aimardcr / AndroidNativeGuard

All-in-one android application protection

False positive in detectSuBinaries function #10

Closed sangcx5 closed 2 months ago

sangcx5 commented 3 months ago

The detectSuBinaries function checks whether a binary exists by making a call to SecureAPI::openat(AT_FDCWD, suBinary, O_RDONLY, 0)

bool RootDetect::detectSuBinaries() {
    for (const char *suBinary : suBinaries) {
        int fd = SecureAPI::openat(AT_FDCWD, suBinary, O_RDONLY, 0);
        if (fd < 0) {
            LOGI("RootDetect::execute su binary detected: %s", suBinary);
            SecureAPI::close(fd);
            return true;
        }
        ...
}

But for a file that does not exist, SecureAPI::openat(AT_FDCWD, suBinary, O_RDONLY, 0) returns -2, so if the device doesn't have any file in this list, your code will indicate that the device is rooted.

static const char *suBinaries[] = {
    "/data/local/su",
    "/data/local/bin/su",
    "/data/local/xbin/su",
    "/sbin/su",
    "/su/bin/su",
    "/system/bin/su",
    "/system/bin/.ext/su",
    "/system/bin/failsafe/su",
    "/system/sd/xbin/su",
    "/system/usr/we-need-root/su",
    "/system/xbin/su",
    "/cache/su",
    "/data/su",
    "/dev/su"
};

So please recheck and update the root detection logic. POC: [image]
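The inversion described above, as an added C example (not code from this issue or from the AndroidNativeGuard repository). `raw_openat` is a hypothetical stand-in for `SecureAPI::openat`: it assumes a raw-syscall wrapper that returns `-errno` on failure, which is consistent with the `-2` (`ENOENT`) in the report. The buggy and corrected checks sit side by side, and the corrected one goes a step further than a bare `fd >= 0` test by classifying the error so that an `EACCES` (path may exist but is unreadable, e.g. under SELinux) is logged as unknown instead of being silently folded into either answer. The sample path list and the temporary "su" file are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical stand-in for SecureAPI::openat (not the project's code).
 * It mimics a raw-syscall wrapper that returns -errno on failure instead of
 * -1, which is why a missing path yields -2 (ENOENT) as the issue reports. */
static int raw_openat(int dirfd, const char *path, int flags, mode_t mode) {
    int fd = openat(dirfd, path, flags, mode);
    return fd < 0 ? -errno : fd;
}

/* The check as quoted in the issue: a *failed* open is treated as a hit, so a
 * clean device with none of the listed paths is reported as rooted. */
static bool buggy_detect(const char *const *paths, size_t n) {
    for (size_t i = 0; i < n; i++) {
        int fd = raw_openat(AT_FDCWD, paths[i], O_RDONLY, 0);
        if (fd < 0) {          /* -ENOENT lands here: false positive */
            close(fd);         /* close(-2) merely fails with EBADF */
            return true;
        }
        close(fd);
    }
    return false;
}

typedef enum { PATH_PRESENT, PATH_ABSENT, PATH_UNKNOWN } probe_result;

/* Classify a path by the open result instead of collapsing it to a bool. */
static probe_result probe_path(const char *path) {
    int fd = raw_openat(AT_FDCWD, path, O_RDONLY | O_CLOEXEC, 0);
    if (fd >= 0) {
        close(fd);
        return PATH_PRESENT;
    }
    if (fd == -ENOENT || fd == -ENOTDIR)
        return PATH_ABSENT;
    /* e.g. -EACCES: the path may exist but is unreadable to this process;
     * report it as unknown rather than guessing either way. */
    fprintf(stderr, "probe %s: %s\n", path, strerror(-fd));
    return PATH_UNKNOWN;
}

/* Corrected check: only a successful open counts as a detection. */
static bool fixed_detect(const char *const *paths, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (probe_path(paths[i]) == PATH_PRESENT)
            return true;
    }
    return false;
}

/* Constructed sample list: paths that exist on no normal system. */
static const char *const kMissingPaths[] = {
    "/nonexistent-rootcheck-demo/su",
    "/nonexistent-rootcheck-demo/xbin/su",
};
#define N_MISSING (sizeof kMissingPaths / sizeof kMissingPaths[0])

bool demo_buggy_on_clean_device(void) { return buggy_detect(kMissingPaths, N_MISSING); }
bool demo_fixed_on_clean_device(void) { return fixed_detect(kMissingPaths, N_MISSING); }

/* Simulate a rooted device: create a temporary file standing in for a present
 * su binary (in the cwd, falling back to /tmp) and probe a list ending with it. */
bool demo_fixed_with_present_file(void) {
    char tmpl[] = "rootcheck-demo-su-XXXXXX";
    char tmpl2[] = "/tmp/rootcheck-demo-su-XXXXXX";
    char *name = tmpl;
    int fd = mkstemp(tmpl);
    if (fd < 0) {
        fd = mkstemp(tmpl2);
        name = tmpl2;
    }
    if (fd < 0)
        return false;
    close(fd);
    const char *paths[] = { kMissingPaths[0], name };
    bool hit = fixed_detect(paths, 2);
    unlink(name);
    return hit;
}

int main(void) {
    printf("buggy check, clean device: %s\n",
           demo_buggy_on_clean_device() ? "ROOTED (false positive)" : "clean");
    printf("fixed check, clean device: %s\n",
           demo_fixed_on_clean_device() ? "ROOTED" : "clean");
    printf("fixed check, su present  : %s\n",
           demo_fixed_with_present_file() ? "ROOTED" : "clean (false negative)");
    return 0;
}
```

The three-way classification is the part worth keeping when porting this back into a real detector: a denied open is evidence about the process's permissions, not about whether the file is there, so it belongs in a log line rather than in the rooted/not-rooted verdict.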

aimardcr commented 3 months ago

Hi, this is a known issue and will be updated as soon as possible.

sangcx5 commented 3 months ago

> Hi, this is a known issue and will be updated as soon as possible.

ah okay, thank you

priyaji1 commented 2 months ago

@aimardcr Is the false positive in the detectSuBinaries function fixed? I am using the code, but it is saying a non-rooted device is rooted. Can you confirm one more thing: will this root check work when the app is in the Zygisk denylist?

aimardcr commented 2 months ago

Hi, the false positive is WIP. I haven't tried myself on the Zygisk denylist.

priyaji1 commented 2 months ago

Can you please let me know how I could detect that my app is in the Zygisk denylist?

On Fri, 6 Sept, 2024, 1:01 am Aimar Adhitya, @.***> wrote:

> Hi, the false positive is WIP. I haven't tried myself on the Zygisk denylist.


aimardcr commented 2 months ago

Fixed in ef5c80a0a7f80380c3befa5581af361c3871d06e.

priyaji1 commented 1 month ago

Thank you so much @aimar, so you have added a check for the Zygisk denylist also?

On Wed, 11 Sept, 2024, 11:02 am Aimar Adhitya, @.***> wrote:

> Fixed in ef5c80a https://github.com/aimardcr/AndroidNativeGuard/commit/ef5c80a0a7f80380c3befa5581af361c3871d06e
