Tags: android, cordova, cookies, webview

Protect the app from bypassing the root detection (Frida Server)


I saw a post on bypassing the root detection for an Android app by using Frida server. When I follow these steps, root detection is not working. Does anyone have an idea how to protect the root detection from being bypassed using Frida server or any other tool?


Solution

  • Check for root in a shared library and, from the shared lib itself, launch an activity saying the device is rooted, clearing the back stack. Native binaries are difficult to reverse engineer (they need the function name to manipulate on Frida).

    Also, you can prevent Frida from attaching to your app. From the Frida docs we can see that Frida uses ptrace:

    Frida needs in a first step to inject an agent in the targeted application so that it is in the memory space of the process.

    On Android and Linux such injection is done with ptrace by attaching or spawning a process and then injecting the agent. Once the agent is injected, it communicates with its server through a pipe.

    When the ptrace system call is used to attach to a process, the "TracerPid" field in the status file of the debugged process shows the PID of the attaching process. The default value of "TracerPid" is 0 (no process attached). Consequently, finding anything other than 0 in that field is a sign of debugging or other ptrace shenanigans. The following implementation is from Tim Strazzere's Anti-Emulator project:

    #include <jni.h>
    #include <unistd.h>
    #include <sys/ptrace.h>
    #include <sys/wait.h>
    #include <pthread.h>

    static int child_pid;

    /* Runs in the parent: blocks until the child changes state. The child should
       never stop or exit on its own, so any change means it was killed or
       detached, e.g. by a tool trying to take over the tracer slot. */
    void *monitor_pid(void *arg) {
        (void)arg;
        int status;

        waitpid(child_pid, &status, 0);

        /* Child status should never change. */
        _exit(0); // Commit seppuku
    }

    void anti_debug() {
        child_pid = fork();

        if (child_pid == 0)
        {
            /* Child: attach to the parent as its tracer so that no other
               process (a debugger or an injector) can ptrace it. */
            int ppid = getppid();
            int status;

            if (ptrace(PTRACE_ATTACH, ppid, NULL, NULL) == 0)
            {
                waitpid(ppid, &status, 0);

                ptrace(PTRACE_CONT, ppid, NULL, NULL);

                while (waitpid(ppid, &status, 0)) {
                    if (WIFSTOPPED(status)) {
                        /* Parent hit a signal stop; let it continue. */
                        ptrace(PTRACE_CONT, ppid, NULL, NULL);
                    } else {
                        // Process has exited
                        _exit(0);
                    }
                }
            }

        } else {
            /* Parent: watch the child so that killing the tracer kills the app. */
            pthread_t t;

            /* Start the monitoring thread */
            pthread_create(&t, NULL, monitor_pid, (void *)NULL);
        }
    }

    JNIEXPORT void JNICALL
    Java_sg_vantagepoint_antidebug_MainActivity_antidebug(JNIEnv *env, jobject instance) {
        (void)env;
        (void)instance;
        anti_debug();
    }
    

    Please refer to this guide for anti-debugging tricks by vantagepoint. There is a specific section in this guide which addresses Frida.

    Also https://github.com/b-mueller/frida-detection-demo

    Otherwise, you can use the service of Appdome (IPaaS) to block Frida from attaching to your app.
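The answer above quotes the TracerPid rule and recommends doing the root check from native code; the following is an added example (written for this page, not code from the answer, the OWASP guide, or the Anti-Emulator project) that turns both into small C routines you can unit-test on a workstation. The TracerPid parser works on a text buffer so it can be exercised with constructed `/proc/<pid>/status` samples; the `su` path list and the sample status text are assumptions, not data taken from a real device.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* --- Root indicator: presence of a su binary at common locations --- */

/* Candidate locations; this list is an assumption, extend it for your fleet. */
static const char *const SU_PATHS[] = {
    "/system/bin/su",
    "/system/xbin/su",
    "/sbin/su",
    "/su/bin/su",
};

/* Returns 1 if any of the given paths exists on disk, 0 otherwise. */
int any_path_exists(const char *const *paths, size_t count) {
    struct stat st;
    for (size_t i = 0; i < count; i++) {
        if (stat(paths[i], &st) == 0) {
            return 1;
        }
    }
    return 0;
}

int su_binary_present(void) {
    return any_path_exists(SU_PATHS, sizeof(SU_PATHS) / sizeof(SU_PATHS[0]));
}

/* --- Debugger / ptrace indicator: TracerPid in /proc/self/status --- */

/* Parse the TracerPid field out of the text of a /proc/<pid>/status file.
 * Returns the tracer's PID (0 means nobody is attached) or -1 if the
 * field is absent. Operates on a buffer so the logic is testable offline. */
int parse_tracer_pid(const char *status_text) {
    static const char key[] = "TracerPid:";
    const size_t key_len = sizeof(key) - 1;
    const char *line = status_text;

    while (line != NULL && *line != '\0') {
        if (strncmp(line, key, key_len) == 0) {
            /* strtol skips the tab or spaces that follow the colon */
            return (int)strtol(line + key_len, NULL, 10);
        }
        line = strchr(line, '\n');
        if (line != NULL) {
            line++; /* step past the newline to the start of the next line */
        }
    }
    return -1;
}

/* Read this process's own status file and return its TracerPid, -1 on failure. */
int tracer_pid_from_proc(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) {
        return -1;
    }
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* Constructed sample status texts for offline testing (not captured from a device). */
static const char SAMPLE_CLEAN[] =
    "Name:\tcom.example.app\nState:\tS (sleeping)\nPid:\t4242\n"
    "PPid:\t1\nTracerPid:\t0\nUid:\t10123\t10123\t10123\t10123\n";
static const char SAMPLE_TRACED[] =
    "Name:\tcom.example.app\nState:\tt (tracing stop)\nPid:\t4242\n"
    "PPid:\t1\nTracerPid:\t31337\nUid:\t10123\t10123\t10123\t10123\n";

int main(void) {
    printf("sample clean  -> TracerPid %d\n", parse_tracer_pid(SAMPLE_CLEAN));
    printf("sample traced -> TracerPid %d\n", parse_tracer_pid(SAMPLE_TRACED));
    printf("this process  -> TracerPid %d\n", tracer_pid_from_proc());
    printf("su binary present: %s\n", su_binary_present() ? "yes" : "no");
    return 0;
}
```

Keep both checks in native code and call them from more than one place: a check that lives in Java is a single hook away from always returning false. Note also that TracerPid only reflects the ptrace-based injection path the quoted docs describe; an agent that is loaded into the process by other means (for example a gadget library shipped inside the app package) never appears there, so treat this as one signal to combine with others rather than a complete defence.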