diff --git a/README.md b/README.md index 7cfc239..0303781 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,7 @@ The scripts can automatically handle: * Injecting a given CA certificate into the system trust stores so they're trusted in connections by default. * Patching many (all?) known certificate pinning and certificate transparency tools, to allow interception by your CA certificate even when this is actively blocked. * On Android, as a fallback: auto-detection of remaining pinning failures, to attempt auto-patching of obfuscated certificate pinning (in fully obfuscated apps, the first request may fail, but this will trigger additional patching so that all subsequent requests work correctly). +* Disabling many common root & jailbreak detections. ## Android Getting Started Guide @@ -38,6 +39,7 @@ The scripts can automatically handle: -l ./android/android-system-certificate-injection.js \ -l ./android/android-certificate-unpinning.js \ -l ./android/android-certificate-unpinning-fallback.js \ + -l ./android/disable-root-detection.js \ -f $PACKAGE_ID ``` 7. Explore, examine & modify all the traffic you're interested in! If you have any problems, please [open an issue](https://github.com/httptoolkit/frida-interception-and-unpinning/issues/new) and help make these scripts even better. @@ -61,6 +63,7 @@ The scripts can automatically handle: frida -U \ -l ./config.js \ -l ./ios/ios-connect-hook.js \ + -l ./ios/ios-disable-detection.js \ -l ./native-tls-hook.js \ -l ./native-connect-hook.js \ -f $APP_ID @@ -127,6 +130,14 @@ Each script includes detailed documentation on what it does and how it works in Detects unhandled certificate validation failures, and attempts to handle unknown unrecognized cases with auto-generated fallback patches. This is more experimental and could be slightly unpredictable, but is very helpful for obfuscated cases, and in general will either fix pinning issues (after one initial failure) or will at least highlight code for further reverse engineering in the Frida log output. This script shares some logic with `android-certificate-unpinning.js`, and cannot be used standalone - if you want to use this script, you'll need to include the non-fallback unpinning script too. + * `android-disable-root-detection.js` + + Disables common root detection checks across native and Java layers to prevent detection of rooted Android devices. + + This script intercepts file system access, shell commands, and package lookups for known root indicators (like `su`, Magisk, and related apps), and fakes key system properties (`ro.secure`, `ro.debuggable`, etc.) to simulate a production environment. + + It blocks suspicious behavior like file existence checks and shell command execution, helping evade detection in apps using both standard and advanced root checks. + * `ios/` * `ios-connect-hook.js` @@ -135,13 +146,16 @@ Each script includes detailed documentation on what it does and how it works in This is a low-level hook that applies to _all_ network connections. This ensures that all connections are forcibly redirected to the target proxy server, even those which ignore proxy settings or make other raw socket connections. + * `ios-disable-detection.js` + + Disables JailMonkey jailbreak detection. + * `utilities/test-ip-connectivity.js` You probably don't want to use this normally as part of interception itself, but it can be very useful as part of your configuration setup. This script allows you to configure a list of possible IP addresses and a target port, and have the process test each address, and send a message to the Frida client for the first reachable address provided. This can be useful for automated configuration processes, if you don't know which IP address is best to use to reach the proxy server (your computer) from the target device (your phone). ---- These scripts are part of [a broader HTTP Toolkit project](https://httptoolkit.com/blog/frida-mobile-interception-funding/), funded through the [NGI Zero Entrust Fund](https://nlnet.nl/entrust), established by [NLnet](https://nlnet.nl) with financial support from the European Commission's [Next Generation Internet](https://ngi.eu) program. Learn more on the [NLnet project page](https://nlnet.nl/project/F3-AppInterception#ack). diff --git a/android/android-disable-root-detection.js b/android/android-disable-root-detection.js new file mode 100644 index 0000000..017931e --- /dev/null +++ b/android/android-disable-root-detection.js @@ -0,0 +1,394 @@ +/************************************************************************************************** + * + * This script defines a large set of root detection bypasses for Android. Hooks included here + * block detection of many known root indicators, including file paths, package names, commands, + * notably binaries, and system properties. + * + * Enable DEBUG_MODE to see debug output for each bypassed check. + * + * Source available at https://github.com/httptoolkit/frida-interception-and-unpinning/ + * SPDX-License-Identifier: AGPL-3.0-or-later + * SPDX-FileCopyrightText: Tim Perry + * SPDX-FileCopyrightText: Riyad Mondal + * + *************************************************************************************************/ + +(() => { + let loggedRootDetectionWarning = false; + function logFirstRootDetection() { + if (!loggedRootDetectionWarning) { + console.log(" => Blocked possible root detection checks. Enable DEBUG_MODE for more details."); + loggedRootDetectionWarning = true; + } + } + + const BUILD_FINGERPRINT_REGEX = /^([\w.-]+\/[\w.-]+\/[\w.-]+):([\w.]+\/[\w.-]+\/[\w.-]+):(\w+\/[\w,.-]+)$/; + + const CONFIG = { + secureProps: { + "ro.secure": "1", + "ro.debuggable": "0", + "ro.build.type": "user", + "ro.build.tags": "release-keys" + } + }; + + const ROOT_INDICATORS = { + paths: new Set([ + "/data/local/bin/su", + "/data/local/su", + "/data/local/xbin/su", + "/dev/com.koushikdutta.superuser.daemon/", + "/sbin/su", + "/su/bin/su", + "/system/bin/su", + "/system/xbin/su", + "/system/sbin/su", + "/vendor/bin/su", + "/data/adb/su/bin/su", + "/system/bin/failsafe/su", + "/system/bin/.ext/.su", + "/system/bin/.ext/su", + "/system/bin/failsafe/su", + "/system/sd/xbin/su", + "/system/usr/we-need-root/su", + "/cache/su", + "/data/su", + "/dev/su", + "/data/adb/magisk", + "/sbin/.magisk", + "/cache/.disable_magisk", + "/dev/.magisk.unblock", + "/cache/magisk.log", + "/data/adb/magisk.img", + "/data/adb/magisk.db", + "/data/adb/magisk_simple", + "/init.magisk.rc", + "/system/app/Superuser.apk", + "/system/etc/init.d/99SuperSUDaemon", + "/system/xbin/daemonsu", + "/system/xbin/ku.sud", + "/data/adb/ksu", + "/data/adb/ksud", + "/system/xbin/busybox", + "/system/app/Kinguser.apk" + ]), + + packages: new Set([ + "com.noshufou.android.su", + "com.noshufou.android.su.elite", + "eu.chainfire.supersu", + "com.koushikdutta.superuser", + "com.thirdparty.superuser", + "com.yellowes.su", + "com.koushikdutta.rommanager", + "com.koushikdutta.rommanager.license", + "com.dimonvideo.luckypatcher", + "com.chelpus.lackypatch", + "com.ramdroid.appquarantine", + "com.ramdroid.appquarantinepro", + "com.topjohnwu.magisk", + "me.weishu.kernelsu" + ]), + + commands: new Set([ + "su", + "which su", + "whereis su", + "locate su", + "find / -name su", + "mount", + "magisk", + "/system/bin/su", + "/system/xbin/su", + "/sbin/su", + "/su/bin/su" + ]), + + binaries: new Set([ + "su", + "busybox", + "magisk", + "supersu", + "ksud", + "daemonsu" + ]) + }; + + function bypassNativeFileCheck() { + const fopen = Module.findExportByName("libc.so", "fopen"); + if (fopen) { + Interceptor.attach(fopen, { + onEnter(args) { + this.path = args[0].readUtf8String(); + }, + onLeave(retval) { + if (retval.toInt32() !== 0) { + const path = this.path.toLowerCase(); + if (ROOT_INDICATORS.paths.has(this.path) || path.includes("magisk") || path.includes("/su") || path.endsWith("/su")) { + if (DEBUG_MODE) { + console.log(`Blocked possible root-detection: fopen ${this.path}`); + } else logFirstRootDetection(); + retval.replace(ptr(0x0)); + } + } + } + }); + } + + const access = Module.findExportByName("libc.so", "access"); + if (access) { + Interceptor.attach(access, { + onEnter(args) { + this.path = args[0].readUtf8String(); + }, + onLeave(retval) { + if (retval.toInt32() === 0) { + const path = this.path.toLowerCase(); + if (ROOT_INDICATORS.paths.has(this.path) || path.includes("magisk") || path.includes("/su") || path.endsWith("/su")) { + if (DEBUG_MODE) { + console.debug(`Blocked possible root detection: access ${this.path}`); + } else logFirstRootDetection(); + retval.replace(ptr(-1)); + } + } + } + }); + } + + const stat = Module.findExportByName("libc.so", "stat"); + if (stat) { + Interceptor.attach(stat, { + onEnter(args) { + this.path = args[0].readUtf8String(); + }, + onLeave(retval) { + const path = this.path.toLowerCase(); + if (ROOT_INDICATORS.paths.has(this.path) || path.includes("magisk") || path.includes("/su") || path.endsWith("/su")) { + if (DEBUG_MODE) { + console.debug(`Blocked possible root detection: stat ${this.path}`); + } else logFirstRootDetection(); + retval.replace(ptr(-1)); + } + } + }); + } + + const lstat = Module.findExportByName("libc.so", "lstat"); + if (lstat) { + Interceptor.attach(lstat, { + onEnter(args) { + this.path = args[0].readUtf8String(); + }, + onLeave(retval) { + const path = this.path.toLowerCase(); + if (ROOT_INDICATORS.paths.has(this.path) || path.includes("magisk") || path.includes("/su") || path.endsWith("/su")) { + if (DEBUG_MODE) { + console.debug(`Blocked possible root detection: lstat ${this.path}`); + } else logFirstRootDetection(); + retval.replace(ptr(-1)); + } + } + }); + } + } + + function bypassJavaFileCheck() { + const UnixFileSystem = Java.use("java.io.UnixFileSystem"); + UnixFileSystem.checkAccess.implementation = function(file, access) { + const filename = file.getAbsolutePath(); + if (ROOT_INDICATORS.paths.has(filename) || filename.includes("magisk") || filename.includes("su")) { + if (DEBUG_MODE) { + console.debug(`Blocked possible root detection: filesystem access check for ${filename}`); + } else logFirstRootDetection(); + return false; + } + return this.checkAccess(file, access); + }; + + const File = Java.use("java.io.File"); + File.exists.implementation = function() { + const filename = this.getAbsolutePath(); + if (ROOT_INDICATORS.paths.has(filename) || filename.includes("magisk") || filename.includes("su")) { + if (DEBUG_MODE) { + console.debug(`Blocked possible root detection: file exists check for ${filename}`); + } else logFirstRootDetection(); + return false; + } + return this.exists(); + }; + + File.length.implementation = function() { + const filename = this.getAbsolutePath(); + if (ROOT_INDICATORS.paths.has(filename) || filename.includes("magisk") || filename.includes("su")) { + if (DEBUG_MODE) { + console.debug(`Blocked possible root detection: file length check for ${filename}`); + } else logFirstRootDetection(); + return 0; + } + return this.length(); + }; + + const FileInputStream = Java.use("java.io.FileInputStream"); + FileInputStream.$init.overload('java.io.File').implementation = function(file) { + const filename = file.getAbsolutePath(); + if (ROOT_INDICATORS.paths.has(filename) || filename.includes("magisk") || filename.includes("su")) { + if (DEBUG_MODE) { + console.debug(`Blocked possible root detection: file stream for ${filename}`); + } else logFirstRootDetection(); + throw new Java.use("java.io.FileNotFoundException").$new(filename); + } + return this.$init(file); + }; + } + + function setProp() { + const Build = Java.use("android.os.Build"); + + // We do a little work to make the minimum changes required to hide in the BUILD fingerprint, + // but otherwise keep matching the real device wherever possible. + const realFingerprint = Build.FINGERPRINT.value; + + const fingerprintMatch = BUILD_FINGERPRINT_REGEX.exec(realFingerprint); + let fixedFingerprint; + if (fingerprintMatch) { + let [, device, versions, tags] = BUILD_FINGERPRINT_REGEX.exec(realFingerprint); + tags = 'user/release-keys'; // Should always be the case in production builds + if (device.includes('generic') || device.includes('sdk') || device.includes('lineage')) { + device = 'google/raven/raven'; + } + + fixedFingerprint = `${device}:${versions}:${tags}`; + } else { + console.warn(`Unexpected BUILD fingerprint format: ${realFingerprint}`); + // This should never happen in theory (the format is standard), but just in case, + // we use this fallback fingerprint: + fixedFingerprint = "google/crosshatch/crosshatch:10/QQ3A.200805.001/6578210:user/release-keys"; + } + + const fields = { + "TAGS": "release-keys", + "TYPE": "user", + "FINGERPRINT": fixedFingerprint + }; + + Object.entries(fields).forEach(([field, value]) => { + const fieldObj = Build.class.getDeclaredField(field); + fieldObj.setAccessible(true); + fieldObj.set(null, value); + }); + + const system_property_get = Module.findExportByName("libc.so", "__system_property_get"); + if (system_property_get) { + Interceptor.attach(system_property_get, { + onEnter(args) { + this.key = args[0].readCString(); + this.ret = args[1]; + }, + onLeave(retval) { + const secureValue = CONFIG.secureProps[this.key]; + if (secureValue !== undefined) { + if (DEBUG_MODE) { + console.debug(`Blocked possible root detection: system_property_get ${this.key}`); + } else logFirstRootDetection(); + const valuePtr = Memory.allocUtf8String(secureValue); + Memory.copy(this.ret, valuePtr, secureValue.length + 1); + } + } + }); + } + + const Runtime = Java.use('java.lang.Runtime'); + Runtime.exec.overload('java.lang.String').implementation = function(cmd) { + if (cmd.startsWith("getprop ")) { + const prop = cmd.split(" ")[1]; + if (CONFIG.secureProps[prop]) { + if (DEBUG_MODE) { + console.debug(`Blocked possible root detection: getprop ${prop}`); + } else logFirstRootDetection(); + return null; + } + } + return this.exec(cmd); + }; + } + + function bypassRootPackageCheck() { + const ApplicationPackageManager = Java.use("android.app.ApplicationPackageManager"); + + ApplicationPackageManager.getPackageInfo.overload('java.lang.String', 'int').implementation = function(str, i) { + if (ROOT_INDICATORS.packages.has(str)) { + if (DEBUG_MODE) { + console.debug(`Blocked possible root detection: package info for ${str}`); + } else logFirstRootDetection(); + str = "invalid.example.nonexistent.package"; + } + return this.getPackageInfo(str, i); + }; + + ApplicationPackageManager.getInstalledPackages.overload('int').implementation = function(flags) { + const packages = this.getInstalledPackages(flags); + const packageList = packages.toArray(); + const filteredPackages = packageList.filter(pkg => !ROOT_INDICATORS.packages.has(pkg.packageName.value)); + return Java.use("java.util.ArrayList").$new(filteredPackages); + }; + } + + function bypassShellCommands() { + const ProcessBuilder = Java.use('java.lang.ProcessBuilder'); + ProcessBuilder.command.overload('java.util.List').implementation = function(commands) { + const cmdArray = commands.toArray(); + if (cmdArray.length > 0) { + const cmd = cmdArray[0].toString(); + if (ROOT_INDICATORS.commands.has(cmd) || (cmdArray.length > 1 && ROOT_INDICATORS.binaries.has(cmdArray[1].toString()))) { + if (DEBUG_MODE) { + console.debug(`Blocked possible root detection: ProcessBuilder with ${cmdArray.join(' ')}`); + } else logFirstRootDetection(); + return this.command(Java.use("java.util.Arrays").asList([""])); + } + } + return this.command(commands); + }; + + const Runtime = Java.use('java.lang.Runtime'); + Runtime.exec.overload('[Ljava.lang.String;').implementation = function(cmdArray) { + if (cmdArray.length > 0) { + const cmd = cmdArray[0]; + if (ROOT_INDICATORS.commands.has(cmd) || (cmdArray.length > 1 && ROOT_INDICATORS.binaries.has(cmdArray[1]))) { + if (DEBUG_MODE) { + console.debug(`Blocked possible root detection: Runtime.exec for ${cmdArray.join(' ')}`); + } else logFirstRootDetection(); + return this.exec([""]); + } + } + return this.exec(cmdArray); + }; + + const ProcessImpl = Java.use("java.lang.ProcessImpl"); + ProcessImpl.start.implementation = function(cmdArray, env, dir, redirects, redirectErrorStream) { + if (cmdArray.length > 0) { + const cmd = cmdArray[0].toString(); + const arg = cmdArray.length > 1 ? cmdArray[1].toString() : ""; + + if (ROOT_INDICATORS.commands.has(cmd) || ROOT_INDICATORS.binaries.has(arg)) { + if (DEBUG_MODE) { + console.debug(`Blocked possible root detection: ProcessImpl.start for ${cmdArray.join(' ')}`); + } else logFirstRootDetection(); + return ProcessImpl.start.call(this, [Java.use("java.lang.String").$new("")], env, dir, redirects, redirectErrorStream); + } + } + return ProcessImpl.start.call(this, cmdArray, env, dir, redirects, redirectErrorStream); + }; + } + + try { + bypassNativeFileCheck(); + bypassJavaFileCheck(); + setProp(); + bypassRootPackageCheck(); + bypassShellCommands(); + console.log("== Disabled Android root detection =="); + } catch (error) { + console.error("\n !!! Error setting up root detection bypass !!!", error); + } +})();