
kevlar-kt / kevlar


Android Security Toolkit & Framework

Home Page: https://kevlar-kt.github.io/kevlar

License: Apache License 2.0

Kotlin 99.57% Shell 0.43%
android kotlin seccurity antipiracy integrity rooting

kevlar's People

Contributors

cioccarellia, nek-12


kevlar's Issues

[BUG] [Rooting] False-positives for certain devices

Bug description

I'm seeing false positive results with some of my users for rooting checks.
I have a small dataset for now, but something is not right at this point for sure.

The following devices are 100% confirmed to be false-positives:

  • Android One 11, Xiaomi Mi A3, dev opts unknown
  • Redmi note 8 pro, miui 11, dev options enabled, adb debugging ON, SafetyNet checks pass out of the box
  • Redmi Note 8 Pro, Android 11, dev opts enabled

But I've seen some strange results on the backend. Some devices previously shown as non-rooted ended up being reported as rooted anyway after some time (I run checks periodically in the background). I'm investigating this, as it may be an issue on my side. My hypothesis for now is that there's something intermittent that may affect the test results.

Here's the KevlarRooting configuration:

KevlarRooting {
    targets {
        root()
        magisk()
        busybox()
        toybox()
        xposed()
    }
    
    status {
        emulator()
        testKeys()
        selinux {
            flagPermissive()
        }
    }
    
    allowRootCheck()
}

Out of all those, the selinux permissive flag looks the most suspicious. I think that some devices may have selinux permissive set to true. But the emulator() flag is my second best guess. My app doesn't have the QUERY_ALL_PACKAGES permission so the magisk/busybox/toybox/xposed checks may be useless.

Reproduction steps

Unable to reproduce as all of my devices are rooted and/or emulators

I will update this issue as I get more data. I expect no more than the average share of users to be rooted, which is 7.6% according to Kaspersky Lab research data for 2017 (adding some probability margins here and there).

UPD1: I just learned that the bootloader is unlocked out of the box on the Redmi Note 8 Pro, but the user says they don't have Magisk installed.
Running getenforce on the target device yields "command not found".

[BUG] Google Play does not allow QUERY_ALL_PACKAGES permission

Bug description

Google play does not allow the QUERY_ALL_PACKAGES permission if your app is not a launcher app.

Reproduction steps

  1. Build a non-launcher app
  2. Declare QUERY_ALL_PACKAGES in your app's manifest
  3. Submit a release build
  4. Watch your app update get rejected and app removed from the play store

Expected behavior

The library should either declare its own <queries> entries in the module's manifest, or provide documentation on which entries to include in <queries> when having QUERY_ALL_PACKAGES is not an option.

Actual behavior

Nothing, apart from a single mention in the docs that assumes anyone may add the permission as they please.
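As an added illustration of the point above (this is not kevlar's code and not part of the original issue), the snippet below shows what a package-based root-manager probe looks like once QUERY_ALL_PACKAGES is off the table. The watched package list is an assumption: Magisk's manager package name is the well-known one, and Magisk can repackage itself under a random name when its "hide the app" option is used, so treat this as a weak signal. The manifest must carry one <package android:name="…"/> element inside <queries> per watched package; the comment in the code states the exact consequence when it does not.

```kotlin
import android.content.Context
import android.content.pm.PackageManager

// Packages worth probing for. Assumed list: adapt it to your own threat model.
val WATCHED_PACKAGES: List<String> = listOf("com.topjohnwu.magisk")

/**
 * Returns the subset of WATCHED_PACKAGES the platform lets this app see as installed.
 *
 * On Android 11+ (package visibility filtering) this needs, in AndroidManifest.xml,
 *
 *   <queries>
 *       <package android:name="com.topjohnwu.magisk" />
 *   </queries>
 *
 * Without that entry, getPackageInfo throws NameNotFoundException for a package that
 * is installed but invisible, which is indistinguishable from a genuinely absent
 * package: the check then silently degrades to "never found" rather than failing loudly.
 */
fun visibleWatchedPackages(context: Context): List<String> {
    val pm = context.packageManager
    return WATCHED_PACKAGES.filter { pkg ->
        try {
            pm.getPackageInfo(pkg, 0)
            true
        } catch (e: PackageManager.NameNotFoundException) {
            false
        }
    }
}

/** True when at least one watched package is installed and visible to this app. */
fun rootManagerVisible(context: Context): Boolean =
    visibleWatchedPackages(context).isNotEmpty()
```

Because a missing <queries> entry produces a false negative instead of an error, verify the visibility declaration once on a test device that has the watched package installed, not only on a clean one.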

[FR] Provide documentation on building, maintaining and publishing the library

Feature description

I'm unable to publish to maven local because there is no developer guide, and to build it I had to dig through the build file source code (which is unnecessarily complicated, by the way), searching for missing properties, env variables and other stuff that breaks publishing. The library also uses an in-memory PGP signature instead of pushing keys to a popular PGP key repo.

Use cases

I want to maintain my own fork of the library and contribute

[BUG] Rooting: Flags all devices as rooted starting with Android 6.0

Bug description

In Android Marshmallow, the toybox binary was included in the system:
https://android.googlesource.com/platform/external/toybox/
https://lwn.net/Articles/629362/

This results in rooting checks failing for ALL devices above Android 6.0, as a non-rooted terminal shell now responds positively for the toybox binary.

Reproduction steps

Run which toybox on a device without root on Android 6.0+.

Expected behavior

Toybox is not included in the attestation at all.

Actual behavior

Result will be present, and the attestation will fail.

We shouldn't check for toybox anymore.
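To make the distinction concrete, here is an added example (not kevlar's implementation) of a binary-presence scan that separates tools AOSP ships itself, such as toybox, from binaries whose presence actually indicates a root setup. It stats candidate paths instead of shelling out to `which`, so it needs no shell and runs nothing. The extra directory list and the two binary lists are assumptions drawn from common practice, not from the kevlar sources.

```kotlin
import java.io.File

// Shipped by AOSP on Android 6.0+ (toybox replaced toolbox as the shell toolset);
// finding these proves nothing about root, so they are recorded but never scored.
val SYSTEM_SHIPPED_TOOLS: Set<String> = setOf("toybox", "toolbox", "sh")

// Binaries that do not exist on a stock device and are installed by root setups.
val ROOT_INDICATOR_BINARIES: Set<String> = setOf("su", "magisk", "busybox")

// Directories root managers commonly use in addition to $PATH (assumed list).
val EXTRA_ROOT_PATHS: List<String> = listOf(
    "/sbin", "/su/bin", "/system/xbin", "/system/sd/xbin",
    "/data/local/xbin", "/data/local/bin", "/data/adb/magisk"
)

/** Outcome of one scan: files that count as indicators, and benign hits that were ignored. */
data class RootScan(val indicators: Set<File>, val ignoredSystemTools: Set<File>) {
    val looksRooted: Boolean get() = indicators.isNotEmpty()
}

/** Stat-based scan over PATH plus EXTRA_ROOT_PATHS; never executes anything. */
fun scanForRootBinaries(pathEnv: String? = System.getenv("PATH")): RootScan {
    val dirs = (pathEnv.orEmpty().split(':').filter { it.isNotEmpty() } + EXTRA_ROOT_PATHS).distinct()
    val indicators = mutableSetOf<File>()
    val ignored = mutableSetOf<File>()
    for (dir in dirs) {
        for (name in ROOT_INDICATOR_BINARIES + SYSTEM_SHIPPED_TOOLS) {
            val candidate = File(dir, name)
            // isFile returns false, rather than throwing, when SELinux or mode bits deny the stat.
            if (candidate.isFile) {
                if (name in SYSTEM_SHIPPED_TOOLS) ignored += candidate else indicators += candidate
            }
        }
    }
    return RootScan(indicators, ignored)
}

fun main() {
    val scan = scanForRootBinaries()
    println("ignored system tools: ${scan.ignoredSystemTools}")
    println("root indicators:      ${scan.indicators}")
    println("looks rooted:         ${scan.looksRooted}")
}
```

The caveat cuts the other way too: an untrusted app is denied search access to several of those directories, so a clean stat result is a weak negative, not proof of absence. Score only the indicator set, and never the tools list.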

[BUG] Library introduces breaking changes without documenting them in v1.1.0

Bug description

I compiled a (yet unpublished) 1.1.0 version and pushed it to maven local.
When I tried to build the project, I got 10 compiler errors

Reproduction steps

  1. Set up Kevlar 1.0
  2. Upgrade Kevlar version to 1.1.0
  3. Project doesn't build anymore

Expected behavior

As this is a minor version change (x.Y.x), I expected there to be no significant breaking changes to the API.
For API changes, major or alpha versions should be used.

[Integrity] Have no access to Google Play App Signing signature to verify signature in production

This is more of a question because I'm stuck on finding a solution for the problem.

The guide on Integrity outlines that in order to get the app signature, a viable method would be to use the KevlarIntegrity.obtainCurrentAppSignature method. Turns out, for developers using the Play App Signing API, the signature that is being used to distribute the APK to devices is managed by google, and is not accessible to developers. The only signature we actually have access to is the signature that is used for uploading the release (the upload signature).

Is there another way to get the actual Play Store app signature, except for adding a log method call to a release build of the app, uploading this compromised build to the Play Store, obtaining the APK and then examining a rooted device's logcat output?

Even if the signature is obtained, we would still need to create a separate build config value or a product flavor just to set this signature string, because distributing with the upload signature would then trigger a KevlarIntegrity check failure. Another option is to be stuck with Google Play's app signature, and upload and then download a release from their servers to be able to distribute it to other channels...

The information we do have is the Play App Signing certificate fingerprints, and using those seems more appropriate to me, but is it possible inside the app?
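Answering the last question with an added example (this is not kevlar's API, nor a reply from the maintainers): the SHA-256 fingerprint Play Console shows for the app signing key is the SHA-256 of the DER-encoded signing certificate, and that certificate is exactly what `PackageManager` hands back at runtime, so the app can compare against the Console's fingerprint without ever seeing the signing key. The expected fingerprint constant below is a placeholder to be replaced with the value from the Console; `MessageDigest.isEqual` keeps the comparison constant-time.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.content.pm.Signature
import android.os.Build
import java.security.MessageDigest

// Placeholder. Paste the "App signing key certificate" SHA-256 fingerprint from
// Play Console (Setup > App integrity). For builds you distribute yourself with
// the upload key, inject the upload certificate's fingerprint via BuildConfig instead.
const val EXPECTED_SIGNING_CERT_SHA256: String =
    "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"

/** SHA-256 over the DER certificate bytes, formatted like keytool and Play Console. */
fun Signature.sha256Fingerprint(): String =
    MessageDigest.getInstance("SHA-256")
        .digest(toByteArray())
        .joinToString(":") { "%02X".format(it) }

/** Certificates that signed the installed APK's contents (excludes rotation history). */
fun currentSigners(context: Context): List<Signature> {
    val pm = context.packageManager
    val pkg = context.packageName
    return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        val info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES)
        info.signingInfo?.apkContentsSigners?.toList() ?: emptyList()
    } else {
        @Suppress("DEPRECATION")
        val info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES)
        @Suppress("DEPRECATION")
        val signatures = info.signatures
        signatures?.toList() ?: emptyList()
    }
}

/** Canonical form for comparison: no separators, upper case, ASCII bytes. */
private fun canonical(fingerprint: String): ByteArray =
    fingerprint.replace(":", "").uppercase().toByteArray(Charsets.US_ASCII)

/**
 * True when the APK has at least one signer and every signer's certificate
 * fingerprint equals [expectedSha256].
 */
fun isSignedByExpectedKey(
    context: Context,
    expectedSha256: String = EXPECTED_SIGNING_CERT_SHA256
): Boolean {
    val expected = canonical(expectedSha256)
    val signers = currentSigners(context)
    return signers.isNotEmpty() &&
        signers.all { MessageDigest.isEqual(canonical(it.sha256Fingerprint()), expected) }
}
```

Two practical notes: an upload-key build will fail this check by design, which is why the expected value belongs in a per-flavor BuildConfig field rather than in source; and a check that lives inside the APK can be patched out of a repackaged APK, so for anything security-relevant treat it as a tripwire and rely on a server-side verdict for the real decision.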

[BUG] Libsu dependency needed

Bug description

I'm using Kevlar Rooting v1.1.0 and I'm getting this error when attesting targets:

java.lang.NoClassDefFoundError: Failed resolution of: Lcom/topjohnwu/superuser/Shell;
at com.kevlar.rooting.shell.DumperKt$BinaryDump$2$shellId$3.invokeSuspend(Dumper.kt:120)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:106)
at kotlinx.coroutines.internal.LimitedDispatcher.run(LimitedDispatcher.kt:42)
at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:95)
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:570)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:750)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:677)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:664)

To solve this error I had to add this library (libsu) as a dependency myself.
I have seen in the code that this library is used, but the Maven artifact does not declare it as a dependency:
https://mvnrepository.com/artifact/io.github.kevlar-kt/rooting/1.1.0
