Port MASTG-TEST-0045: Testing Root Detection (android)

demos/android/MASVS-RESILIENCE/MASTG-DEMO-0022/MASTG-DEMO-0022.md

@@ -0,0 +1,32 @@
+---
+platform: android
+title: Uses of Root Detection Techniques with r2
+code: [kotlin]
+id: MASTG-DEMO-0022
+test: MASTG-TEST-0245
+---
+
+### Sample
+
+The following code shows an example of root detection on a device.
+
+{{ RootDetection.kt }}
+
+### Steps
+
+1. Unzip the APK package and locate the main binary file (@MASTG-TECH-0007), which in this case is the classes.dex.
+2. Open the application's binary file using @MASTG-TOOL-0028 with the -i option to run this script.
+
+{{ root_detection.r2 }}
+
+{{ run.sh }}
+
+### Observation
+
+The output should include information about detected root indicators, such as the presence of su binaries or modified system properties.
+
+### Evaluation
+
+The demo is considered successful if the rooted device is correctly identified, and the application does not mistakenly flag a non-rooted device as rooted. Furthermore, the bypass techniques should not allow complete circumvention of the root detection.
+
+On the other hand, the demo fails if the rooted device is not detected, a non-rooted device is falsely flagged as rooted, or if any of the bypass techniques successfully bypass the root detection mechanism.

demos/android/MASVS-RESILIENCE/MASTG-DEMO-0022/RootDetection.kt

@@ -0,0 +1,50 @@
+object RootDetector {
+   fun isDeviceRooted(): Boolean {
+       return checkRootFiles() || checkSuperUserApk() || checkSuCommand()
+   }
+
+   internal fun checkRootFiles(): Boolean {
+       val rootPaths = listOf(
+           "/system/app/Superuser.apk",
+           "/system/xbin/su",
+           "/system/bin/su",
+           "/sbin/su",
+           "/system/sd/xbin/su",
+           "/system/bin/.ext/.su",
+           "/system/usr/we-need-root/su-backup",
+           "/system/xbin/mu"
+       )
+       rootPaths.forEach { path ->
+           if (File(path).exists()) {
+               Log.d("RootCheck", "Found root file: $path")
+           }
+       }
+       return rootPaths.any { path -> File(path).exists() }
+   }
+
+   private fun checkSuperUserApk(): Boolean {
+       val superUserApk = File("/system/app/Superuser.apk")
+       if (superUserApk.exists()) {
+           Log.d("RootCheck", "Found Superuser.apk")
+       }
+       return superUserApk.exists()
+   }
+
+   internal fun checkSuCommand(): Boolean {
+       return try {
+           val process = Runtime.getRuntime().exec(arrayOf("which", "su"))
+           val reader = BufferedReader(InputStreamReader(process.inputStream))
+           val result = reader.readLine()
+           if (result != null) {
+               Log.d("RootCheck", "su command found at: $result")
+               true
+           } else {
+               Log.d("RootCheck", "su command not found")
+               false
+           }
+       } catch (e: IOException) {
+           Log.d("RootCheck", "Error checking su command: ${e.message}")
+           false
+       }
+   }
+}

demos/android/MASVS-RESILIENCE/MASTG-DEMO-0022/root_detection.r2

@@ -0,0 +1,50 @@
+# jailbreak_detection.r2
+e asm.bytes=false
+e scr.color=false
+e asm.var=false
+
+?e
+
+?e search for root path:
+
+/ /system/app/Superuser.apk
+/ /system/xbin/daemonsu
+/ /system/xbin/su
+/ /sbin/su
+/ /system/bin/su
+/ /system/sd/xbin/su
+/ /system/bin/failsafe/su
+/ /data/local/su
+/ /data/local/xbin/su
+/ /data/local/bin/su
+
+?e
+
+?e search for urlSchemes:
+
+/ supersu://
+/ magisk://
+
+?e
+
+?e search for suspiciousEnvVars:
+
+/ LD_PRELOAD
+/ LD_LIBRARY_PATH
+
+?e
+
+?e Searching for Root output:
+
+iz~+root
+
+?e
+
+?e xrefs to Root strings:
+axt 0x10011db00
+
+?e
+
+?e Disassembled Root function:
+
+pdf @ 0x100008c14

demos/android/MASVS-RESILIENCE/MASTG-DEMO-0022/run.sh

@@ -0,0 +1 @@
+r2 -q -i root_detection.r2 -A classes.dex > output.asm

tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0245.md

@@ -0,0 +1,42 @@
+---
+title: Root Indicators Detection
+platform: android
+id: MASTG-TEST-0245
+type: [static]
+weakness: MASWE-0097
+best-practices: []
+---
+
+## Overview
+
+This test is specifically designed to evaluate the effectiveness of root detection mechanisms. Its goal is to ensure that rooted devices are accurately identified so that any associated security risks can be addressed, ultimately safeguarding the integrity of the device and protecting user data.
+
+The testing process involves analyzing the device environment to identify common indicators of root access. This includes checking for the presence of root management tools, suspicious files or directories, and modified system properties on the device itself. It does so by statically analyzing the device for [common root detection checks](../../../Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#root-etection-and-common-root-detection-methods). 
+
+## Steps
+
+1. **Check for root indicators:**
+
+   - Look for files such as Superuser.apk, /sbin/su, /system/bin/su, /system/xbin/su.
+   - Check for presence of root management apps such as Magisk, SuperSu that are commonly used to manage root access.
+
+2. **Check for modified system properties:**
+   - ro.secure=0 (should be 1 on production devices).
+   - ro.debuggable=1 (indicates the device is in debug mode).
+   - Look for properties like ro.allow.mock.location=1 or persist.sys.usb.config=adb which can indicate modifications related to root.
+3. **Check for modifications to critical system directories:**
+   - Look for attempts to modify files or settings in directories such as /data or /system, which should remain immutable on an unrooted device.
+4. **Check for non-standard system behavior:**
+   - Look for processes that shouldn’t normally be running, like su or sh, which are typically used by root management tools.
+   - Analyze running processes for any unusual or unauthorized apps, such as root management tools, that should not be running on a non-rooted device.
+5. **Analyze and report findings.**
+
+## Observation
+
+The output should contain a comprehensive set of findings that demonstrate the accuracy of the root detection mechanisms on the device. Specifically, it should include traces of any root indicators, such as the presence of root management tools, suspicious system files, and modified system properties. The output should also include evidence of any attempts to modify critical system directories or processes that are not normally running on a non-rooted device.
+
+## Evaluation
+
+The test passes if the root detection mechanisms successfully identify signs of rooting on the device, such as the presence of root management tools, suspicious system files, or modified system properties. The test is considered unsuccessful if a rooted device is not properly detected, if a non-rooted device is mistakenly flagged as rooted (false positive), or if any bypass technique is able to completely circumvent the detection mechanism.
+
+To enhance the reliability of root detection, a combination of static and dynamic analysis methods should be used, such as checking system properties along with monitoring runtime behavior.

tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0246.md

@@ -0,0 +1,39 @@
+---
+title: Root Detection Resilience Testing
+platform: android
+id: MASTG-TEST-0245
+type: [dynamic]
+weakness: MASWE-0097
+best-practices: []
+---
+
+## Overview
+
+This test is designed to evaluate the effectiveness of root detection mechanisms. Its goal is to ensure that rooted devices are accurately identified so that any associated security risks can be addressed, ultimately safeguarding the integrity of the device and protecting user data.
+
+The testing process involves running the app on a non-rooted and a rooted device to observe how the root detection mechanisms work. This includes monitoring system interactions, detecting access to root-specific files or binaries, and analyzing API calls commonly used for root detection. Additionally, various bypass techniques are tested to determine the robustness of the implemented security measures. It does so by dynamically analyzing the app binary for [common root detection checks](../../../Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#root-etection-and-common-root-detection-methods).
+
+## Steps
+
+1. **Prepare the test environment:**
+   - Set up the non-rooted and rooted device to compare their behaviour.
+2. **Run application which implements root detection on the non-rooted device:**
+   - Verify that the detection works as expected.
+3. **Monitor Application Behaviour:**
+   - Use tools like strace or DDMS to trace what the app does when it checks for root. Look for interactions with the system, such as attempts to open su or check running processes. This will help you understand how the app is detecting root and might expose weaknesses in its implementation.
+4. **Run the application on a rooted device:**
+   - Check if root detection alerts appear.
+5. **Test bypass techniques:**
+   - Use tools like MagiskHide, RootCloak or UnRootBeer to see if root detection can be bypassed.
+   - Experiment with techniques such as renaming binaries or using Frida/Xposed to hook into APIs.
+6. **Analyze and report findings.**
+
+## Observation
+
+The main purpose of this test is to evaluate the accuracy of implemented root detection mechanisms. This means we want to see if the root detection mechanisms are effective at identifying devices that have been modified while minimizing instances where non-rooted devices are mistakenly flagged as rooted. The outcome should provide a comprehensive understanding of how effectively the application’s root detection mechanisms function. 
+
+## Evaluation
+
+The test passes if the root detection mechanisms successfully identify any signs of rooting on the device. The test is considered unsuccessful if a rooted device is not properly detected, if a non-rooted device is incorrectly flagged as rooted, or if any bypass technique allows complete circumvention of the detection mechanism.
+
+To enhance the reliability of root detection, a combination of static and dynamic analysis methods should be used, such as checking system properties along with monitoring runtime behavior.

tests/android/MASVS-RESILIENCE/MASTG-TEST-0045.md

@@ -7,6 +7,9 @@ platform: android
 title: Testing Root Detection
 masvs_v1_levels:
 - R
+status: deprecated
+covered_by: [MASTG-TEST-0245, MASTG-TEST-0246]
+deprecation_note: New version available in MASTG V2
 ---
 
 ## Bypassing Root Detection