Slide 1

Slide 1 text

Root Beer Shibuya.apk #21 @magie_pooh

Slide 4

Slide 4 text

Root Beer • A tasty root checker library and sample app. • Java Check • Native Check

Slide 5

Slide 5 text

Java Check • CheckRootManagementApps • CheckPotentiallyDangerousApps • CheckRootCloakingApps • CheckTestKeys • checkForDangerousProps • checkForBusyBoxBinary • checkForSuBinary • checkSuExists • checkForRWSystem

Slide 6

Slide 6 text

detectRootManagementApps • Using the PackageManager, check for a list of well known root apps • "com.noshufou.android.su" • "com.noshufou.android.su.elite" • "eu.chainfire.supersu" • "com.koushikdutta.superuser" • "com.thirdparty.superuser" • "com.yellowes.su"

Slide 7

Slide 7 text

detectPotentiallyDangerousApps • Using the PackageManager, check for a list of well known apps that require root • "com.koushikdutta.rommanager" • "com.koushikdutta.rommanager.license" • "com.dimonvideo.luckypatcher" • "com.chelpus.lackypatch" • "com.ramdroid.appquarantine" • "com.ramdroid.appquarantinepro"

Slide 8

Slide 8 text

detectRootCloakingApps • Using the PackageManager, check for a list of well known root-cloaking apps (not used in the isRooted function) • "com.devadvance.rootcloak" • "com.devadvance.rootcloakplus" • "de.robv.android.xposed.installer" • "com.saurik.substrate" • "com.zachspong.temprootremovejb" • "com.amphoras.hidemyroot" • "com.amphoras.hidemyrootadfree" • "com.formyhm.hiderootPremium" • "com.formyhm.hideroot"
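
The three PackageManager-based checks on slides 6 to 8 share one loop. The following is an added illustration in the style of those checks, not RootBeer's own code; the class name, the log tag and the shortened package lists are this example's assumptions (the full lists are the ones on the slides).

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.util.Log;

import java.util.Arrays;
import java.util.List;

/**
 * Package-name based root indicators in the style of RootBeer's
 * detectRootManagementApps / detectPotentiallyDangerousApps /
 * detectRootCloakingApps. Illustrative code, not the library's own.
 */
public final class PackageChecks {
    private static final String TAG = "PackageChecks"; // assumed log tag

    // Subset of the package lists shown on the slides (assumed for brevity).
    static final List<String> ROOT_MANAGEMENT_APPS = Arrays.asList(
            "eu.chainfire.supersu",
            "com.koushikdutta.superuser",
            "com.noshufou.android.su");

    static final List<String> ROOT_CLOAKING_APPS = Arrays.asList(
            "com.devadvance.rootcloak",
            "de.robv.android.xposed.installer",
            "com.saurik.substrate");

    private final PackageManager pm;

    public PackageChecks(Context context) {
        this.pm = context.getPackageManager();
    }

    /** True if any package in the list is installed and visible to this app. */
    public boolean isAnyPackageInstalled(List<String> packages) {
        boolean found = false;
        for (String name : packages) {
            try {
                // Throws NameNotFoundException when the package is absent
                // or (API 30+) simply not visible to this app.
                pm.getPackageInfo(name, 0);
                Log.w(TAG, name + " detected");
                found = true;            // keep looping so every hit is logged
            } catch (PackageManager.NameNotFoundException ignored) {
                // not installed (or hidden from us)
            }
        }
        return found;
    }

    public boolean detectRootManagementApps() {
        return isAnyPackageInstalled(ROOT_MANAGEMENT_APPS);
    }

    public boolean detectRootCloakingApps() {
        return isAnyPackageInstalled(ROOT_CLOAKING_APPS);
    }
}
```

On Android 11 (API 30) and later, getPackageInfo() only succeeds for packages the calling app is allowed to see, so every name on these lists has to be declared in a <queries> element of the manifest (or the app needs QUERY_ALL_PACKAGES); otherwise each lookup throws NameNotFoundException and the check silently reports "not rooted". The cloaking apps on slide 8 defeat this check by hooking exactly this API and throwing NameNotFoundException for the package names on their hide list.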

Slide 9

Slide 9 text

checkForBinary("su") • Looks for a file named su in a fixed list of directories • On the stock emulator it fires: RootBeer: checkForBinary() [179] - /system/xbin/su binary detected!

Slide 10

Slide 10 text

checkForBinary("busybox") • busybox • BusyBox combines tiny versions of many common UNIX utilities into a single small executable • https://busybox.net/about.html • It is apparently often installed after rooting • Some devices apparently ship with it already present, so this check alone can be a false positive • RootBeer#isRootedWithoutBusyBoxCheck

Slide 11

Slide 11 text

checkForDangerousProps() • Checks for several system properties • Runtime.getRuntime().exec("getprop").getInputStream() • If the following values show up in the getprop output, the device is judged rooted (RootBeer flags on either one) • ro.debuggable: 1 • ro.secure: 0
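
An added example of what checkForDangerousProps() has to do, not the library's own code: run getprop, parse each "[key]: [value]" line, and compare the value exactly. The class name, the readProps() helper and the sample lines are this example's assumptions; the sample getprop output is constructed, not captured from a device.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Illustrative getprop-based check; not RootBeer's own code. */
public final class DangerousProps {

    // property -> value that indicates a debug/insecure build
    private static final Map<String, String> DANGEROUS = new HashMap<>();
    static {
        DANGEROUS.put("ro.debuggable", "1");
        DANGEROUS.put("ro.secure", "0");
    }

    // getprop prints one "[key]: [value]" line per property
    private static final Pattern LINE = Pattern.compile("^\\[([^\\]]+)\\]: \\[(.*)\\]$");

    /** Runs `getprop` on the device and returns its output lines (assumed helper). */
    public static List<String> readProps() throws IOException {
        Process p = Runtime.getRuntime().exec("getprop");
        List<String> lines = new ArrayList<>();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = r.readLine()) != null) {
                lines.add(line);
            }
        }
        return lines;
    }

    /**
     * Returns the dangerous properties found as "key=value" strings.
     * Key and value are parsed separately and compared exactly; substring
     * matching on the raw line would also hit keys such as "ro.debuggable.x".
     */
    public static List<String> findDangerousProps(List<String> lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line.trim());
            if (!m.matches()) continue;
            String key = m.group(1), value = m.group(2);
            String bad = DANGEROUS.get(key);
            if (bad != null && bad.equals(value)) {
                hits.add(key + "=" + value);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: the kind of output a debug emulator image prints.
        List<String> sample = Arrays.asList(
                "[ro.build.tags]: [test-keys]",
                "[ro.debuggable]: [1]",
                "[ro.secure]: [0]",
                "[ro.product.model]: [sdk_phone_x86]");
        System.out.println("sample: " + findDangerousProps(sample));
        // On a real device run the live check instead:
        // System.out.println("device: " + findDangerousProps(readProps()));
    }
}
```

Both properties are fixed at build time: a production (user) build has ro.debuggable=0 and ro.secure=1, while userdebug and eng images (including emulator images) set ro.debuggable=1. The check therefore also fires on development images that nobody has rooted, which matters when the app is tested on an emulator.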

Slide 12

Slide 12 text

checkForRWPaths() • When you're root you can change the permissions on common system directories; this method checks whether any of the paths in Const.pathsThatShouldNotBeWrtiable are writable. • "/system" • "/system/bin" • "/system/sbin" • "/system/xbin" • "/vendor/bin" • "/sbin" • "/etc"
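
The slide states the goal; one concrete way to test it is to parse the output of `mount` and look for an rw option on the protected mount points. This is an added example, not RootBeer's code: the class name, the regular expressions and the handling of the two output formats (the older toolbox "dev mountpoint fstype options 0 0" format and the "dev on mountpoint type fstype (options)" format of newer Android) are this example's design, and the sample lines are constructed, not captured from a device.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Illustrative check of mount options for system paths; not RootBeer's code. */
public final class RwPaths {

    static final List<String> PATHS_THAT_SHOULD_NOT_BE_WRITABLE = Arrays.asList(
            "/system", "/system/bin", "/system/sbin", "/system/xbin",
            "/vendor/bin", "/sbin", "/etc");

    // Toolbox format (older Android): "<dev> <mountpoint> <fstype> <options> 0 0"
    private static final Pattern TOOLBOX =
            Pattern.compile("^(\\S+) (\\S+) (\\S+) (\\S+)( \\d+ \\d+)?$");
    // Toybox format (newer Android): "<dev> on <mountpoint> type <fstype> (<options>)"
    private static final Pattern TOYBOX =
            Pattern.compile("^(\\S+) on (\\S+) type (\\S+) \\((\\S+)\\)$");

    /** Returns the protected mount points that are currently mounted rw. */
    public static List<String> findRwSystemMounts(List<String> mountLines) {
        List<String> hits = new ArrayList<>();
        for (String line : mountLines) {
            String mountPoint;
            String options;
            Matcher m = TOYBOX.matcher(line.trim());
            if (m.matches()) {
                mountPoint = m.group(2);
                options = m.group(4);
            } else {
                m = TOOLBOX.matcher(line.trim());
                if (!m.matches()) continue;   // not a mount line we understand
                mountPoint = m.group(2);
                options = m.group(4);
            }
            if (!PATHS_THAT_SHOULD_NOT_BE_WRITABLE.contains(mountPoint)) continue;
            // options are comma separated; require "rw" as a whole token
            for (String opt : options.split(",")) {
                if (opt.equals("rw")) {
                    hits.add(mountPoint);
                    break;
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines in both formats (not from a real device).
        List<String> sample = Arrays.asList(
                "/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,seclabel,relatime,data=ordered 0 0",
                "/dev/block/dm-0 on /system type ext4 (rw,seclabel,relatime)",
                "tmpfs on /dev type tmpfs (rw,seclabel,nosuid,relatime)",
                "/dev/block/platform/soc/by-name/vendor on /vendor type ext4 (ro,seclabel,relatime)");
        System.out.println("rw system mounts: " + findRwSystemMounts(sample));
    }
}
```

Handling both formats matters because the same parser must run on every Android version the app supports; a parser written for one format silently returns "not rooted" on the other. The converse caveat is that a systemless root such as Magisk leaves /system mounted read-only, so an rw mount is evidence of root but its absence is not evidence of a clean device.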

Slide 13

Slide 13 text

detectTestKeys() • Release-Keys and Test-Keys have to do with how the system build is signed. test-keys means the image was signed with the publicly known AOSP test keys rather than a vendor's private release keys, which is typical of custom ROMs and self-built AOSP images. • ro.build.tags in /system/build.prop (exposed to apps as Build.TAGS)

Slide 14

Slide 14 text

checkSuExists() • Runs `which su` and treats any output line as a hit
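
checkForBinary() on slides 9 and 10 and checkSuExists() above both try to locate an su binary, one by stat-ing a fixed list of directories and one by asking the shell's which. The following is an added example, not the library's code; the directory list and the class name are assumptions for illustration.

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Illustrative su-binary checks; not RootBeer's own code. */
public final class SuBinaryChecks {

    // Directories where su (and busybox) are commonly dropped by root tools.
    // Assumed list for illustration; RootBeer keeps its own list.
    static final List<String> SU_PATHS = Arrays.asList(
            "/system/bin/", "/system/xbin/", "/sbin/", "/system/sd/xbin/",
            "/system/bin/failsafe/", "/data/local/xbin/", "/data/local/bin/",
            "/data/local/", "/su/bin/");

    /** Returns every location where the named binary exists (checkForBinary style). */
    public static List<String> findBinary(String name, List<String> dirs) {
        List<String> found = new ArrayList<>();
        for (String dir : dirs) {
            File f = new File(dir, name);
            if (f.exists()) {
                found.add(f.getPath());
            }
        }
        return found;
    }

    /** checkSuExists style: ask the shell's `which`; null when nothing is found. */
    public static String whichSu() {
        try {
            Process p = Runtime.getRuntime().exec(new String[]{"which", "su"});
            try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
                String line = r.readLine();
                return (line == null || line.trim().isEmpty()) ? null : line.trim();
            } finally {
                p.destroy();
            }
        } catch (IOException e) {
            return null;   // `which` itself is missing on very old (toolbox) images
        }
    }

    public static void main(String[] args) {
        System.out.println("su via path list: " + findBinary("su", SU_PATHS));
        System.out.println("busybox via path list: " + findBinary("busybox", SU_PATHS));
        System.out.println("which su: " + whichSu());
    }
}
```

Both checks run with the app's own UID, so anything a root hider keeps out of the app's mount namespace (Magisk's DenyList, formerly MagiskHide) is invisible to them; a clean result from either proves nothing on its own, which is why RootBeer ORs all of its checks together.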

Slide 15

Slide 15 text

checkForRootNative() • Native checks are often harder to cloak/trick, so here we call through to our native root checker • JNI? Yes: a JNI call into a bundled native library that looks for the su paths from C, so Java-level hooks (Xposed/RootCloak) do not see the file-system access

Slide 16

Slide 16 text

Disclaimer Remember root==god, so there's no 100% way to check for root.

Slide 18

Slide 18 text

Thanks!