android – Root detection can be bypassed using Magisk hide: how to mitigate?

SafetyNet’s hardware-backed attestation hasn’t been defeated yet and, the way it works, it is infeasible to defeat by software. The Universal SafetyNet Fix Magisk module downgrades the evaluation type to BASIC, which is a software-based evaluation that is defeated by Magisk.

All Google-apps-licensed Android 8+ devices are provisioned with a TEE, so all of them support hardware-backed attestation. You don’t have to implement your own detection techniques. Use the SafetyNet API and check on your web service whether evalType is hardware-backed in the attestation response. You can deny service to the client if the Android version is 8+ and the evaluation type is basic.

You have to make an exception for the lower Android versions because those devices either may not have a TEE or their TEE’s public key is not certified by the Google root certificate authority. Also make an exception for the OnePlus 7: despite being Android 8+, its hardware-backed attestation is broken, so SafetyNet falls back to the basic evaluation type.

An app with root access can extract your app’s secrets by using code injection, memory dumps and impersonating your app. A TEE cannot prevent compromise of the host OS.
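The server-side check the answer describes, written out as an added example (not code from the answer above or from Google). It assumes the JWS signature and its x5c chain ending at attest.android.com have already been verified by a separate JOSE step, that the client sends its SDK_INT and device model next to the JWS (the payload carries neither), and that the exception list for devices whose hardware attestation is known to be broken is supplied by the operator. The expected nonce, package name, certificate digest and the two-minute freshness window are constructed placeholders.

```python
"""Policy for a SafetyNet Attestation payload: require HARDWARE_BACKED on Android 8+.

Assumption: the JWS signature and certificate chain were verified BEFORE this
code runs. Only the decoded payload is evaluated here.
"""
import base64
import json
import time

ANDROID_8_SDK_INT = 26       # Android 8.0 is API level 26
MAX_AGE_MS = 2 * 60 * 1000   # assumed freshness window: 2 minutes


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jws_payload(jws: str) -> dict:
    """Return the JSON payload of a compact JWS (header.payload.signature)."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWS")
    return json.loads(_b64url_decode(parts[1]))


def evaluate_attestation(jws, expected_nonce, expected_package, expected_cert_digests,
                         client_sdk_int, device_model, basic_ok_models=(), now_ms=None):
    """Return (accepted, reason) for an already signature-verified attestation."""
    p = decode_jws_payload(jws)
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    # Replay protection: the nonce must be the one this server issued for this request.
    if p.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    # Freshness: an old but genuine token must not be reusable.
    if now_ms - int(p.get("timestampMs", 0)) > MAX_AGE_MS:
        return False, "attestation too old"
    # Binding to our app: package name and signing-certificate digest.
    if p.get("apkPackageName") != expected_package:
        return False, "package name mismatch"
    if not set(p.get("apkCertificateDigestSha256", [])) & set(expected_cert_digests):
        return False, "apk signing certificate mismatch"
    # Both integrity verdicts must hold.
    if not (p.get("ctsProfileMatch") is True and p.get("basicIntegrity") is True):
        return False, "integrity verdict failed"
    # The answer's point: on Android 8+ a BASIC-only verdict means the hardware
    # check was downgraded (e.g. by Universal SafetyNet Fix). Reject it unless the
    # device is on the explicit, operator-maintained exception list.
    eval_types = {t.strip() for t in p.get("evaluationType", "").split(",") if t.strip()}
    if "HARDWARE_BACKED" in eval_types:
        return True, "hardware-backed attestation"
    if client_sdk_int < ANDROID_8_SDK_INT:
        return True, "basic evaluation accepted on pre-Android-8 device"
    if device_model in basic_ok_models:
        return True, "basic evaluation accepted for listed exception device"
    return False, "basic evaluation on Android 8+ device"


def make_sample_jws(payload: dict) -> str:
    """Build an UNSIGNED compact JWS from constructed data, for offline demonstration.

    A real response carries an RS256 signature and an x5c chain; the signature
    segment here is a placeholder and is never checked by this example.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "x5c": []}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.{_b64url_encode(b'placeholder-signature')}"


# Constructed placeholders standing in for values the server would record itself.
SAMPLE_NONCE = base64.b64encode(b"server-issued-random-nonce-0001").decode()
SAMPLE_DIGEST = "BASE64_SHA256_OF_APP_SIGNING_CERT"


def sample_payload(evaluation_type: str, ts_ms: int) -> dict:
    """Constructed attestation payload with the fields the policy inspects."""
    return {
        "nonce": SAMPLE_NONCE,
        "timestampMs": ts_ms,
        "apkPackageName": "com.example.bank",
        "apkCertificateDigestSha256": [SAMPLE_DIGEST],
        "ctsProfileMatch": True,
        "basicIntegrity": True,
        "evaluationType": evaluation_type,
    }


if __name__ == "__main__":
    ts = 1_700_000_000_000
    hw = make_sample_jws(sample_payload("BASIC,HARDWARE_BACKED", ts))
    basic = make_sample_jws(sample_payload("BASIC", ts))
    for label, jws, sdk, model in [("hw/Android 11", hw, 30, "Pixel 4a"),
                                   ("basic/Android 11", basic, 30, "Pixel 4a"),
                                   ("basic/Android 7", basic, 25, "old-device"),
                                   ("basic/OnePlus 7", basic, 29, "OnePlus7")]:
        print(label, evaluate_attestation(jws, SAMPLE_NONCE, "com.example.bank",
                                          [SAMPLE_DIGEST], sdk, model,
                                          basic_ok_models=("OnePlus7",), now_ms=ts + 1000))
```

The SDK level and model come from the client and are therefore attacker-controlled; the exception list is the only reason to trust them, so keep it short and tied to specific known-broken models rather than letting a client talk its way down to BASIC.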

systemless root – What are the changes made to Magisk?

References:

  1. State of Magisk: 2021 by John Wu (you need a Medium account to access; free)
  2. Explanation by Chris Renshaw (better known as osm0sis on XDA)
  3. Magisk is dropping support for hiding root access from apps – XDA blog

John Wu is working with Google (after interning with Apple!) and there have been no updates to Magisk since then, because his job is working with Android security. There is therefore a clear conflict of interest (he has full access to source code) which prompted the changes (below). As asked in the question, the explanation in the answer is for a non-technical user (like me).

This was always a hide and seek game, as explained here: Magisk will fail Safety-Net hereafter. Why?

  • MagiskHide will retain a minor subset of infrastructure for apps to fully “opt-out” of modding(1), which is explained:

MagiskHide is gone but will be replaced by a module, most likely very soon, which by the way can be even more powerful now thanks to @topjohnwu implementing a “Zygisk” hooking API a la Xposed.(2)

Basically, MagiskHide will no longer be hiding root access from apps and will instead be used to ensure that user-selected apps won’t be modified. Making it easier to revert changes will also speed up testing on emulators, as developers will no longer have to reboot or patch emulator images.(3)

Zygisk? What’s that?

Zygisk is Magisk in Zygote. This will run parts of Magisk in the zygote process to make Magisk modules even more powerful.(1)

Zygote is the OS process that handles forking each application process, so running parts of Magisk in the zygote process will make modules even more robust (including making root-hiding even more powerful).(3)

Modules aren’t gone, just the official repo module list won’t be shown in the app anymore. The official repo will change hands, but still exist and be maintained. The app will eventually allow adding multiple module repos, so you’ll be able to add the former official back.(2)

Another upcoming change to Magisk is the removal of the Magisk module repo from the app. The integration of the Magisk-Modules-Repo into the Magisk app is what currently allows users to search and download modules from within the app. Its removal will mean that users will have to manually download module ZIP files and install them from within the app, which is a little inconvenient compared to the existing solution but not difficult at all to do. Plus, apps that come with a Magisk module component can easily install the module for the user by running the magisk --install-module ZIP command, taking the manual step out of the equation for users.(3)

The bigger loss, though, is for discoverability of new modules through the centralized, curated repo, but topjohnwu says the Magisk-Modules-Repo will be transferred to “trusted community members” soon. This means the repo itself won’t be gone, but the app won’t point to it for now. Eventually, though, topjohnwu does want to let users point the Magisk app to whatever online module source they want, kind of like F-Droid, but this isn’t a high priority for him to implement at the moment.(3)

Root access in apps, and terminal root prompts with su will remain working, as always.(2)

penetration test – Root detection Implementation can be bypassed using Magisk hide : Android App vulnerability

I have recently been assigned a new security fix for my Android app.
This time the Vulnerability Assessment and Penetration Testing (VAPT) team used Magisk and Magisk Hide to bypass the Android root detection implementation.

Description given by the VAPT team: root detection is checked based on package name and availability of the su binary.

Hack they did to bypass root detection:

  1. Set the Magisk application package name to something random.
  2. Next, apply the Magisk Hide settings. It will hide the su binary from the application.
    So the application works as normal. This means Magisk Hide lets you use apps without letting them know that it is a rooted device.

Root detection implementation in the app:

  1. Currently in the Android app we have the “RootBeer” and “Root Tool” libraries integrated for root detection on the Android device.
  2. All app data is stored in an encrypted database in the Android app.

I have also checked possible ways to fix this, like SafetyNet’s hardware attestation, but I found that it is also not enough.
Here are links I found which say they are able to bypass SafetyNet detection as well:

  1. https://nooberinfo.com/magisk-hide-not-working-on-banking-apps-2021-magisk-hide-not-working-2021-android-11/#19-method-6-updating-magisk-to-magisk-canary-version-to-fix-safetynet-issue-in-android-11
  2. https://www.thecustomdroid.com/fix-safetynet-hardware-attestation-guide/

Questions regarding this scenario:

  1. In case root detection is bypassed, as the database is encrypted
    there should be no chance of any app data leak.
    If root detection is bypassed, is an encrypted database secure enough to prevent the app from leaking data?

  2. Are there any currently known mitigations available to detect Magisk and Magisk Hide in an Android app?

  3. If there is a new method to bypass and hide root, then there is a need to integrate a new root detection library in the Android app, which in turn increases the Android APK size each time. Is it always a good idea to integrate a new library for root detection?

magisk – Is it possible to install the Android 12 quick settings panel and animations on a rooted Android 11 device?

The new Android 12 animations are silky and smooth. Also, the quick settings panel looks cool with those rectangular-shaped tiles. I wish to install them on a rooted Android 11 device which has the Pixel Experience ROM.

Is there a Magisk module that can do it? Or any other way?

Thanks in advance

samsung – Stock ROM after Magisk

I have a Samsung Galaxy A8 2018 device. I rooted my phone with this video: https://www.youtube.com/watch?v=uYYyxWH3xew
Several days later I downloaded the stock ROM from SamMobile. I flashed the stock ROM to my phone with Odin (I didn’t remove Magisk first; I mean I didn’t run magisk_uninstaller.zip or remove it via the Magisk app), but I chose the HOME_CSC file, and when flashing was completed it rebooted itself and got stuck on the Samsung page. I turned the phone off and went to recovery mode. After that, I wiped data with Wipe data/factory reset. Finally the phone booted. Now, when I’m in Odin mode, I see

current binary: samsung official
FRP lock: On
Oem lock: On

In recovery mode:

#Reboot Recovery Cause is (BL:Recovery Mode Set by key)#

Support SINGLE-SKU
File-Based OTA
Supported API: 3
E:unknown volume for path (/odm)
E:unknown volume for path (/vendor)
E:unknown volume for path (/odm)
E:unknown volume for path (/vendor)

#MANUAL MODE v1.0.0#

remove failed dir ‘/system/carrier/ATT/priv-app/AttIqi_ATT’ (No such file or directory)
Successfully generated dm-verity hash tree.
E:(libfs_mgr)is_dt_compatible(): firmware info was not valid : ‘/proc/device-tree/firmware/android/compatible’: No such file or directory

I can get OTA updates and the phone status in Settings is Official.
But I’m not sure if Magisk was completely removed. Maybe some files were left inside the phone, or maybe it is running in the background. Please help me.

Thank you in advance

twrp – Invalid zip file format – Magisk 22.1

I have a OnePlus 5T with TWRP 3.5.2_9-0-cheeseburger_dumpling, and when I try to flash the Magisk zip it tells me: Invalid zip file format.

I searched Google and found that I need the latest TWRP version, but I have the latest version… What can I do?

Edit:

In v22.1 (latest) the only zip file is called “Source code (zip)”, and TWRP says Invalid zip file format. Same in v22.0. The next version available is 21.4; in v21.4 the link name is not “Source code (zip)”, the link name is “Magisk-v21.4.zip”, and in TWRP it works well and flashes into the system! Why is it like that? And what don’t I understand?

Link to all versions: https://github.com/topjohnwu/Magisk/releases

6.0 marshmallow – Magisk Manager not detecting Magisk installation

Device: itel A11, Android 6

Before the installation of Magisk v22, my Magisk installation was working fine. I updated Magisk through direct installation and rebooted my phone, but Magisk Manager wasn’t detecting Magisk.
I tried patching my boot image with Magisk and flashed the patched image with fastboot and the SPD flash tool, but Magisk Manager still wasn’t detecting Magisk.
I updated to the latest canary version and tried the same thing, but to no avail, so I tried flashing my stock ROM with my boot image replaced by the patched boot image. Still nothing.
Today I came across this thread, Magisk issue: Device rooted but Magisk not installed, that shows exactly the problem I have, and he solved the problem by uninstalling the repackaged Magisk Manager. But now my problem is: I flashed my phone, and I doubt the repackaged Magisk Manager is still on the phone, so why is Magisk Manager still not detecting Magisk? [Magisk app screenshot]

magisk – Is it possible to change the Android ID with root access? (On Android 10)

I have an Android 10 phone (Motorola Moto G9 Play) and I want to change the Android ID (I think that is what apps sometimes use to identify it).
My phone has: ROOT + Magisk + EdXposed
I always changed my “Android ID” using “Titanium Backup”. But currently the option to change it does not appear.
Is it possible to change the “Android ID” just using some tools, the command line, applications, something that can modify the “Android ID”?
Please, I really need this.
Reason: When some apps ban accounts, they block the “Android ID”, and I need to modify it and then use it again!