In this issue: bypassing the restriction on access to hidden methods, detecting root even when Magisk Hide is enabled, a story about how Google finds malicious apps on Google Play, myths about application performance optimization techniques, a guide to protecting an application's communication channels, and examples of using extension functions in Kotlin. Plus a selection of pentester tools and developer libraries.
How to bypass protection for access to hidden methods
Developers: It’s super easy to bypass Android’s hidden API restrictions – a detailed write-up on how to get around the restriction on access to hidden methods in Android 9 and later.
Like any other OS, Android exposes an extensive API through which developers call OS functionality. Alongside it lives a set of hidden but sometimes very useful methods, for example one that expands the status bar. They cannot be called directly, because they simply are not in the SDK; the options are a modified SDK (hard) or reflection (very easy).
Reflection can reach any method or field of any class, which can of course be used for purposes the platform never intended. So, starting with Android 9, Google maintains a blacklist of methods and fields that cannot be reached through reflection (and a grey list that is still allowed but logged). A blacklisted lookup fails as if the member did not exist, with a NoSuchMethodException or NoSuchFieldException; a grey-listed one succeeds with a warning in logcat.
But this protection has a weak spot: the check only looks at who is directly making the reflective lookup, and framework code (loaded from the boot class path) is always allowed through. So if, instead of calling Class.forName or getMethod ourselves, we make the system do it for us, the check gives the go-ahead: it cannot refuse itself.
So, here is the standard way to call a hidden method through reflection (it does not work: the lookup fails with NoSuchMethodException):
// Plain reflection: our app is the caller of getMethod, so the hidden-API check rejects the lookup.
val someHiddenClass = Class.forName("android.some.hidden.Class")
val someHiddenMethod = someHiddenClass.getMethod("someHiddenMethod", String::class.java)
someHiddenMethod.invoke(null, "some important string")
A new way to call a hidden method, with double reflection (it works because the immediate caller of forName and getMethod is now the framework's own Method.invoke, not our application):
import java.lang.reflect.Method

// Look up Class.forName and Class.getMethod themselves via reflection.
val forName = Class::class.java.getMethod("forName", String::class.java)
val getMethod = Class::class.java.getMethod("getMethod", String::class.java, arrayOf<Class<*>>()::class.java)
// Invoking them through Method.invoke makes the framework the caller, so the check passes.
val someHiddenClass = forName.invoke(null, "android.some.hidden.Class") as Class<*>
// getMethod's second parameter is a Class<?>[] vararg, so it must be passed as one array argument.
val someHiddenMethod = getMethod.invoke(someHiddenClass, "someHiddenMethod", arrayOf(String::class.java)) as Method
someHiddenMethod.invoke(null, "some important string")
But that is not all: with this trick we can reach a very interesting hidden method, VMRuntime.setHiddenApiExemptions, which (bam!) lets us add the members we need to the exemption list and then call them with plain reflection.
The following code tells the runtime to exempt every hidden member at once (every class descriptor starts with "L", so the prefix "L" matches everything):
import java.lang.reflect.Method

val forName = Class::class.java.getDeclaredMethod("forName", String::class.java)
val getDeclaredMethod = Class::class.java.getDeclaredMethod("getDeclaredMethod", String::class.java, arrayOf<Class<*>>()::class.java)
// Resolve dalvik.system.VMRuntime and its methods through the framework's own reflection calls.
val vmRuntimeClass = forName.invoke(null, "dalvik.system.VMRuntime") as Class<*>
val getRuntime = getDeclaredMethod.invoke(vmRuntimeClass, "getRuntime", arrayOf<Class<*>>()) as Method
// setHiddenApiExemptions(String[] signaturePrefixes): its single parameter is a String[].
val setHiddenApiExemptions = getDeclaredMethod.invoke(vmRuntimeClass, "setHiddenApiExemptions", arrayOf(arrayOf<String>()::class.java)) as Method
val vmRuntime = getRuntime.invoke(null)
// Exempt every hidden member for the rest of the process lifetime.
setHiddenApiExemptions.invoke(vmRuntime, arrayOf("L"))
Google is aware of this. A bug report about calling hidden methods this way was closed with the explanation that the restriction is a guard rail for developers, not a security boundary. Note that the trick is specific to the Android 9 and 10 era the article covers: later releases make the caller check look past the reflection frames, so double reflection no longer gets through.
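The snippets above are easy to get subtly wrong (the vararg parameter of getMethod must be handed over as one array, and a blacklisted member is reported as missing rather than as forbidden). The helper below is an added example, not code from the article or from Android: it wraps the double-reflection lookup in one place, adds a probe that tells you whether plain reflection is refused for a member on the current device, and exposes the setHiddenApiExemptions call. The class and method names in the usage function at the bottom are the article's placeholders and do not exist; only dalvik.system.VMRuntime and its two methods are real. It assumes an Android 9 or 10 runtime.

```kotlin
import java.lang.reflect.Method

// Added example: a reusable wrapper around the double-reflection trick (Android 9/10).
object HiddenApi {
    // Class.forName and Class.getDeclaredMethod, themselves resolved through reflection, so that
    // the framework's Method.invoke, not app code, is the immediate caller of every lookup.
    private val forName: Method =
        Class::class.java.getDeclaredMethod("forName", String::class.java)
    private val getDeclaredMethod: Method =
        Class::class.java.getDeclaredMethod(
            "getDeclaredMethod", String::class.java, arrayOf<Class<*>>()::class.java
        )

    fun loadClass(name: String): Class<*> = forName.invoke(null, name) as Class<*>

    // parameterTypes is handed over as ONE array argument: getDeclaredMethod's second parameter
    // is a Class<?>[] vararg, and passing the classes individually makes Method.invoke throw
    // IllegalArgumentException ("argument type mismatch").
    fun method(owner: Class<*>, name: String, vararg parameterTypes: Class<*>): Method =
        getDeclaredMethod.invoke(owner, name, arrayOf(*parameterTypes)) as Method

    // True if plain reflection is refused for this member on the current device. The runtime
    // reports a blacklisted member as NoSuchMethodException, exactly as for a member that does
    // not exist, so a typo in the name also comes back as "restricted".
    fun isRestricted(owner: Class<*>, name: String, vararg parameterTypes: Class<*>): Boolean =
        try {
            owner.getDeclaredMethod(name, *parameterTypes)
            false
        } catch (e: NoSuchMethodException) {
            true
        }

    // Exempt every member (all class descriptors start with "L") for the rest of the process.
    fun exemptAll() {
        val vmRuntimeClass = loadClass("dalvik.system.VMRuntime")
        val vmRuntime = method(vmRuntimeClass, "getRuntime").invoke(null)
        method(vmRuntimeClass, "setHiddenApiExemptions", arrayOf<String>()::class.java)
            .invoke(vmRuntime, arrayOf("L"))
    }
}

// Usage. "android.some.hidden.Class" / "someHiddenMethod" are the article's placeholders
// (hypothetical); substitute the member you actually need.
fun demo() {
    val cls = HiddenApi.loadClass("android.some.hidden.Class")
    if (HiddenApi.isRestricted(cls, "someHiddenMethod", String::class.java)) {
        // Either call through the wrapper...
        val m = HiddenApi.method(cls, "someHiddenMethod", String::class.java)
        m.isAccessible = true
        m.invoke(null, "some important string")
        // ...or lift the restriction once and use plain reflection from then on.
        HiddenApi.exemptAll()
    }
    cls.getDeclaredMethod("someHiddenMethod", String::class.java)
        .invoke(null, "some important string")
}
```

The probe is worth keeping in production code: if a later Android release closes the hole, isRestricted still returns true after exemptAll, and the app can fall back to a supported code path instead of crashing on the second lookup.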
How to detect Magisk
Detecting Magisk Hide – an article on how to detect the presence of Magisk (and therefore root) on a device even when Magisk Hide is enabled.
Magisk is the well-known, and by now effectively the only, tool for systemless rooting. It provides root privileges without modifying the system partition and also applies various system tweaks. One of its widely used features is Magisk Hide, which hides Magisk itself and the presence of root from the applications you select.
Magisk works by mounting, on top of the system partition, an overlay file system that contains the su binary (needed to obtain root) and the components it depends on. The mount happens early in boot, but when Magisk Hide is active, Magisk removes the overlay for the selected applications. In other words, ordinary apps see the overlay's contents, while the apps listed in Magisk Hide do not; from their point of view the phone is not rooted.
The rest of the article is available only to Xakep.ru members; material from the latest issues becomes available separately two months after publication.