Root detected on unrooted AVD system images

[brycethorup]

I have added freeRASP to my app and I can confirm that root is detected on a rooted API 31 level system image using an android emulator. I can also confirm that android emulators using unrooted system images with API level 31 or higher do not get detected, as I would expect. The trouble is that any android emulator running an unrooted system image with API level 30 or lower (I've tested down to API level 27) always get detected as a rooted device.

Here is the main.dart I used for testing:

import 'package:flutter/material.dart';
import 'package:freerasp/talsec_app.dart';

void main() {
  runApp(const MyApp());
  initFreeRASP();
}

void initFreeRASP() {
  final callback = TalsecCallback(
    androidCallback: AndroidCallback(
      onRootDetected: () => print('ROOT DETECTED'),
    ),
    iosCallback: const IOSCallback(),
  );
  final app = TalsecApp(
    config: TalsecConfig(
      watcherMail: '[email protected]',
      androidConfig: AndroidConfig(
        expectedPackageName: 'abc',
        expectedSigningCertificateHash:
            'YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=',
      ),
      iosConfig: const IOSconfig(
        appBundleId: 'abc',
        appTeamId: 'abc123',
      ),
    ),
    callback: callback,
  );
  app.start();
}

class MyApp extends StatelessWidget {
  const MyApp({Key? key}) : super(key: key);

  @override
  Widget build(BuildContext context) => Container();
}

Here are the android emulator configurations I have tested (all unrooted):

• Pixel 5 API 30
• Pixel 4a API 30
• Pixel 3a XL API 29
• Pixel 3 XL API 28
• Pixel 3 XL API 27

[talsec-app]

Hello @brycethorup ,
It's a common trap - these images are, in fact, equipped with a su file. With a started emulator, open your terminal and run this command:

adb shell 'ls /system/xbin'

You should get output like this:

...
simpleperf
strace
su <---here it is
taskstats
tcpdump

Hope it helps you!

Let us know if you need anything,
Talsec Team

[brycethorup]

I can confirm that the images that were being detected as being rooted to have the su executable. This raises a new concern though, as all of the images that weren't being detected as being rooted also have su binaries in the /system/xbin directory. The one common characteristic I am seeing is that the images that aren't detected as being rooted are x86_64 images (except for the image that I explicitly rooted) and the ones that are being detected as being rooted have x86 images.

Would your recommendation be to not use an android emulator to test root detection?

[talsec-app]

Thank you for the confirmation. We will inspect the issue and try to clarify the recommended steps.

[talsec-app]

Hello @brycethorup ,

we have further investigated the issue and can confirm that we were able to reproduce the behaviour that you have mentioned. To clarify a bit, we are able to detect "su" images in "system/xbin" directory even on "x86_64" images but not on "x86_64" images with API level 31 and newer. We would like to again thank you for bringing this to our attention and we will try to address and fix this issue in the future releases.

We do still believe that checking whether the "su" binary is present on the device is a valid way of detecting root, our recommendation would therefore be to use clean, i.e. without "su" binary, device or emulator if you do not want it to be detected as rooted.

Hope it helps.
Kind regards,
Talsec Team