OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

[Android] Ways to detect Magisk #1146

Open galapogos opened 5 years ago

galapogos commented 5 years ago

Describe the issue

The test cases for root detection do not seem to be able to detect the latest Magisk (18.1) with Magisk Hide and Hide Magisk Manager enabled. Are there any ways to detect this?

TheDauntless commented 5 years ago

Hardly.

What kind of works is getting an application listing and checking the app names. The package name is randomised, but the application name (Magisk Manager) isn't.

galapogos commented 5 years ago

AFAIK, along with randomizing the package name, the app name is also renamed to simply "Manager". Detecting this may increase false positives due to its generic nature.

On Tue, Mar 5, 2019, 18:39 Jeroen Beckers notifications@github.com wrote:

Hardly.

What kind of works is getting an application listing and checking the app names. The package name is randomised, but the application name (Magisk Manager) isn't.

TheDauntless commented 5 years ago

I did not verify, so this is possible :). It would indeed increase FP rate.

But detecting Magisk itself is very difficult. The author has stated that he knows of several ways to do it, but he will only add those defences once SafetyNet finds them. (Quote from at least a year ago)

galapogos commented 5 years ago

Thanks. Referencing V8 of OWASP_Mobile_AppSec_Verification_Standard_1.1.3_Document, there is a line that says "For any of the controls in the list below to be effective, the app must fulfil at least all of MASVS-L1 (i.e., solid security controls must be in place), as well as all lower-numbered requirements in V8. For examples, the obfuscation controls listed in under "impede comprehension" must be combined with "impede dynamic analysis and tampering" and "device binding".". However, without a method to detect Magisk, how will any app pass V8.1 of the MSTG checklist?

commjoen commented 5 years ago

Good point :), I guess this will be a cat-and-mouse game that can be played :).

Ingan121 commented 5 years ago

It looks like Uncrackable Level 3 can detect latest Magisk (19.0).

commjoen commented 5 years ago

Seems like a nice possibility to extend the writeup based on lvl 3? Who wants in :) ?

galapogos commented 5 years ago

It looks like Uncrackable Level 3 can detect latest Magisk (19.0).

Any idea how they do it? And does it detect Magisk Hide + "Hide Magisk Manager"?

Ingan121 commented 5 years ago

It beats those two at least for me... but it might not be a problem related to Magisk root since there are 3 root checks, integrity checks (is app debuggable), and library tamper check, which call the same dialog. I looked into those 3 root detections, but all of them should be hidden by MagiskHide or not present in normal Magisk installation. Also, the level 2 uses the same root detection technique, but it can be bypassed.

TheDauntless commented 5 years ago

Level 3 doesn't detect Magisk, it's just broken.

04-09 12:21:48.936 5731 5731 UnCrackable3 V CRC[lib/arm64-v8a/libfoo.so] = 2268200259
04-09 12:21:48.936 5731 5731 UnCrackable3 V CRC[lib/x86_64/libfoo.so] = 1483140570
04-09 12:21:48.937 5731 5731 UnCrackable3 V CRC[lib/armeabi-v7a/libfoo.so] = 2867094050
04-09 12:21:48.937 5731 5731 UnCrackable3 V CRC[lib/x86/libfoo.so] = 3242540510
04-09 12:21:48.937 5731 5731 UnCrackable3 V CRC[classes.dex] = 660503288
04-09 12:21:48.937 5731 5731 UnCrackable3 V classes.dex: crc = 660503288, supposed to be 1999877287

The CRC of classes.dex is 660503288 (=275e7af8) if you unpack the apk and calculate the crc:

~/Downloads » crc32 classes.dex
275e7af8

When @commjoen updated this one and asked me to verify that it worked, I honestly only tested it on a rooted device and I saw that the check went off, so I assumed it worked. Sorry :).

I tested it on my non-rooted S8 with Android 9 and it also gives the root detected warning. I'll open a new ticket for this.
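As an added example (not code from the MASTG or from the UnCrackable app), the integrity check the log above is performing, reproduced in Python over a constructed in-memory APK: read the CRC32 of each ZIP entry, recompute it over the entry's bytes, and compare against the table of expected values the app would embed at build time. The entry names and the stale expected value 1999877287 are taken from the log; the archive contents are constructed.

```python
import io
import zipfile
import zlib


def entry_crcs(apk_bytes, names):
    """Return {entry name: CRC32} for the given APK (ZIP) entries.

    The CRC stored in the ZIP central directory must equal one recomputed
    over the decompressed bytes; a mismatch means a corrupt archive."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in names:
            info = zf.getinfo(name)
            recomputed = zlib.crc32(zf.read(name)) & 0xFFFFFFFF
            if recomputed != info.CRC:
                raise ValueError(f"stored/recomputed CRC differ for {name}")
            out[name] = recomputed
    return out


def verify_integrity(apk_bytes, expected):
    """Compare actual entry CRCs with the expected table.

    Returns a list of (name, actual, expected) mismatches; empty == intact."""
    actual = entry_crcs(apk_bytes, expected.keys())
    return [(n, actual[n], e) for n, e in expected.items() if actual[n] != e]


def build_sample_apk():
    """Constructed stand-in for an APK: only the entries the log names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\0constructed sample, not real bytecode")
        zf.writestr("lib/arm64-v8a/libfoo.so", b"\x7fELF constructed stub")
    return buf.getvalue()


def demo():
    apk = build_sample_apk()
    crcs = entry_crcs(apk, ["classes.dex", "lib/arm64-v8a/libfoo.so"])
    # Table generated from the final build: the check passes.
    good = dict(crcs)
    # Table left over from an earlier build (the situation in the log above):
    # classes.dex is reported, exactly like "supposed to be 1999877287".
    stale = dict(crcs, **{"classes.dex": 1999877287})
    return verify_integrity(apk, good), verify_integrity(apk, stale)
```

The decimal 660503288 in the log is the same value as the `275e7af8` the crc32 tool prints, so the check itself is sound; it only passes when the expected table is regenerated from the final (signed) build, since any rebuild changes classes.dex.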

commjoen commented 5 years ago

So I guess we have to fix it... will not have time to validate now unfortunately, hope to find time soon! See #1171

commjoen commented 5 years ago

Fixing might take a little longer, sorry for that. But I guess we will get somewhere before or during the upcoming open-security summit ...

commjoen commented 5 years ago

So we fixed #1171 and level3 does not detect magisk-hide.

commjoen commented 5 years ago

Given the complexity and the cat-and-mouse game for detecting Magisk, we'd rather move it to 1.3. If someone wants to pick it up: feel free to do this earlier :).

commjoen commented 4 years ago

Given https://twitter.com/mobilesecurity_/status/1216128610970587139, who wants to pick it up :)?

darvincisec commented 3 years ago

The above link points to my GitHub project on Magisk Hide detection. If you think it is still relevant to add this, can you assign it to me?

sushi2k commented 3 years ago

Hi @darvincisec. Thanks for reaching out. After internal discussion on our side, you could add an introduction paragraph into the following chapter: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#programmatic-detection

A generic introduction into the section that summarises the detection mechanisms (/proc etc.). Your project can then be a reference as an example for root detection. A lot of the details are explained in the paragraphs below, so please check to avoid redundancies.

Directly after "Programmatic Detection". We can also discuss further in Slack.