topjohnwu / Magisk

The Magic Mask for Android
GNU General Public License v3.0

MagiskHide - issue in mount namespace hiding for isolated processes #2406

Closed kam821 closed 2 years ago

kam821 commented 4 years ago

First of all, I would like to say that I am aware of the fact that raising the issue of MagiskHide is usually irritating and I will understand if my thread is ignored.

I recently read an article: https://darvincitech.wordpress.com/2019/11/04/detecting-magisk-hide/

It describes an issue in MagiskHide's mount point hiding for isolated processes, and detects Magisk by exploiting this issue.

I tested it on my own by activating MagiskHide for Brave and all subprocesses.

For every sandboxed_processX, the mount list looks like MagiskHide is off; other processes (like main/privileged_processX) are properly hidden.

Main process - mountstats: https://pastebin.com/6t1p1wxs

Sandboxed_process - mountstats: https://pastebin.com/YasyF3tV

Magisk/Magisk Manager: 20.4-ed58cf95. Xiaomi Mi 8 / Android 10 / xiaomi.eu 20.1.21

Regards.

skittles9823 commented 4 years ago

Yea I just built the app myself and gave it a test and it successfully found magisk on the latest canary build.

surbiks commented 4 years ago

Yea, I tested in the latest release and it detects magisk.

djechelon commented 4 years ago

Go ahead @kam821 and discuss! The main purpose of #1152 is to prevent crowds from opening tickets about certain apps, which should be chaffed, analyzed and decompiled to find out more. And maybe find (like the linked banking ticket) that the OP was so dumb that they never actually changed the Magisk package name in the first place.

This ticket discusses a novel technique of Magisk-busting, with a reproducible case, and is focused on the anti-root approach.

There is a huge difference between the two kinds of issues.

kam821 commented 4 years ago

@djechelon I know what's the point of #1152 ;) Too many "weneta fix" and "I didn't do anything to prevent Magisk detection and X app detects Magisk, why?" But I understand that MagiskHide itself is not a priority Magisk feature, but rather a very useful addition.

Unfortunately, at the moment I am not familiar enough with all the Magisk and Android mechanisms, so I can't do anything more than report it :(

goodwin commented 4 years ago

@topjohnwu Are you aware of that issue? Looks like HCE already has this check implemented, and I see other apps using the same check for detecting Magisk, so this is becoming a common detection method that breaks Hide at the root.

Kovur commented 4 years ago

Why removed? The problem is still here. I can't use a government application, because it detects Magisk. SafetyNet passed, hide enabled, package and app renamed, not helping.

djechelon commented 4 years ago

@Kovur removing the "bug" label doesn't mean "the bug is removed from code". It means that @topjohnwu confirmed the issue and might be working on it.

Also, even if you disclosed your "government app"'s name:

So, please, do not comment on this post basing that "one app is detecting root", because #1152

Kovur commented 4 years ago

Sorry, my bad. The application is: https://play.google.com/store/apps/details?id=ua.gov.diia.app It's already decompiled and the detection code is found: https://4pda.ru/forum/index.php?showtopic=976919&st=540#entry95456892 It's in Russian, so I'll translate it: "It's the well-known Magisk flaw (mount leak). It sits in smali/ua/gov/diia/app/e.smali Line: const-string v0, "/proc/%d/mounts"
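What the mount-leak check discussed above amounts to, from the tester's side, as an added example (not code from this thread, from Magisk or from the app): parse `/proc/<pid>/mounts` listings for a main process and a sandboxed process and count the entries that sit under Magisk's path. The two listings are constructed samples, not the pastebins linked earlier, and the `/sbin/.magisk` prefix is the one this thread discusses.

```python
"""Compare /proc/<pid>/mounts listings from a main app process and an
isolated (sandboxed_processX) process to see whether MagiskHide's
unmounting reached both mount namespaces."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Mount:
    source: str
    mountpoint: str
    fstype: str
    options: str


def _unescape(field: str) -> str:
    """/proc/*/mounts encodes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text: str) -> list[Mount]:
    """Parse 'source mountpoint fstype options dump pass' lines; skip malformed ones."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mounts.append(Mount(*(_unescape(p) for p in parts[:4])))
    return mounts


# Path prefix Magisk used at the time of this thread (see the detection string above).
MAGISK_PATHS = ("/sbin/.magisk",)


def magisk_mounts(text: str) -> list[Mount]:
    """Entries mounted under a Magisk path, or whose source is the 'magisk' tmpfs."""
    return [m for m in parse_mounts(text)
            if m.mountpoint.startswith(MAGISK_PATHS) or m.source == "magisk"]


def hide_leaks(per_process: dict[str, str]) -> dict[str, int]:
    """Map each process label to the number of Magisk-related mounts it can see."""
    return {label: len(magisk_mounts(text)) for label, text in per_process.items()}


# Constructed sample listings (not the thread's pastebins); the hidden main
# process sees nothing, the isolated process still sees Magisk's mounts.
MAIN_PROCESS = """\
/dev/block/dm-0 / ext4 ro,seclabel,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
/dev/fuse /storage/emulated/0/My\\040Docs fuse rw,nosuid,nodev,noexec,relatime 0 0
"""
SANDBOXED_PROCESS = MAIN_PROCESS + """\
magisk /sbin/.magisk tmpfs rw,seclabel,relatime,mode=755 0 0
/dev/block/dm-0 /sbin/.magisk/mirror/system ext4 ro,seclabel,relatime 0 0
"""

if __name__ == "__main__":
    samples = {"main": MAIN_PROCESS, "sandboxed_process0": SANDBOXED_PROCESS}
    for label, count in hide_leaks(samples).items():
        print(f"{label}: {count} Magisk mount(s) visible")
```

On a real device the same comparison is made by reading `/proc/<pid>/mounts` for the app's main and sandboxed PIDs (the mountstats dumps above were captured that way); a non-zero count for the isolated process is the leak this issue is about.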

djechelon commented 4 years ago

That is ok. You shall wait at least until the issue is marked closed. When the author releases a new version of Magisk, they will tag this issue in the change log. Until then, your Ukrainian app still won't work because a patch for this has not been released.

mthnry commented 4 years ago

Can confirm the DKB Tan2go app also manages to detect root on the latest versions. The banking app doesn't though or at least still works.

Didgeridoohan commented 4 years ago

@mthnry That's got nothing to do with the method described here. I've tested v2.5.1 of DKB Tan2go and Magisk can hide from it just fine. You've got something else going on, but this is not the place for it.

mthnry commented 4 years ago

From what I've seen so far, there are other users experiencing problems with Tan2go 2.5.1. It worked fine until the latest update to the app, so I'm not blaming my configuration.

Andreychik32 commented 4 years ago

The issue is still present. Is the maintainer aware of it and doing something, or still ignoring it?

Didgeridoohan commented 4 years ago

> The issue is still present. Is the maintainer aware of it and doing something, or still ignoring it?

Such a trolly way of getting a response... But I'll bite. The issue is still marked as open, which means it's still on the to-do list. It'll get addressed one way or another at some point, not a moment sooner. Cheers.

piekay-zz commented 4 years ago

@mthnry S-pushTan is detecting Magisk 20.4 (probably using this method)

mthnry commented 4 years ago

> @mthnry S-pushTan is detecting Magisk 20.4 (probably using this method)

It doesn't detect Magisk canary, at least DKB doesn't.

topjohnwu commented 4 years ago

FYI for all those who are concerned: hiding isolated processes is non-trivial, and don't expect to see a fix for this in the near future. I do have big plans which make hiding isolated processes possible, but that is still in the early planning stages.

androidacy-user commented 4 years ago

@topjohnwu

```sh
# The commenter's joke pseudocode, written as valid shell syntax
if [ "$isolatedProcess" = true ]; then
    hideRootPlus
else
    hideRoot
fi
```

If only right 🙃


vvb2060 commented 4 years ago

I have a Magisk branch that solves this problem. Magisk Lite only has SU and no Magisk module function. If your banking apps detected Magisk, and you don't use Magisk module, you can try this branch.

Download: https://github.com/vvb2060/magisk_files
Source code: https://github.com/vvb2060/Magisk
Before installation, all modules must be disabled/removed!! Then, you can only use Magisk Lite's Magisk Manager.

Test detection app: https://github.com/vvb2060/MagiskDetector/releases/latest

zx900930 commented 4 years ago

> I have a Magisk branch that solves this problem. Magisk Lite only has SU and no Magisk module function. If your banking apps detected Magisk, and you don't use Magisk module, you can try this branch.
>
> Download: https://github.com/vvb2060/magisk_files
> Source code: https://github.com/vvb2060/Magisk
> Before installation, all modules must be disabled/removed!! Then, you can only use Magisk Lite's Magisk Manager.
>
> Test detection app: https://github.com/vvb2060/MagiskDetector/releases/latest

Tested and working! Before (the 20.4 version): app package: com.stove.epic7.google

After installing your magisk lite version, the app can start with no problem.

Can you also upload the uninstaller.zip please? I can't flash back to the 20.4 version now. It shows "unsupported boot image."

Santhu195 commented 4 years ago

@vvb2060 the magisk you mentioned in the new repo without modules seems not to be working with my Huawei EMUI 9 device. I could flash it, but it is not booting into the magisk system; rather it boots to recovery or to system without magisk.

tn-17 commented 4 years ago

@zx900930 Did you have to turn on magisk hide for epic seven as well? I can't get magisk hide to keep the on switch for the game.

zx900930 commented 4 years ago

@tnguyenseo keep it OFF for Epic Seven. Keep it ON for the apps that need root.

vvb2060 commented 4 years ago

@zx900930 The Lite version is in sync with the Canary version; you can directly use the official uninstaller.zip. See https://github.com/vvb2060/magisk_files/blob/master/lite.json

@Santhu195 Lite version is sync with the Canary version, it did not modify what you said.

zx900930 commented 4 years ago

@vvb2060 thanks a lot! Looks like more and more apps (like banking apps and games) are using this bug to detect Magisk Hide.

stakaz commented 4 years ago

Since it should be fixed in your branch, would it be possible to get it into official release as well? I was unable to install the vvb2060 but anyway would be nice to have it fixed in the master branch.

sidamos commented 4 years ago

> I have a Magisk branch that solves this problem. Magisk Lite only has SU and no Magisk module function. If your banking apps detected Magisk, and you don't use Magisk module, you can try this branch.

Unfortunately, it did not help for the German Sparkasse Push-TAN app. I have to use an older version of this app, and that one also works with Magisk 20.4 stable. One other thing: this Magisk version was only active every other boot. And the apps with root allowed also showed up under Magisk Hide.

cawidtu commented 4 years ago

> Unfortunately, it did not help for the German Sparkasse Push-TAN app. I have to use an older version of this app, and that one also works with Magisk 20.4 stable.

The Sparkasse app detects various versions of Magisk Manager even in repackaged state. Try deleting the Manager or use the latest Canary Manager.

sidamos commented 4 years ago

> The Sparkasse app detects various versions of Magisk Manager even in repackaged state. Try deleting the Manager or use the latest Canary Manager.

The latest Canary Manager did help for a while until it did not anymore. I guess, the Sparkasse Push TAN app is downloading code from the Internet for detection. I am now using the previous version of the app, which even works with Magisk stable 20.4.

akumaburn commented 4 years ago

I wonder if it'd resolve the issue if Magisk transitioned into a whitelist("MagiskAllow") instead of a blacklist(MagiskHide).

djechelon commented 4 years ago

The author already commented that a good-list approach would mean a complete rewrite of the whole Magisk architecture.

The MagiskHide project is doomed to death, because Google's hardware attestation will ultimately kill root-hiding. There is no point in rewriting an entire project that may be killed at any time.

Disclaimer: even after the BLM facts, I disagree on the deprecation of certain CS terminology (white/black lists, master/slave etc) but I still deprecate such wordings

akumaburn commented 4 years ago

> The author already commented that a good-list approach would mean a complete rewrite of the whole Magisk architecture.

Bummer, as in my understanding it would make detection of Magisk significantly more difficult. It's a lot easier to hide if you hide from everything by default.

> Disclaimer: even after the BLM facts, I disagree on the deprecation of certain CS terminology (white/black lists, master/slave etc) but I still deprecate such wordings

I wasn't aware there were people in the programming community who were actually offended by those terms. However, I don't have a problem with using other terms. Perhaps AllowList and DenyList are more appropriate, though.

I still have the terms WhiteList and BlackList ingrained in my memory from earlier days of configuring firewalls but I will try to avoid using them from now on.

> The MagiskHide project is doomed to death, because Google's hardware attestation will ultimately kill root-hiding. There is no point in rewriting an entire project that may be killed at any time.

If the console world is any indication, there will always be a possible bypass. Whether it is hijacking the call or utilizing some kind of overflow, someone will find a way around it. That being said I do realize that eventually it may become too difficult to support.

It'd be nice if there was a hardware manufacturer who supports root out of the box though.

djechelon commented 4 years ago

> I still have the terms WhiteList and BlackList ingrained in my memory from earlier days of configuring firewalls but I will try to avoid using them from now on.

Me too, that's why I disagree. Those are hardcoded into my brain, and worse, I am not a native English speaker, so 1. I use those English words verbatim and 2. in my language there is absolutely no offense in the direct translation of those terms (because white and black are adjectives and not nouns; in English they have the same wording). But it looks like a large part of the community is demanding that, and we should pay respect to everyone.

akumaburn commented 4 years ago

> I have a Magisk branch that solves this problem. Magisk Lite only has SU and no Magisk module function. If your banking apps detected Magisk, and you don't use Magisk module, you can try this branch.
>
> Download: https://github.com/vvb2060/magisk_files
> Source code: https://github.com/vvb2060/Magisk
> Before installation, all modules must be disabled/removed!! Then, you can only use Magisk Lite's Magisk Manager.
>
> Test detection app: https://github.com/vvb2060/MagiskDetector/releases/latest

I can add another confirmation that this version is indeed working with MagiskHide OFF and the package renamed.

QkiZMR commented 4 years ago

> The author already commented that a good-list approach would mean a complete rewrite of the whole Magisk architecture.
>
> The MagiskHide project is doomed to death, because Google's hardware attestation will ultimately kill root-hiding. There is no point in rewriting an entire project that may be killed at any time.

Using MagiskHide after full hardware attestation will still be needed for applications that do not use SafetyNet but use their own checks, like looking for the su binary. MagiskHide will still be necessary after that.

iAmPhilo commented 4 years ago

There is a way to fix it, credit to mrspeccy. I don't know how to build a clone of Magisk, so it would be great if someone could and post it here. The fix is below.

```sh
# Rename Magisk's working directory throughout the sources (the "*" globs
# were eaten by markdown in the original post)
find . -name "*.sh" -exec sed -i 's|/sbin/.magisk|/sbin/.magiks|g' {} \;
find . -name "*.h"  -exec sed -i 's|/sbin/.magisk|/sbin/.magiks|g' {} \;
find . -name "*.kt" -exec sed -i 's|/sbin/.magisk|/sbin/.magiks|g' {} \;
```

vvb2060 commented 4 years ago

@iAmPhilo What, are you kidding? If you want to test, you can use this app. Its first check item is for this issue.

zx900930 commented 4 years ago

@iAmPhilo replacing the folder name from .magisk to .magiks won't change anything 😅

iAmPhilo commented 4 years ago

> @iAmPhilo replacing the folder name from .magisk to .magiks won't change anything 😅

It does. The Santander app and Epic Seven are detecting .magisk, but they don't detect it because it's called .magiks now; people have confirmed it working on threads.

> @iAmPhilo What, are you kidding? If you want to test, you can use this app. Its first check item is for this issue.

I'm not sure, but it does work. Others have used it as well, and the banking app (Santander) and Epic Seven are working fine after and not being detected. Posts below; as mentioned before, it's not my work but mrspeccy's, and it 'is' working and not being detected.

https://forum.xda-developers.com/showpost.php?p=83204935&postcount=25
https://forum.xda-developers.com/apps/magisk/santander-app-custom-rom-root-device-t3794753/page30
https://forum.xda-developers.com/apps/magisk/how-to-bypass-lloyds-root-detection-t3837206

amanenk commented 4 years ago

> I have a Magisk branch that solves this problem. Magisk Lite only has SU and no Magisk module function. If your banking apps detected Magisk, and you don't use Magisk module, you can try this branch.
>
> Download: https://github.com/vvb2060/magisk_files
> Source code: https://github.com/vvb2060/Magisk
> Before installation, all modules must be disabled/removed!! Then, you can only use Magisk Lite's Magisk Manager.
>
> Test detection app: https://github.com/vvb2060/MagiskDetector/releases/latest

I've tried to install it, but after zip installation via TWRP the magisk app does not see magisk installed. I removed the original magisk before installing this one and the diia app started working, but Google Pay stopped. My phone is a Sony XZ1 Compact with LineageOS 17.1. I don't need root. Is there a way to make diia and Google Pay work at the same time?

iAmPhilo commented 4 years ago

> Which folder name please write in detail if it works

It's something you have to do in the source and it works at the moment, at least on my private build.

The root detection is called mount leak and is still possible with the latest canary build. However, by changing the path where Magisk resides you can circumvent this detection, as I've tested, and it's working fine regardless of what others are saying.

febryanasaperdana commented 4 years ago

Does recent Magisk version already solve this "mount leak" issue? Thanks.

amanenk commented 4 years ago

> There is a way to fix it, credit to mrspeccy. I don't know how to build a clone of Magisk, so it would be great if someone could and post it here. The fix is below.
>
> * Cloned the Magisk project from GitHub (https://github.com/topjohnwu/Magisk)
>
> * Switched to commit [0b41cd8](https://github.com/topjohnwu/Magisk/commit/0b41cd85642d21a2e9bde6a07d3df5146fe0055e), followed by git submodule update
>
> * Ran the following three commands to replace the relevant paths in the source files:
>
> ```sh
> find . -name "*.sh" -exec sed -i 's|/sbin/.magisk|/sbin/.magiks|g' {} \;
> find . -name "*.h"  -exec sed -i 's|/sbin/.magisk|/sbin/.magiks|g' {} \;
> find . -name "*.kt" -exec sed -i 's|/sbin/.magisk|/sbin/.magiks|g' {} \;
> ```

I tried this one. Magisk has built successfully. I have installed zip via TWRP but diia app still does not want to start.

febryanasaperdana commented 4 years ago

> > There is a way to fix it, credit to mrspeccy. I don't know how to build a clone of Magisk, so it would be great if someone could and post it here. The fix is below.
> >
> > * Cloned the Magisk project from GitHub (https://github.com/topjohnwu/Magisk)
> >
> > * Switched to commit [0b41cd8](https://github.com/topjohnwu/Magisk/commit/0b41cd85642d21a2e9bde6a07d3df5146fe0055e), followed by git submodule update
> >
> > * Ran the following three commands to replace the relevant paths in the source files:
> >
> > ```sh
> > find . -name "*.sh" -exec sed -i 's|/sbin/.magisk|/sbin/.magiks|g' {} \;
> > find . -name "*.h"  -exec sed -i 's|/sbin/.magisk|/sbin/.magiks|g' {} \;
> > find . -name "*.kt" -exec sed -i 's|/sbin/.magisk|/sbin/.magiks|g' {} \;
> > ```
>
> I tried this one. Magisk has built successfully. I have installed the zip via TWRP but the diia app still does not want to start.

I think just changing where Magisk resides cannot defeat an app that can detect Magisk using other mechanisms. It's not reliable. But I'll take your word for it, since root hiding is actually a cat and mouse game. One tries to hide, and one tries to capture.

vgropp commented 4 years ago

> @mthnry S-pushTan is detecting Magisk 20.4 (probably using this method)
>
> It doesn't detect Magisk canary, at least DKB doesn't.

can confirm this, tan2go starts again on android11 magisk canary d6dbab53 (20427), manager hidden and renamed, systemless hosts

sidamos commented 4 years ago

So, this problem is fixed by the new stable/beta Magisk? Newest S-pushTan version can't detect Magisk anymore?

Displax commented 4 years ago

@sidamos This issue is still open, so obviously not.

sTiKyt commented 4 years ago

App called "Dia" by Ministry of Digital Transformation of Ukraine uses this problem to detect root even when magisk hide is enabled for app. For now people just patch "Dia" using Lucky Patcher, but I hope this is going to be fixed in the future.

chrismin13 commented 3 years ago

Adding on to the list of apps with this issue: Winbank Mobile by Piraeus Bank in Greece also detects Magisk through, I believe, this method. More specifically: it disables NFC payments with a message that says RootNotSupported. No patch is currently available as a workaround. Is there any way to ensure that this detection method is how the app knows about Magisk?

By the way, the app is stupid enough to not look at SafetyNet or any other forms of SU, only Magisk. So I'm sticking to older SU methods for now...

sTiKyt commented 3 years ago

> Sorry, my bad. The application is: https://play.google.com/store/apps/details?id=ua.gov.diia.app It's already decompiled and the detection code is found: https://4pda.ru/forum/index.php?showtopic=976919&st=540#entry95456892 It's in Russian, so I'll translate it:

Well, it's not in Russian, it's in Ukrainian, stop misinforming people please, English community thinks Ukraine is part of Russia because of that.

Sorry for off-topic, everyone.