How to Bypass RootBeer’s Root Detection
During Android penetration testing, one recurring challenge is bypassing root detection: the application refuses to run on a rooted device, yet root is exactly what you need in order to access the target application's data folder on the device.
The library we most often find implemented is RootBeer, so here is a tutorial for bypassing the RootBeer checks by reverse engineering and patching the application.
What do you need?
- A rooted emulator – if you do not have one, check our tutorial here to create one
- An apk signer (e.g. uber-apk-signer)
- ADB (Android Debug Bridge)
How to start?
First, we have to decompile the application apk. We can use apktool with the following command:
apktool d application.apk
Decompiling the apk gives us the smali code. Search for "RootBeer" and you will find the RootBeer.smali file. Looking closer, we can see two boolean methods that check for root, as shown in the picture below.
The first is isRooted(), which returns the value of v0: 0x0 (false) if none of its root indicators was found, or 0x1 (true) if the device is rooted.
The second is isRootedWithBusyBoxCheck(), which does the same thing but additionally treats a BusyBox binary as a root indicator.
What do we have to do?
In both methods, change the constant loaded into v0 so that the method always returns 0x0 (false), as in the picture below: the const/4 v0, 0x1 that produces the "rooted" result becomes const/4 v0, 0x0.
With 0x1 changed to 0x0 the root detection methods always return false, so even when the device or emulator is rooted, the application believes it is not.
Now save the changes. It is time to build the source code back into an apk.
We use apktool again, this time with the following command:
apktool b apk_folder -o new.apk
The next step is to sign the new apk, because Android refuses to install an unsigned one. You can use, for example, uber-apk-signer, which zipaligns the apk and signs it with its built-in debug key:
java -jar uber-apk-signer.jar --apks new.apk
The new application is ready to be installed. Uninstall the original version first (adb uninstall <package>): the patched apk carries a different signature, so an in-place update would be rejected. Then install the signed apk with adb install.
This is the reverse engineering method to bypass RootBeer root detection functions. Easy right?
Well, you have to know that root detection is often not confined to these two methods in RootBeer.smali: the application may wrap them in its own helper classes or add further checks in other smali files. So pay attention and search all classes for keywords such as "supersu", "rooted", "busybox" etc., and locate every such method in the source code. They are usually boolean methods, so changing their behaviour is easy, but it is important to find them all; a single missed check is enough for the application to still detect root.
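The following script is an added example (not part of the original article, and not RootBeer's own code) that automates the patching step above and the search for further boolean root checks across all smali files. It runs between "apktool d" and "apktool b": every method whose return type is Z and whose name contains one of the keywords gets its body replaced by "const/4 v0, 0x0 / return v0". The sample smali text embedded below is a constructed, hand-written imitation of apktool output (only the method names isRooted and isRootedWithBusyBoxCheck mirror RootBeer); the keyword list and the helper names are this example's own assumptions.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample input: an imitation of apktool's smali output for a
# RootBeer-style class plus an app-side helper class. Not real library code.
SAMPLE_FILES: Dict[str, str] = {
    "smali/com/scottyab/rootbeer/RootBeer.smali": """\
.class public Lcom/scottyab/rootbeer/RootBeer;
.super Ljava/lang/Object;

.method public isRooted()Z
    .locals 1
    invoke-virtual {p0}, Lcom/scottyab/rootbeer/RootBeer;->detectRootManagementApps()Z
    move-result v0
    if-eqz v0, :cond_0
    const/4 v0, 0x1
    :goto_0
    return v0
    :cond_0
    const/4 v0, 0x0
    goto :goto_0
.end method

.method public isRootedWithBusyBoxCheck()Z
    .locals 1
    invoke-virtual {p0}, Lcom/scottyab/rootbeer/RootBeer;->checkForBusyBoxBinary()Z
    move-result v0
    return v0
.end method
""",
    "smali/com/example/app/SecurityUtils.smali": """\
.class public Lcom/example/app/SecurityUtils;
.super Ljava/lang/Object;

.method public static isSuperSuInstalled()Z
    .locals 1
    const/4 v0, 0x1
    return v0
.end method

.method public static isNetworkAvailable()Z
    .locals 1
    const/4 v0, 0x1
    return v0
.end method
""",
}

# Matches a smali method header: ".method <modifiers> name(params)ReturnType"
METHOD_RE = re.compile(
    r"^\.method\s+(?P<mods>(?:[a-z-]+\s+)*)(?P<name>\S+?)\((?P<params>[^)]*)\)(?P<ret>\S+)[ \t]*$",
    re.MULTILINE,
)
# Replacement body: load false into v0 and return it (valid for static and instance methods).
FALSE_BODY = "\n    .locals 1\n    const/4 v0, 0x0\n    return v0\n"
# Assumed keyword list (article suggests "supersu", "rooted"; "busybox" added).
ROOT_KEYWORDS = ("root", "supersu", "busybox")


def find_boolean_methods(smali: str) -> List[str]:
    """Names of all methods in one smali file whose return type is Z (boolean)."""
    return [m.group("name") for m in METHOD_RE.finditer(smali) if m.group("ret") == "Z"]


def force_false(smali: str, method_name: str) -> Tuple[str, int]:
    """Rewrite every boolean overload of method_name to return 0x0; returns (text, count)."""
    pattern = re.compile(
        r"(?P<head>^\.method\s+(?P<mods>(?:[a-z-]+\s+)*)" + re.escape(method_name)
        + r"\([^)]*\)Z[ \t]*$)(?P<body>.*?)(?P<tail>^\.end method[ \t]*$)",
        re.MULTILINE | re.DOTALL,
    )
    count = 0

    def rewrite(m: "re.Match[str]") -> str:
        nonlocal count
        mods = m.group("mods").split()
        if "abstract" in mods or "native" in mods:  # no body to patch; leave intact
            return m.group(0)
        count += 1
        return m.group("head") + FALSE_BODY + m.group("tail")

    return pattern.sub(rewrite, smali), count


def find_root_check_candidates(files: Dict[str, str], keywords=ROOT_KEYWORDS) -> List[Tuple[str, str]]:
    """(path, method) pairs for boolean methods whose name contains a root-related keyword."""
    hits: List[Tuple[str, str]] = []
    for path, smali in files.items():
        for name in find_boolean_methods(smali):
            if any(k in name.lower() for k in keywords) and (path, name) not in hits:
                hits.append((path, name))
    return hits


def patch_files(files: Dict[str, str], keywords=ROOT_KEYWORDS) -> Tuple[Dict[str, str], int]:
    """Patch all candidate methods; returns (patched copy of files, number of methods patched)."""
    patched, total = dict(files), 0
    for path, name in find_root_check_candidates(files, keywords):
        patched[path], n = force_false(patched[path], name)
        total += n
    return patched, total


def patch_tree(root: Path, keywords=ROOT_KEYWORDS) -> int:
    """Patch every .smali file under an apktool output directory in place."""
    files = {str(p): p.read_text(encoding="utf-8") for p in root.rglob("*.smali")}
    patched, n = patch_files(files, keywords)
    for path, text in patched.items():
        if text != files[path]:
            Path(path).write_text(text, encoding="utf-8")
    return n
```

Run patch_tree(Path("application")) on the apktool output folder, then rebuild and sign as described above. Review the candidate list before patching a real app: a name-based search can hit unrelated methods (and miss checks with neutral names or checks done in native code), so it narrows the manual review rather than replacing it.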
Hope this article will help you! Happy hacking!