Mobile App Pentesting: Root and Emulator Bypass
--
Mobile pentest of .apk apps
Findings:
1. Bypass Root Detection
2. Bypass Emulator Detection
3. Bypass Login Screen
4. Get Admin Screen (Not Flag)
Tools:
1. MobSF — Static Analysis
2. RMS — Dynamic Analysis
PoC (Proof of Concept)
1. Install the .apk on an Android emulator.
2. The app detects root and emulator environments.
3. Do static analysis with MobSF to analyze the Java code and find the functions that detect root and emulator environments.
4. Examine MainActivity, because this activity is executed first, and find the l() and isEmulator() functions, which return a boolean and are called in the onCreate() function.
5. Do dynamic analysis with RMS to learn the behavior of these two functions.
6. Set hooks on these functions and hardcode the return value to 'false' to bypass the validation.
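
Steps 3 and 4 as an added example (not part of the original write-up and not MobSF's own code): a small Python pass over decompiled Java that lists the boolean methods used as gates inside onCreate(), which is the pattern that lets one hook per method decide the outcome. The sample source, the method bodies and the helper names `balanced` and `boolean_gates` are constructed for illustration.

```python
import re

# Constructed stand-in for decompiled MainActivity source (not the real app's code).
SAMPLE = '''
public class MainActivity extends Activity {
    private boolean l() { return new File("/system/xbin/su").exists(); }
    public boolean isEmulator() { return Build.FINGERPRINT.contains("generic"); }
    protected void onCreate(Bundle b) {
        super.onCreate(b);
        if (l() || isEmulator()) { finish(); return; }
        setContentView(R.layout.main);
    }
}
'''

BOOL_DECL = re.compile(r'\bboolean\s+(\w+)\s*\(')   # boolean-returning method declarations
CALL = re.compile(r'\b(\w+)\s*\(')                  # any call site: name(

def balanced(src, start, open_ch, close_ch):
    """Return the text enclosed by the bracket at src[start] and its match.
    Simplification: brackets inside string literals are not skipped."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == open_ch:
            depth += 1
        elif src[i] == close_ch:
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    raise ValueError("unbalanced brackets")

def boolean_gates(src, method="onCreate"):
    """Names of boolean methods called inside if-conditions of `method`."""
    declared = set(BOOL_DECL.findall(src))
    head = re.search(r'\bvoid\s+' + re.escape(method) + r'\s*\([^)]*\)\s*\{', src)
    if head is None:
        return []
    body = balanced(src, head.end() - 1, '{', '}')
    gates = []
    for m in re.finditer(r'\bif\s*\(', body):
        for name in CALL.findall(balanced(body, m.end() - 1, '(', ')')):
            if name in declared and name not in gates:
                gates.append(name)
    return gates

if __name__ == "__main__":
    # Each name listed is a single boolean decision point the app's startup relies on.
    print(boolean_gates(SAMPLE))
```

Every name this reports is a decision made entirely on the client, so for the developer the finding is that these return values should not be the only control in front of the login and admin screens.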