# 3.2 Bypass detections

## 3.2.1 SSL PINNING

{% hint style="info" %}
**TBD soon**
{% endhint %}

## 3.2.2 ROOT DETECTION

{% hint style="info" %}
**TBD soon**
{% endhint %}

## 3.2.3 EMULATOR DETECTION

### Identify any detection

```
grep -RiE -e "isEmulator" -e "root" -e "carrierNameFromTelephonyManager" -e "smellsLikeAnEmulator" -e "SystemProperties" .
```

```
grep -RiE -e "build.fingerprint" -e "build.hardware" -e "product.kernel" -e "product.brand" -e "product.name" -e "product.model" -e "product.manufacturer" -e "product.device" -e "Emulator" -e "qemu.hw.mainkeys" -e "bootloader" -e "bootmode" -e "secure" -e "build.version.sdk" .
```

```
grep -RiE -e "generic" -e "unknown" -e "google_sdk" -e "Android SDK built for x86" -e "Genymotion" -e "goldfish" .
```

{% hint style="info" %}
Many applications try to detect an emulator by querying known system property values.
{% endhint %}

### Know your own environmental values

```
adb shell getprop ro.product.name
```

```
adb shell getprop ro.product.device
```

```
adb shell getprop ro.product.model
```

```
adb shell getprop ro.kernel.qemu
```

```
adb shell getprop ro.hardware
```

```
adb shell getprop qemu.hw.mainkeys
```

```
adb shell getprop ro.bootloader
```

```
adb shell getprop ro.bootmode
```

```
adb shell getprop ro.secure
```

```
adb shell getprop ro.build.fingerprint
```

```
adb shell getprop ro.build.version.sdk
```
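
The individual `getprop` calls above can also be answered from a single `adb shell getprop` dump. The following is an added example, not part of the original page: the function name `check_emulator_props` is hypothetical, the sample dump is constructed, and treating `ro.kernel.qemu=1` as an indicator is an assumption of this sketch. It marks which of your values match the strings from the grep lists above.

```shell
#!/bin/sh
# Added example: summarise the properties listed above from one getprop dump.
# On a real device:  adb shell getprop | check_emulator_props

# Properties queried one by one in the section above.
PROPS='ro.product.name ro.product.device ro.product.model ro.kernel.qemu ro.hardware qemu.hw.mainkeys ro.bootloader ro.bootmode ro.secure ro.build.fingerprint ro.build.version.sdk'

# Indicator strings taken from the grep lists above (matched case-insensitively).
INDICATORS='generic|unknown|google_sdk|Android SDK built for x86|Genymotion|goldfish'

check_emulator_props() {
    # getprop prints one "[key]: [value]" pair per line; turn it into key=value.
    sed -n 's/^\[\([^]]*\)]: \[\(.*\)]$/\1=\2/p' |
    while IFS='=' read -r key value; do
        # Skip every property that is not in the list above.
        case " $PROPS " in
            *" $key "*) ;;
            *) continue ;;
        esac
        if printf '%s\n' "$value" | grep -qiE "$INDICATORS"; then
            echo "FLAG $key=$value"
        elif [ "$key" = "ro.kernel.qemu" ] && [ "$value" = "1" ]; then
            # Assumption of this sketch: qemu=1 marks an emulator image.
            echo "FLAG $key=$value"
        else
            echo "ok   $key=$value"
        fi
    done
}

# Constructed sample dump (not captured from a real device).
SAMPLE='[ro.product.name]: [sdk_gphone_x86]
[ro.product.model]: [Android SDK built for x86]
[ro.hardware]: [goldfish]
[ro.kernel.qemu]: [1]
[ro.secure]: [1]
[ro.build.version.sdk]: [27]
[net.bt.name]: [Android]'

printf '%s\n' "$SAMPLE" | check_emulator_props
```

A value reported as `ok` only means it matched none of the strings listed on this page; the application under test may check for others.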

{% hint style="info" %}
In order to bypass it:

1. Know your values (have a look above)
2. Modify the code accordingly, so YOUR device's values pass the validation
3. Recompile project
4. Sign apk
5. Install and give it a try
{% endhint %}

**Recompile**:

```
apktool b ./modified_app_project_dir
```

**Sign apk** (key-creation + signing):

```
keytool -genkey -v -keystore my-release-key.keystore -alias myalias -keyalg RSA -keysize 2048 -validity 10000
```

```
/home/<user>/Android/Sdk/build-tools/<27.0.3_OR_CHECK_YOUR_USED_VERSION>/apksigner sign --ks my-release-key.keystore ./modified_app_project_dir/dist/modified_app.apk
```

**Install apk**:

```
adb install /path/to/modified_app.apk
```

### INFO

{% hint style="info" %}
* Success is not guaranteed
  * There might be fancy solutions out there (appreciate any input here)
  * If it is heavily obfuscated -> good luck with that
  * Emulator detection usually comes with root detection as well (give it a try, before you cry)
* The grep commands above search for known method names or values that might be executed or checked at app startup
{% endhint %}

### THINGS TO REPORT

{% hint style="danger" %}
**If bypassing the emulator detection by simple code-tampering is possible!**
{% endhint %}

### MORE DETAILS

* [Bypassing Android Emulator Part I](https://www.juanurs.com/Bypassing-Android-Anti-Emulation-Part-I/)
* [Bypassing Android Emulator Part II](https://www.juanurs.com/Bypassing-Android-Anti-Emulation-Part-II/)
* [Bypassing Android Emulator Part III](https://www.juanurs.com/Bypassing-Android-Anti-Emulation-Part-III/)
