Skip to content
Platform
android
MASVS v1 MSTG-RESILIENCE-4
MASVS v2 MASVS-RESILIENCE-4
Last updated: May 08, 2023

Testing Reverse Engineering Tools Detection

Effectiveness Assessment

Launch the app with various reverse engineering tools and frameworks installed in your test device. Include at least the following: Frida, Xposed, Substrate for Android, RootCloak, Android SSL Trust Killer.

The app should respond in some way to the presence of those tools. For example by:

  • Alerting the user and asking for accepting liability.
  • Preventing execution by gracefully terminating.
  • Securely wiping any sensitive data stored on the device.
  • Reporting to a backend server, e.g, for fraud detection.

Next, work on bypassing the detection of the reverse engineering tools and answer the following questions:

  • Can the mechanisms be bypassed trivially (e.g., by hooking a single API function)?
  • How difficult is identifying the anti reverse engineering code via static and dynamic analysis?
  • Did you need to write custom code to disable the defenses? How much time did you need?
  • What is your assessment of the difficulty of bypassing the mechanisms?

The following steps should guide you when bypassing detection of reverse engineering tools:

  1. Patch the anti reverse engineering functionality. Disable the unwanted behavior by simply overwriting the associated bytecode or native code with NOP instructions.
  2. Use Frida or Xposed to hook file system APIs on the Java and native layers. Return a handle to the original file, not the modified file.
  3. Use a kernel module to intercept file-related system calls. When the process attempts to open the modified file, return a file descriptor for the unmodified version of the file.

Refer to the "Tampering and Reverse Engineering on Android" chapter for examples of patching, code injection, and kernel modules.