Port MASTG-TEST-0045: Testing Root Detection (android) #3136

Open: wants to merge 13 commits into base: master

martinzigrai
Collaborator

This PR closes #3021

@cpholguera cpholguera changed the title from "MASTG-TEST-0045: Testing Root Detection (android)" to "Port MASTG-TEST-0045: Testing Root Detection (android)" on Feb 3, 2025
Collaborator

@githubrlloyd githubrlloyd left a comment

The proposal here focuses on a demo which illustrates some basic checks that can be implemented to detect root, but the purpose of the TEST is to test whether root devices are detected by an app.

I'm not sure of the usefulness of the DEMO in that regard. If someone implements these basic checks, I think they will not meaningfully address the weakness.

I think the TEST should remain focused on what good root detection characteristics are. (resilience to dynamic bypasses, breadth of root scenarios detected, effectiveness of detections, as described in the TEST).

The other valuable contribution to this TEST would be examples of how to test for those characteristics, e.g. how to set up a wide enough range of root scenarios, how to test bypassing a root detection, etc.

@cpholguera
Collaborator

cpholguera commented Feb 12, 2025

Thanks for the PR @martinzigrai.

The new MASTG tests aim at consistency (in code, content, language and structure) and reproducibility, so, before we start with the actual review, please make sure that everything is in line with our guidelines and other recently added demos (go here and sort the list, the highest numbers indicate more recent demos).

For example:

  • You have to use the official application: https://github.com/cpholguera/MASTestApp-Android (please read the README)
  • You need to include the reversed code as a file and in the markdown, using specific filenames.
  • For Android, unless the test/demo is about C code, we don't use r2; you can use semgrep.
  • Use the same language as in other test/demos for Observations and Evaluation, e.g. "The test fails if ..." as indicated in our guidelines.

Please check the latest tests and demos and read the following:

If you have any questions, I'll be happy to help. Thank you very much!

@cpholguera cpholguera requested a review from serek8 June 9, 2025 09:21
Collaborator

@serek8 serek8 left a comment

I left a couple of suggestions to make it more consistent with the rest of the v2.

@martinzigrai
Collaborator Author

Hi @serek8,

Thanks a lot for the feedback. The suggestions are very substantive and really improve the clarity and consistency.

I'll apply all of them.

Thanks!

Collaborator

@TheDauntless TheDauntless left a comment

Thanks for the submission! Just two small comments :)


The testing process involves analyzing the device environment to identify common indicators of root access. This includes checking for the presence of:

- root management tools - e.g. Magisk, SuperSU
Collaborator

Is SuperSU still relevant? Maybe we should go for Magisk, KernelSU?

Collaborator Author

Thank you for the feedback. It is a valid point, and I will update the pull request accordingly.


### Evaluation

The test fails because the app relies on only one root detection method.
Collaborator

The output.txt does indeed only include one hit, but the application checks for root using Runtime.exec and File.exists. So the detection rule should be improved?

Collaborator Author

That's a fair question. The detection rule is actually working as intended. It uses a pattern-either logic, so it's designed to report success as soon as it finds the first match in the code, which is why you only see one hit.
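
An added illustration for the review thread above, not code from this PR or from the MASTG: a small Python scan over a constructed decompiled Java snippet that records every root-check call site, grouped by technique (`File.exists` and `Runtime.exec`), so an evaluation can count distinct detection methods. The sample source, the regexes, the technique names and the minimum of two techniques are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample standing in for decompiled app code (not taken from the PR).
SAMPLE_JAVA = '''
public class RootCheck {
    boolean checkSuBinary() {
        String[] paths = {"/system/bin/su", "/system/xbin/su", "/sbin/su"};
        for (String p : paths) {
            if (new File(p).exists()) return true;
        }
        return new File("/system/app/Superuser.apk").exists();
    }
    boolean checkWhichSu() throws Exception {
        Process proc = Runtime.getRuntime().exec(new String[]{"which", "su"});
        return proc.waitFor() == 0;
    }
}
'''

# Hypothetical technique names mapped to call-site patterns. The patterns flag the
# API call only; a reviewer still confirms the argument is root-related.
TECHNIQUES = {
    "file-exists": re.compile(r"new\s+File\s*\([^)]*\)\s*\.exists\s*\(\s*\)"),
    "runtime-exec": re.compile(r"Runtime\.getRuntime\s*\(\s*\)\s*\.exec\s*\("),
    "build-tags": re.compile(r"Build\.TAGS\b[^;]*test-keys"),
}

def scan(source):
    """Return {technique: [(line_no, code), ...]} listing every matching line."""
    hits = defaultdict(list)
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, pattern in TECHNIQUES.items():
            if pattern.search(line):
                hits[name].append((line_no, line.strip()))
    return dict(hits)

def evaluate(hits, minimum=2):
    """Summarise the distinct techniques seen against an assumed minimum count."""
    found = sorted(hits)
    return {"techniques": found, "meets_minimum": len(found) >= minimum}

if __name__ == "__main__":
    result = scan(SAMPLE_JAVA)
    for name, matches in result.items():
        for line_no, code in matches:
            print(f"{name}: line {line_no}: {code}")
    print(evaluate(result))
```
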

Successfully merging this pull request may close these issues.

MASTG v1->v2 MASTG-TEST-0045: Testing Root Detection (android)