/security, and the APK signing process for such builds is handled using these test-keys. Since the test-keys are publicly known, anybody can sign their own .apk files with the same keys, which may allow them to replace or hijack system apps built into your OS image.
BUSYBOX BINARIES — RootBeer always checks for BusyBox binaries on the device once the application starts. The process is the same for the SU Binary and SU Exists checks.
Reversing the Application,
Now let’s reverse the RootBeer APK using JADX-GUI tool.
You can see the functions that are used to check the device's root status in the RootBeer application. Let's look closer.
If you look closer at these functions, you can see that all of them have a boolean return type. This means that if we can intercept the process and modify the return values of these functions, we can change the output of the application. For that, I'm using Frida.
Java.perform(function () {
    // Resolve the two classes whose methods carry the root-check logic.
    var RootBeer = Java.use("com.scottyab.rootbeer.RootBeer");
    var Utils = Java.use("com.scottyab.rootbeer.util.Utils");

    // Each check below normally returns true when its indicator is present;
    // replacing the implementation makes every check report "not found".
    RootBeer.detectRootManagementApps.overload().implementation = function () {
        return false;
    };
    RootBeer.detectPotentiallyDangerousApps.overload().implementation = function () {
        return false;
    };
    RootBeer.detectTestKeys.overload().implementation = function () {
        return false;
    };
    RootBeer.checkForBusyBoxBinary.overload().implementation = function () {
        return false;
    };
    RootBeer.checkForSuBinary.overload().implementation = function () {
        return false;
    };
    RootBeer.checkSuExists.overload().implementation = function () {
        return false;
    };
    RootBeer.checkForRWPaths.overload().implementation = function () {
        return false;
    };
    RootBeer.checkForDangerousProps.overload().implementation = function () {
        return false;
    };
    RootBeer.checkForRootNative.overload().implementation = function () {
        return false;
    };
    RootBeer.detectRootCloakingApps.overload().implementation = function () {
        return false;
    };
    // SELinux check lives in the Utils helper class, not in RootBeer itself.
    Utils.isSelinuxFlagInEnabled.overload().implementation = function () {
        return false;
    };
    RootBeer.checkForMagiskBinary.overload().implementation = function () {
        return false;
    };
    // Final verdict that aggregates the checks above.
    RootBeer.isRooted.overload().implementation = function () {
        return false;
    };
});
We can use this script to bypass RootBeer. If you go through the code, you can see that it replaces the return values of the application's root-checking functions so that every check reports false. Let's run this script.
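The reason the script above works is that each check is a single boolean that the app trusts as-is. As an added example of the mitigating side (this is not code from RootBeer or from this post), the Android class below collects every individual RootBeer check as a separate signal and adds two instrumentation indicators that a Frida session leaves behind in the process. It assumes the RootBeer library (com.scottyab.rootbeer) is on the classpath; the class name RootSignals and its method names are hypothetical, and the "frida" substring match relies on the default agent library name, which can be changed.

```java
import android.content.Context;
import com.scottyab.rootbeer.RootBeer;

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration of the mitigation side; not RootBeer's or the post's own code.
// Assumes the RootBeer library is available. Class and method names are hypothetical.
public final class RootSignals {

    private RootSignals() {}

    // Gather every individual RootBeer check, plus two instrumentation indicators,
    // instead of trusting the single boolean returned by isRooted().
    public static Map<String, Boolean> collect(Context context) {
        RootBeer rootBeer = new RootBeer(context);
        Map<String, Boolean> signals = new LinkedHashMap<>();
        signals.put("testKeys", rootBeer.detectTestKeys());
        signals.put("suBinary", rootBeer.checkForSuBinary());
        signals.put("busyBoxBinary", rootBeer.checkForBusyBoxBinary());
        signals.put("magiskBinary", rootBeer.checkForMagiskBinary());
        signals.put("dangerousProps", rootBeer.checkForDangerousProps());
        signals.put("rwSystemPaths", rootBeer.checkForRWPaths());
        signals.put("rootNative", rootBeer.checkForRootNative());
        signals.put("rootCloakingApps", rootBeer.detectRootCloakingApps());
        // Not RootBeer checks: is something instrumenting this process right now?
        signals.put("instrumentationAgentMapped", isInstrumentationAgentMapped());
        signals.put("tracerAttached", isTracerAttached());
        return signals;
    }

    // True if any signal fired. Hooking only isRooted() leaves the per-check values
    // intact; a script that forces all of them to false still leaves its agent
    // visible to the mapping check unless that is hooked as well.
    public static boolean anySignal(Map<String, Boolean> signals) {
        for (Boolean fired : signals.values()) {
            if (Boolean.TRUE.equals(fired)) return true;
        }
        return false;
    }

    // Frida's Java hooking (Java.use / .implementation =) runs from an agent library
    // loaded into the target process, so that library appears in /proc/self/maps.
    // The default agent name contains "frida"; a renamed agent evades this check.
    static boolean isInstrumentationAgentMapped() {
        try (BufferedReader reader = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = reader.readLine()) != null) {
                if (line.contains("frida")) return true;
            }
        } catch (IOException ignored) {
            // Unreadable maps file: report "not seen" rather than crash the app.
        }
        return false;
    }

    // TracerPid in /proc/self/status is non-zero while a ptrace-based tracer is
    // attached. Limit: frida-server detaches after injecting its agent, so this
    // catches an attached debugger, not necessarily a live Frida session.
    static boolean isTracerAttached() {
        try (BufferedReader reader = new BufferedReader(new FileReader("/proc/self/status"))) {
            String line;
            while ((line = reader.readLine()) != null) {
                if (line.startsWith("TracerPid:")) {
                    String pid = line.substring("TracerPid:".length()).trim();
                    return Integer.parseInt(pid) != 0;
                }
            }
        } catch (IOException | NumberFormatException ignored) {
            // Missing or malformed status line: report "not attached".
        }
        return false;
    }
}
```

The design point is that every signal here still lives in the same process as the hooking script, so a thorough script can hook collect() or anySignal() just as easily as isRooted(). Per-check signals and instrumentation indicators raise the effort and make the tampering observable, but a verdict the app cannot afford to get wrong should be anchored outside the device, for example by reporting these signals to a backend alongside a Play Integrity verdict rather than branching on a local boolean.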
Happy Hacking :)