From b71502a78055e12227f83359cda7d51874e312de Mon Sep 17 00:00:00 2001 From: Fi5t Date: Wed, 15 Jul 2020 23:47:49 +0300 Subject: [PATCH 1/9] Add additional dangerous apps packages (#145) Looks good to me, thanks! --- .../java/com/scottyab/rootbeer/Const.java | 21 ++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/rootbeerlib/src/main/java/com/scottyab/rootbeer/Const.java b/rootbeerlib/src/main/java/com/scottyab/rootbeer/Const.java index ca76d8c..1ccb727 100644 --- a/rootbeerlib/src/main/java/com/scottyab/rootbeer/Const.java +++ b/rootbeerlib/src/main/java/com/scottyab/rootbeer/Const.java @@ -38,7 +38,26 @@ private Const() throws InstantiationException { "com.ramdroid.appquarantine", "com.ramdroid.appquarantinepro", "com.android.vending.billing.InAppBillingService.COIN", - "com.chelpus.luckypatcher" + "com.android.vending.billing.InAppBillingService.LUCK", + "com.chelpus.luckypatcher", + "com.blackmartalpha", + "org.blackmart.market", + "com.allinone.free", + "com.repodroid.app", + "org.creeplays.hack", + "com.baseappfull.fwd", + "com.zmapp", + "com.dv.marketmod.installer", + "org.mobilism.android", + "com.android.wp.net.log", + "com.android.camera.update", + "cc.madkite.freedom", + "com.solohsu.android.edxp.manager", + "org.meowcat.edxposed.manager", + "com.xmodgame", + "com.cih.game_cih", + "com.charles.lpoqasert", + "catch_.me_.if_.you_.can_" }; public static final String[] knownRootCloakingPackages = { From 08d57fa9589b952e92724032adcc907ed41a321d Mon Sep 17 00:00:00 2001 From: Roberto Gonzalez Date: Fri, 17 Jul 2020 10:05:44 +0200 Subject: [PATCH 2/9] Add fstack protector. (#136) --- rootbeerlib/src/main/jni/Android.mk | 1 + 1 file changed, 1 insertion(+) diff --git a/rootbeerlib/src/main/jni/Android.mk b/rootbeerlib/src/main/jni/Android.mk index 404e54b..e75f763 100644 --- a/rootbeerlib/src/main/jni/Android.mk +++ b/rootbeerlib/src/main/jni/Android.mk 
@@ -25,5 +25,6 @@ include $(CLEAR_VARS) LOCAL_MODULE := tool-checker LOCAL_SRC_FILES := toolChecker.cpp LOCAL_LDLIBS := -llog +LOCAL_CPPFLAGS := -fstack-protector-all include $(BUILD_SHARED_LIBRARY) From bb43b749ed81657ee8a2bdcfe0770e4499966a36 Mon Sep 17 00:00:00 2001 From: Matthew Rollings <1211162+stealthcopter@users.noreply.github.com> Date: Tue, 21 Jul 2020 14:10:44 +0100 Subject: [PATCH 3/9] Fixed documentation to fix issue #144 (#146) Co-authored-by: stealthcopter --- .../src/main/java/com/scottyab/rootbeer/RootBeer.java | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/rootbeerlib/src/main/java/com/scottyab/rootbeer/RootBeer.java b/rootbeerlib/src/main/java/com/scottyab/rootbeer/RootBeer.java index b019fa8..194f480 100644 --- a/rootbeerlib/src/main/java/com/scottyab/rootbeer/RootBeer.java +++ b/rootbeerlib/src/main/java/com/scottyab/rootbeer/RootBeer.java @@ -35,9 +35,7 @@ public RootBeer(Context context) { } /** - * Run all the checks. - * To run the same check but without looking for the busybox binary to avoid a false positive for certain devices please - * see {@link #isRootedWithoutBusyBoxCheck() isRootedWithoutBusyBoxCheck} + * Run all the root detection checks. * * @return true, we think there's a good *indication* of root | false good *indication* of no root (could still be cloaked) */ 
@@ -52,12 +50,13 @@ public boolean isRooted() { * @deprecated This method is deprecated as checking without the busybox binary is now the * default. This is because many manufacturers leave this binary on production devices. */ + @Deprecated public boolean isRootedWithoutBusyBoxCheck() { return isRooted(); } /** - * Run all the checks apart including checking for the busybox binary. + * Run all the checks including checking for the busybox binary. * Warning: Busybox binary is not always an indication of root, many manufacturers leave this * binary on production devices * @return true, we think there's a good *indication* of root | false good *indication* of no root (could still be cloaked) From f9ec6c9ab1e6ee1ff1274f6bfe3aa1ba7f4f68f1 Mon Sep 17 00:00:00 2001 From: Slim Namouchi Date: Tue, 21 Jul 2020 14:19:44 +0100 Subject: [PATCH 4/9] Update RootBeer.java (#142) Mount command line has different outputs according to the running Android version. The output has been changed since Android Nougat as follow : <(fs_mntopts)> where : - fs_spec describes the block device or remote filesystem to be mounted. - fs_file: describes the mount point for the filesystem. - fs_vfs_type: describes the type of the filesystem. - fs_mntopts: describes the mount options associated with the filesystem. (E.g. "(rw,seclabel,nosuid,nodev,relatime)" ) --- .../java/com/scottyab/rootbeer/RootBeer.java | 59 +++++++++++++++++-- 1 file changed, 55 insertions(+), 4 deletions(-) diff --git a/rootbeerlib/src/main/java/com/scottyab/rootbeer/RootBeer.java b/rootbeerlib/src/main/java/com/scottyab/rootbeer/RootBeer.java index 194f480..11063c7 100644 --- a/rootbeerlib/src/main/java/com/scottyab/rootbeer/RootBeer.java +++ b/rootbeerlib/src/main/java/com/scottyab/rootbeer/RootBeer.java 
@@ -296,7 +296,8 @@ public boolean checkForDangerousProps() { public boolean checkForRWPaths() { boolean result = false; - + + //Run the command "mount" to retrieve all mounted directories String[] lines = mountReader(); if (lines == null){ 
@@ -304,23 +305,73 @@ public boolean checkForRWPaths() { return false; } + //The SDK version of the software currently running on this hardware device. + int sdkVersion = android.os.Build.VERSION.SDK_INT; + + /** + * + * In devices that are running Android 6 and less, the mount command line has an output as follow: + * + * + * + * where : + * - fs_spec_path: describes the path of the device or remote filesystem to be mounted. + * - fs_file: describes the mount point for the filesystem. + * - fs_spec describes the block device or remote filesystem to be mounted. + * - fs_mntopts: describes the mount options associated with the filesystem. (E.g. "rw,nosuid,nodev" ) + * + */ + + /** In devices running Android which is greater than Marshmallow, the mount command output is as follow: + * + * <(fs_mntopts)> + * + * where : + * - fs_spec describes the block device or remote filesystem to be mounted. + * - fs_file: describes the mount point for the filesystem. + * - fs_vfs_type: describes the type of the filesystem. + * - fs_mntopts: describes the mount options associated with the filesystem. (E.g. 
"(rw,seclabel,nosuid,nodev,relatime)" ) + */ + for (String line : lines) { // Split lines into parts String[] args = line.split(" "); - if (args.length < 4){ + if ((sdkVersion <= android.os.Build.VERSION_CODES.M && args.length < 4) + || (sdkVersion > android.os.Build.VERSION_CODES.M && args.length < 6)) { // If we don't have enough options per line, skip this and log an error QLog.e("Error formatting mount line: "+line); continue; } - String mountPoint = args[1]; - String mountOptions = args[3]; + String mountPoint; + String mountOptions; + + /** + * To check if the device is running Android version higher than Marshmallow or not + */ + if (sdkVersion > android.os.Build.VERSION_CODES.M) { + mountPoint = args[2]; + mountOptions = args[5]; + } else { + mountPoint = args[1]; + mountOptions = args[3]; + } for(String pathToCheck: Const.pathsThatShouldNotBeWritable) { if (mountPoint.equalsIgnoreCase(pathToCheck)) { + /** + * If the device is running an Android version above Marshmallow, + * need to remove parentheses from options parameter; + */ + if (android.os.Build.VERSION.SDK_INT > android.os.Build.VERSION_CODES.M) { + mountOptions = mountOptions.replace("(", ""); + mountOptions = mountOptions.replace(")", ""); + + } + // Split options out and compare against "rw" to avoid false positives for (String option : mountOptions.split(",")){ From 03b7ecb5e7380d3d7fbf8aeefa94298f6102bc9b Mon Sep 17 00:00:00 2001 From: Matthew Rollings <1211162+stealthcopter@users.noreply.github.com> Date: Tue, 21 Jul 2020 14:58:39 +0100 Subject: [PATCH 5/9] Added appbrain shield to readme --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 4451bf5..3303775 100644 --- a/README.md +++ b/README.md 
@@ -1,5 +1,7 @@ # RootBeer ![image](./app/src/main/res/mipmap-xhdpi/ic_launcher.png) +[![RootBeer](https://www.appbrain.com/stats/libraries/shield/rootbeer.svg)](https://www.appbrain.com/stats/libraries/details/rootbeer/rootbeer) + A tasty root checker library and sample app. We've scoured the internets for different methods of answering that age old question... **Has this device got root?** # Root checks From db127ad336689e4b1b8de8f060c44de04163c2d6 Mon Sep 17 00:00:00 2001 From: Stefan M Date: Wed, 22 Jul 2020 13:25:49 +0200 Subject: [PATCH 6/9] Delete strings.xml (#149) --- rootbeerlib/src/main/res/values/strings.xml | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 rootbeerlib/src/main/res/values/strings.xml diff --git a/rootbeerlib/src/main/res/values/strings.xml b/rootbeerlib/src/main/res/values/strings.xml deleted file mode 100644 index 7f900c7..0000000 --- a/rootbeerlib/src/main/res/values/strings.xml +++ /dev/null @@ -1,3 +0,0 @@ - - RootBeerLib - From 5fef9f62f96cdd67b38871bbe4b40557ca007620 Mon Sep 17 00:00:00 2001 From: Prempal Singh Date: Tue, 28 Jul 2020 00:20:09 +0530 Subject: [PATCH 7/9] add advice to use background thread in README (#150) thanks @prempalsingh --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3303775..82712ca 100644 --- a/README.md +++ b/README.md @@ -54,7 +54,7 @@ if (rootBeer.isRooted()) { } ``` -You can also call each of the checks individually as the sample app does. +You can also call each of the checks individually as the sample app does. It is advisable to call `isRooted()` from a background thread as it involves disk I/O. ### False positives From 2989cba895e9b120bf4e58e5acc6de094e9af7f5 Mon Sep 17 00:00:00 2001 From: Scott Alexander-Bown Date: Tue, 4 May 2021 07:47:42 +0100 Subject: [PATCH 8/9] Change log and increment version to 0.0.9 --- changes.md | 8 ++++++++ gradle.properties | 4 ++-- 2 files changed, 10 insertions(+), 2 deletions(-) 
diff --git a/changes.md b/changes.md index 1f5c167..26228f5 100644 --- a/changes.md +++ b/changes.md @@ -1,3 +1,11 @@ +Change Log + +#v0.0.9 + +* Support for Android TV devices #129 @deepakpk009 +* Add additional dangerous apps packages #145 @Fi5t +* Add fstack protector #136 @slawert + #v0.0.8 * Removed busybox from the default root checking methods diff --git a/gradle.properties b/gradle.properties index 052f505..0da5c23 100644 --- a/gradle.properties +++ b/gradle.properties @@ -24,8 +24,8 @@ android.useAndroidX=true # Automatically convert third-party libraries to use AndroidX android.enableJetifier=true -VERSION_NAME=0.0.8 -VERSION_CODE=8 +VERSION_NAME=0.0.9 +VERSION_CODE=9 GROUP=com.scottyab From 95821ecec2e77d7e7c0bb0676ec9548c67c7ad1b Mon Sep 17 00:00:00 2001 From: Scott Alexander-Bown Date: Tue, 4 May 2021 08:04:38 +0100 Subject: [PATCH 9/9] Update readme to clarify when the root cloak tests we valid --- README.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 82712ca..8e90b1a 100644 --- a/README.md +++ b/README.md 
@@ -28,15 +28,16 @@ We call through to our native root checker to run some of its own checks. Native ## Disclaimer and limitations! -We love root! both [Scott](https://github.com/scottyab) and [Mat](https://github.com/stealthcopter) (the main contributors) use rooted devices. But we appreciate sometimes you might want to have a indication your app is running on a rooted handset. Plus we wanted to see if we could beat the root cloakers. So that's what this library gives you, an *indication* of root. +We love root! both [Scott](https://github.com/scottyab) and [Mat](https://github.com/stealthcopter) (the creators) own and use rooted devices (albeit not as daily driver). However we appreciate it can be useful to have an indication your app is running on a rooted device. Plus as hackday style project we wanted to see if we could beat the root cloakers at the time in 2015. -Remember **root==god**, so there's no 100% way to check for root. +Remember **root==god**, so there's no 100% guaranteed way to check for root! treat this as an *indication* of root. ### Root cloakers -We've tested the Rootbeer lib and it shows an indication of root when testing with the following root cloak apps. However Rootbeer is defeated when using a combination of the root cloakers activated at the same time. + +In **2015** we successfully tested Rootbeer and it flagged an indication of root when testing with the following root cloak apps. However Rootbeer was defeated when using a combination of the root cloakers activated at the same time. Tested cloakers: @@ -77,7 +78,7 @@ Available on [maven central](https://search.maven.org/#search%7Cga%7C1%7Ca%3A%22 ```java dependencies { - implementation 'com.scottyab:rootbeer-lib:0.0.8' + implementation 'com.scottyab:rootbeer-lib:0.0.9' } ```
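Review bot: in [PATCH 1/9] (Const.java, hunk at -38,7) the new package names are added with no comment saying which app each one identifies or where the name was sourced, which makes later false-positive reports hard to audit. `"com.android.wp.net.log"` and `"com.android.camera.update"` sit under the `com.android.` prefix and `"catch_.me_.if_.you_.can_"` does not look like a conventional package name, so those three in particular should each get a one-line comment, or the commit message should link the reference list they came from.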
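Review bot: in [PATCH 2/9] (Android.mk, hunk at -25,5) `LOCAL_CPPFLAGS := -fstack-protector-all` only reaches C++ sources. That covers `toolChecker.cpp` as the module stands, but `LOCAL_CFLAGS` is passed to both C and C++ compiles in ndk-build, so setting the flag there would keep the protection in place if a `.c` file is ever added to `LOCAL_SRC_FILES`. The commit message is also empty; one sentence on why `-all` was picked would help whoever revisits the build flags.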
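Review bot: in [PATCH 3/9] (RootBeer.java, hunk at -35,9) the new Javadoc for `isRooted()` reads "Run all the root detection checks", but the deprecation text in the next hunk says checking without the busybox binary is now the default, so "all" overstates what the method does. Suggest wording along the lines of "Run all the root detection checks except the busybox binary check" and keeping a `{@link}` to the busybox-including variant, since the removed lines were the only cross-reference between the two methods.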
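Review bot: in [PATCH 4/9] (RootBeer.java, hunk at -304,23) the column layout is chosen from `sdkVersion` alone rather than from the shape of the line being parsed. On a device above Marshmallow whose `mount` still prints the older space-separated layout, a line with six or more fields passes the `args.length < 6` test, `args[2]` and `args[5]` are then the wrong columns, and `checkForRWPaths()` quietly reports nothing. Deciding per line, for example by testing for the literal `on` and `type` tokens the newer output places at `args[1]` and `args[3]`, would make the parser independent of the build. Smaller points in the same hunk: the parenthesis-stripping branch re-reads `android.os.Build.VERSION.SDK_INT` instead of reusing `sdkVersion`, the explanatory blocks inside the method body use `/** ... */` Javadoc markers where plain `/* ... */` comments are meant, and the pre-Nougat field list names its third field `fs_spec` with the block-device description although `fs_spec_path` already covers that.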
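Review bot: in [PATCH 8/9] (changes.md, hunk at -1,3) the v0.0.9 entry lists #129, #145 and #136 but leaves out #142, the change to how `checkForRWPaths()` parses `mount` output in [PATCH 4/9]. That is the one behavioural change in this series that can alter detection results on devices above Marshmallow, so it should have its own bullet. The README and documentation changes (#146, #150) and the `strings.xml` removal (#149) could share a single line.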
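Review bot: in [PATCH 9/9] (README.md, hunk at -28,15) the rewritten disclaimer introduces several grammar slips: "albeit not as daily driver" and "Plus as hackday style project" are each missing an article, and "check for root! treat this as an *indication* of root." starts a sentence in lower case. Since this paragraph is the library's main statement of its limitations, it is worth a proofreading pass before merge. The added "in 2015" qualifiers are useful; consider also saying outright that the cloaker results have not been re-tested since, which is what the past tense implies.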