Emulator Detection / Root detection on Android emulator

talsec / Free-RASP-Flutter

Flutter library for improving app security and threat monitoring on Android and iOS mobile devices.

https://github.com/talsec/Free-RASP-Community

MIT License

194 stars 20 forks source link

Emulator Detection / Root detection on Android emulator #95

Closed timobaehr closed 1 year ago

timobaehr commented 1 year ago

Describe the bug

If I start the Talsec instance on an Android emulator, the callback onSimulator is not called.
If the folder /system/xbin contains the executable su (adb shell 'ls /system/xbin'), the callback onPrivilegedAccess is not called.

To Reproduce Start the App with Talsec code on arm64-v8a Nougat Android 7.0 image or arm64-v8a API 34 Android 14 image.

Expected behavior

If I start the Talsec instance on an Android emulator, then I expect the callback onSimulator to get called.
If the folder /system/xbin contains the executable su (adb shell 'ls /system/xbin'), then I expect onPrivilegedAccess to get called.

Please complete the following information:

Device: Android arm64 emulator
OS version: Android 7, Android 14
Version of freeRASP: 6.3.0

SirionRazzer commented 1 year ago

Hi @timobaehr, Thanks for the details. I tried to reproduce it:

Simulator Development emulators bundled with Android Studio should be easily detectable. It worked as expected for me. The unsuccessful simulator detection could be due to confusion between dev/release configuration (isProd = false/true) -> https://github.com/talsec/Free-RASP-Flutter#dev-vs-release-version Could you please double check it is configured properly and works as expected on other emulators (i.e. different Android version, architecture)?

Privileged access This is a tricky one and needs to be explained in the documentation. The situation with su files on Android emulators was explained in this older issue. TL;DR: It seems su can't be detected on emulator images based on API level >=31 (it works for lower API levels).

timobaehr commented 1 year ago

Hi @SirionRazzer,

thanks for your answer and efforts.

With isProd: true on a real Android device:

App integrity
Debugging
Unofficial store
Obfuscation issues

With isProd: false on a real Android device: No callback is called.

With isProd: false on a emulator:

Secure hardware not available
Passcode not set

With isProd: true on a emulator:

Debugging
Passcode not set
Secure hardware not available

Documentation:

  /// Whether the SDK should be running in release mode.
  final bool isProd;

SirionRazzer commented 1 year ago

Hi @timobaehr , I could not reproduce it. Both Android 7 and Android 14 emulators (although x86_64) + latest freeRASP work as expected for me.