In my last post I analyzed the OWASP MSTG UnCrackable App – Android Level 1 and successfully obtained the secret string. In this post I’ll be showing how to bypass the root detection that the app performs at startup.
If you recall from the previous post, when you attempt to launch the app on a rooted device, you get the following message, and the app exits:
Now let’s examine the decompiled code for a better understanding of how the app checks for root. I’m picking up where I left off in the previous post, so I’m looking at this APK file decompiled with JADX and loaded into Android Studio.
The MainActivity contains the onCreate method, which immediately performs an evaluation to check for root:
If either c.a(), c.b(), or c.c() returns True, then the string “Root detected” is passed to the a() method, which looks like this:
Since this a() method only displays an error message and exits, eliminating the call to this method seems like it would be an easy way to bypass the root detection. I won’t make this change in the decompiled source code, since recompiling decompiled projects can be problematic, but will instead use APKTool to convert the Dalvik bytecode to smali, and then edit the smali code.
apktool d UnCrackable-Level1.apk
This will create a new folder that includes the smali code. I want to eliminate the call to the method that forces me to exit if any of c.a, c.b, or c.c returns true. The equivalent lines of code are in Uncrackable-Level1/smali/sg/vantagepoint/uncrackable1/MainActivity.smali, and look like this, with line 76 invoking the a() method:
Deleting line 76 and saving the file will allow me to run the app on a rooted device:
Rebuild the app with APKTool:
apktool b UnCrackable-Level1 -o uncrackable-level1_patched.apk
Generate a key and sign the APK:
keytool -genkey -v -keystore test.keystore -storepass password -alias android -keypass password -keyalg RSA -keysize 2048 -validity 10000
jarsigner.exe -verbose -keystore test.keystore -storepass password -keypass password uncrackable-level1_patched.apk android
Uninstall the original app:
adb uninstall owasp.mstg.uncrackable1
Install the patched app:
adb install uncrackable-level1_patched.apk
The app now runs on a rooted device:
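As an added example (not from the original post), here is a small POSIX shell helper for the smali edit step above. Rather than deleting a line by number, it removes the invoke-* instruction for a given method descriptor and refuses to touch the file unless exactly one call site matches, so a mistyped descriptor or a method that is called from several places is caught instead of silently patched. The method descriptor and the sample smali lines in the comments are constructed assumptions for illustration; take the real descriptor from the decoded MainActivity.smali. From the app's side it also illustrates why a single, unguarded call to an exit routine is weak protection: the whole check is undone by removing one instruction.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Removes a single invoke-* line from an apktool-decoded smali file and refuses
# to act unless exactly one line matches, so an over-broad or mistyped pattern
# cannot strip other call sites without anyone noticing.
#
# The descriptor below is a constructed assumption: the a(String) method of
# MainActivity as it would appear in smali. Read the real one from the decoded file.
TARGET_METHOD='Lsg/vantagepoint/uncrackable1/MainActivity;->a(Ljava/lang/String;)V'

# count_invokes FILE METHOD
# Prints the number of lines in FILE that are invoke-* instructions calling METHOD.
# Always returns 0 so it is safe to use under "set -e"; the count is on stdout.
count_invokes() {
    grep -F -- "$2" "$1" | grep -c '^[[:space:]]*invoke-' || true
}

# remove_invoke FILE METHOD
# Deletes the one invoke-* line calling METHOD from FILE, in place.
# Returns 1 without modifying FILE when the number of matching call sites is not 1.
remove_invoke() {
    file=$1
    method=$2
    n=$(count_invokes "$file" "$method")
    if [ "$n" -ne 1 ]; then
        echo "refusing to patch $file: expected exactly 1 call site, found $n" >&2
        return 1
    fi
    # Drop only lines whose first token is an invoke-* opcode and that name the method.
    awk -v m="$method" 'index($0, m) && $1 ~ /^invoke-/ { next } { print }' "$file" > "$file.tmp" &&
        mv "$file.tmp" "$file"
}

# Stand-alone usage: sh patch_smali.sh path/to/MainActivity.smali "$TARGET_METHOD"
# Example of the lines this targets (constructed sample of decoded smali):
#     const-string v0, "Root detected!"
#     invoke-direct {p0, v0}, Lsg/vantagepoint/uncrackable1/MainActivity;->a(Ljava/lang/String;)V
if [ "$#" -eq 2 ]; then
    remove_invoke "$1" "$2"
fi
```

The descriptor-based match is deliberately stricter than a line number: line numbers shift between apktool versions and between decodes, while the method descriptor is stable, and the exactly-one check turns an unexpected second caller into an error rather than a silent extra patch.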