kevlar-kt / kevlar
Android Security Toolkit & Framework
Home Page: https://kevlar-kt.github.io/kevlar
License: Apache License 2.0
I'm seeing false positive results with some of my users for rooting checks.
I have a small dataset for now, but something is not right at this point for sure.
The following devices are 100% confirmed to be false-positives:
But I've seen some strange results on the backend. Some devices previously shown as non-rooted ended up being rooted anyway after some time (I run checks periodically in the background). I'm investigating this, as this may be an issue on my side. My hypothesis for now is that there's something intermittent that may affect the testing results.
Here's the KevlarRooting configuration:

    KevlarRooting {
        targets {
            root()
            magisk()
            busybox()
            toybox()
            xposed()
        }
        status {
            emulator()
            testKeys()
            selinux {
                flagPermissive()
            }
        }
        allowRootCheck()
    }
Out of all those, the selinux permissive flag looks the most suspicious. I think that some devices may have selinux permissive set to true. But the emulator() flag is my second best guess. My app doesn't have the QUERY_ALL_PACKAGES permission so the magisk/busybox/toybox/xposed checks may be useless.
Unable to reproduce as all of my devices are rooted and/or emulators
I will update this issue as I get more data. I expect no more than the average amount of users to be rooted which is 7.6% according to Kaspersky lab research data for 2017. (adding some probability margins here and there)
UPD1: I just learned that bootloader is unlocked out of the box on Redmi Note 8 Pro, but the user says they don't have magisk installed.
Running getenforce on the target device yields command not found
Google Play does not allow the QUERY_ALL_PACKAGES permission if your app is not a launcher app.
The library either specifies its <queries> string in the manifest of the module, or provides documentation on what strings to include in the <queries> string when having QUERY_ALL_PACKAGES is not an option.
Nothing, and a single mention in the docs that assumes anyone may add the permission as they please
I'm unable to publish to maven local because there is no developer guide, and to build it I had to dig through the build file source code (which is unnecessarily complicated, by the way) and search for missing properties, env variables and other stuff that breaks publishing. The library also uses an in-memory PGP signature instead of pushing keys to a popular PGP key repo.
I want to maintain my own fork of the library and contribute
In Android Marshmallow, toybox binary was included in the system
https://android.googlesource.com/platform/external/toybox/
https://lwn.net/Articles/629362/
This results in rooting checks failing for ALL devices above Android 6.0, as a non-rooted terminal shell now responds positively for the toybox binary.
Run which toybox on a device without root on Android 6.0+.
Toybox is not included in the attestation at all.
Result will be present, and the attestation will fail.
We shouldn't check for toybox anymore.
I compiled a (yet unpublished) 1.1.0 version and pushed it to maven local.
When I tried to build the project, I got 10 compiler errors
As this is a minor version change (x.Y.x) I expected there to be no significant breaking changes to the API.
For API changes, major or alpha versions should be used/changed.
This is more of a question because I'm stuck on finding a solution for the problem.
The guide on Integrity outlines that in order to get the app signature, a viable method would be to use the KevlarIntegrity.obtainCurrentAppSignature method. Turns out, for developers using the Play App Signing API, the signature that is being used to distribute the APK to devices is managed by Google, and is not accessible to developers. The only signature we actually have access to is the signature that is used for uploading the release (the upload signature).
Is there another way to get the actual play store app signature except for adding a log method call to a release build of the app, then uploading this compromised build to play store, obtaining the apk and then examining the output of a rooted device's logcat output?
Even if the signature is going to be obtained, we would still need to create a separate build config value or a product flavor just to set this signature string, because distributing using an upload signature will now cause the KevlarIntegrity check to fail. Another option is to be stuck with Google Play's app signature and upload then download a release from their servers to be able to distribute it to other channels...
The information we do have is the play app signing's certificate fingerprints, and using those seems more appropriate to me, but is it possible inside of the app?
See #1, if an application is distributed by the play store using multiple signing keys there should be a way for kevlar to have multiple valid signatures
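An in-app check of the signing certificate against several allowed SHA-256 fingerprints, as the two issues above ask for. This is an added example, not Kevlar's API and not code from the issue authors; it uses only Android framework calls, and the function names and placeholder fingerprints are assumptions.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import java.security.MessageDigest

// Constructed placeholders: paste the SHA-256 certificate fingerprints of every
// key allowed to sign a release (Play app signing key, upload key, ...).
private val ALLOWED_SHA256 = setOf(
    "PLACEHOLDER_PLAY_APP_SIGNING_KEY_SHA256",
    "PLACEHOLDER_UPLOAD_KEY_SHA256",
)

// "AA:BB:cc" and "aabbcc" both become "AABBCC" so console output can be pasted as-is.
fun normalizeFingerprint(fp: String): String =
    fp.filter { it.isLetterOrDigit() }.uppercase()

// SHA-256 over the DER-encoded certificate, as upper-case hex.
fun sha256Hex(der: ByteArray): String =
    MessageDigest.getInstance("SHA-256").digest(der)
        .joinToString("") { "%02X".format(it) }

// Fingerprints of the certificates that signed the APK currently installed.
fun currentSignerFingerprints(context: Context): Set<String> {
    val pm = context.packageManager
    val name = context.packageName
    val signers = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        pm.getPackageInfo(name, PackageManager.GET_SIGNING_CERTIFICATES)
            .signingInfo?.apkContentsSigners
    } else {
        @Suppress("DEPRECATION")
        pm.getPackageInfo(name, PackageManager.GET_SIGNATURES).signatures
    }
    return signers.orEmpty().map { sha256Hex(it.toByteArray()) }.toSet()
}

// True only if at least one signer exists and every signer is on the allow-list.
fun isSignedByAllowedKey(
    context: Context,
    allowed: Set<String> = ALLOWED_SHA256,
): Boolean {
    val expected = allowed.map(::normalizeFingerprint).toSet()
    val actual = currentSignerFingerprints(context)
    return actual.isNotEmpty() && actual.all { it in expected }
}
```

Because the allow-list is a set, one build can pass when installed from Play (re-signed with the Play-managed key) and when distributed through another channel with the upload key. The check runs inside the APK it verifies, so it is a tamper signal that a repackager can patch out, not a guarantee.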
I'm using Kevlar Rooting v1.1.0 and I'm getting this error when attesting targets
    java.lang.NoClassDefFoundError: Failed resolution of: Lcom/topjohnwu/superuser/Shell;
        at com.kevlar.rooting.shell.DumperKt$BinaryDump$2$shellId$3.invokeSuspend(Dumper.kt:120)
        at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
        at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:106)
        at kotlinx.coroutines.internal.LimitedDispatcher.run(LimitedDispatcher.kt:42)
        at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:95)
        at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:570)
        at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:750)
        at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:677)
        at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:664)
To solve this error I had to implement this library (libsu)
I have seen in the code that this library is implemented but the Maven version does not have it as a dependency
https://mvnrepository.com/artifact/io.github.kevlar-kt/rooting/1.1.0
Release 1.1.0 is missing
https://ipv6.repo1.maven.org/maven2/io/github/kevlar-kt/antipiracy/