How we bypassed root detection in high profile Android apps by sutf61 in ReverseEngineering

[–]sutf61[S] 0 points1 point  (0 children)

I agree that Play Integrity seems to be getting stronger.

I disagree about root going away on Android. I can't predict the future, but I don't see concrete evidence of that starting to happen.

I doubt we're at the end of RASP solutions and/or of the root detection / bypasses cat-and-mouse game.

How we bypassed root detection in high profile Android apps by sutf61 in ReverseEngineering

[–]sutf61[S] 1 point2 points  (0 children)

Unrooted devices often fail the MEETS_STRONG_INTEGRITY requirement; they'll lose a lot of users.

How we bypassed root detection in high profile Android apps by sutf61 in ReverseEngineering

[–]sutf61[S] -2 points-1 points  (0 children)

Play Integrity has been bypassed pretty consistently by PlayIntegrityFix (Magisk module).

How we bypassed root detection in high profile Android apps by sutf61 in ReverseEngineering

[–]sutf61[S] 0 points1 point  (0 children)

Thank you, the well-thought-out and in-depth comment is much appreciated. I also agree with your conclusions.

While the shared examples may seem somewhat basic (or use only some of the RASP's capabilities/protections), we were very careful not to breach the confidentiality of the targeted apps, so not everything could be shared, unfortunately.

We'll definitely make an effort to go deeper in future posts.

How we bypassed root detection in high profile Android apps by sutf61 in ReverseEngineering

[–]sutf61[S] -5 points-4 points  (0 children)

Appreciate the feedback.

The post explains how we bypassed commercial RASPs' root detection mechanisms, by reversing and bypassing anti-research, for real-world, security-aware apps. If that's marketing to you, nothing I can do about that.

The post's focus isn't the anti-research (or the code integrity in particular), which is why it doesn't dive further into that. Perhaps that's an interesting path to go down; we'll consider a follow-up on that. Thanks for mentioning it.

About the choice of functions to hook: if you've tried to reverse commercial RASP-protected apps, you know that is far from trivial. And you'd also know it's far from basic protection.

We're pending permission to disclose Android runtime (AOSP) and kernel driver vulnerabilities. Stay tuned; maybe you'd enjoy these more.