How to Detect and Block KernelSu and similar Rooting and Hacking Tools?

Your app. Your users’ trust. A hidden tunnel threatens them both. That tunnel is KernelSU, a powerful rooting solution granting unprecedented access to the heart of Android devices.

Think data breaches, hijacked functionalities, and rampant malware, all cloaked in the shadows of the kernel – invisible to traditional security measures. This isn’t science fiction; it’s the harsh reality for apps facing the growing threat of KernelSU-wielding attackers.

KernelSU, much like its counterpart Magisk, presents a unique set of security challenges. While this might sound like a tech enthusiast’s dream, it opens Pandora’s box of potential vulnerabilities.

Its covert operation mode not only poses a significant threat to individual apps but also to the entire ecosystem of the device, compromising user data and device integrity.

As app developers, our primary goal is to safeguard our applications and, by extension, our users. In this blog, we’ll discuss why taking proactive steps to block KernelSU is essential in this endeavor. We’ll explore practical strategies for detection and prevention, ensuring that our apps remain secure fortresses against the potential exploits that KernelSU can facilitate.

Join us as we navigate the complexities of mobile app security in a world where rooting tools like KernelSU are becoming increasingly sophisticated. 

Working of KernelSu 

At its core, KernelSU operates in kernel mode, which is essentially the deepest level of control within an Android device. This position grants it capabilities that are typically out of reach for standard applications.

Source:

Here’s a breakdown:

Imagine a skyscraper with strict security levels. KernelSU is like having the master key to every floor, including the executive penthouse (the “kernel,” where everything runs). This grants it unprecedented power to control and modify the building’s core systems i.e. root access, operating at the core of your Android device. This opens up powerful, sometimes risky, capabilities explained as under:

Hardware Breakpoints:

KernelSU can set hardware breakpoints for any process operating in kernel mode. In simpler terms, it can instruct the device’s central processing unit (CPU) to pause a specific process at a particular point. This is a powerful tool for developers for debugging, but in the wrong hands, it can be used to manipulate or analyze secure processes. Picture placing tiny sensors inside machinery. KernelSU can monitor any process by injecting “breakpoints” into its code. This lets it know whenever specific events occur, like detecting unauthorized modifications.

Memory Snooping:

It can access the physical memory of any process and do so discreetly. Physical memory refers to the RAM (Random Access Memory) where processes are actively running. Think of memory as data rooms. KernelSU can peek into any process’s memory space, even unnoticed, potentially accessing sensitive information like passwords or financial data.

System Call Hijacking:

KernelSU has the capability to intercept system calls (syscalls) within the kernel space. System calls are requests made by programs to access hardware resources or sensitive data. By intercepting these, KernelSU could potentially alter the behavior of the system or spy on data transactions. Imagine intercepting messages sent between floors. KernelSU can grab and manipulate “system calls,” the requests processes make to the core system. This allows it to alter functionalities, potentially redirecting requests or even taking control of processes.

Beyond these core abilities, KernelSU offers further tools:

Module System:

This is like adding plug-ins to the control center. KernelSU lets you load custom modules (code extensions) into the system, adding new features or tweaking existing ones. Imagine adding a security module or customizing your device’s interface. 

System Tweaking:

Think of /system as the building’s blueprints. KernelSU can subtly modify files in this crucial partition using a technique called “overlayfs.” It’s like placing transparent stickers over the blueprints, making changes without permanently altering the originals. This allows for system-level adjustments without potentially risky direct modifications.

While the above mentioned features offer exciting possibilities, they can also create security vulnerabilities if misused. Understanding how KernelSU works is crucial for both developers and users to make informed decisions and ensure responsible, secure usage.

In the next section of our blog, we turn our attention to a critical aspect- How KernelSU can be used for Application Exploitation. Understanding this is crucial for app developers and security professionals to recognize the potential threats and safeguard their applications.

How KernelSu can be used for Application Exploitation? 

Let’s break it down and explain it in simpler terms. 

Tailoring App Behavior with KernelSU’s App Profiles

Imagine a skilled tailor crafting custom suits for different occasions. KernelSU’s App Profiles offer a similar level of customization, allowing you to fine-tune how apps interact with the system, even those with root permissions. Here’s how it works:

App Profile Explained:

The App Profile in KernelSU allows for detailed customization of apps, particularly in how they interact with the system’s root functionalities. 

• Ordinary Apps: Even apps without root access can benefit from App Profiles. They act like personal stylists, guiding how the kernel and module system interact with each app.
•  Custom Behavior: You can decide whether modifications made by modules should affect specific apps. This allows for tailored experiences, like “hiding” certain changes from particular apps. 

It’s like having a specialized control panel for each app, where you can tweak various settings related to system access and permissions. 

Source

Key Concepts for Understanding App Profiles

UID, GID, and Groups: Think of these as ID badges in a high-security building. Each app has a unique UID (user ID), belongs to a primary group with a GID (group ID), and can also be part of multiple supplementary groups. These IDs determine which system resources an app can access. 

Root User (UID 0): The ultimate VIP with full system access.

Customizing Root Permissions: Root Profiles let you change the UID, GID, and groups of the root process after using “su.” 

This means you can:

• Lower a root app’s permissions to the level of an ADB shell for more control.
•  Remove the “inet” group to prevent network access, even for root apps. 

Important Note: App Profiles only control the permissions of the root process after using “su.” They don’t directly change the permissions of the app itself.

 Root Profile for Root-Enabled Apps:

These specialized App Profiles take control when an app uses “su” to gain root access. They act like security guards at a VIP party, deciding who gets full access and who has restricted privileges.

When apps have root permissions (i.e., they can use the ‘su’ command for superuser access), the App Profile is referred to as the Root Profile.  Root Profiles allow you to adjust a root app’s “uid,” “gid,” “groups,” “capabilities,” and “SELinux” rules. 

This means you can:

• Grant network permissions to firewall apps while restricting file access.
• Give shell access to freeze apps without full root privileges.

Tailor permissions for different apps based on their specific needs, following the principle of least privilege (giving apps only the permissions they truly need). 

For example, you could set it up so that only certain apps have network access, or you can limit an app to having just shell access rather than full root access. This aligns with the principle of least privilege, meaning apps only get the minimum level of access they need to function. 

Control Over Non-Root Apps: For apps without root permissions, the App Profile can still influence how the kernel and module system treat them. It can decide if changes caused by modules should affect these apps, allowing for operations akin to “hiding” certain activities from the app.

Understanding UID, GID, and Groups in Linux and Android: In Linux and Android, each user and group is assigned unique IDs (UID and GID). The root user and group have an ID of 0 and have the highest system privileges. In Android, each app acts as a separate user, with standard apps having UIDs ranging from 10000 to 19999. Work profiles are implemented by partitioning this UID range.

KernelSU’s Customization Abilities: KernelSU’s Root Profile feature allows for the customization of these UIDs and GIDs for root processes. For instance, it can set an app’s UID to that of the ADB shell level (2000) when using ‘su’. This means that when the app uses ‘su’, it operates with ADB shell level permissions. Adjusting group memberships, like removing the inet group, can restrict what the ‘su’ command can do, such as preventing network access.

Important Note: It’s crucial to note that the App Profile only controls the permissions of the root process after using ‘su’; it does not alter the app’s inherent permissions. So, if an app has network access permission, it retains that ability regardless of the Root Profile settings. The enforcement of the Root Profile is done at the kernel level, ensuring it’s not dependent on the behavior of root applications.

What are the Other Tools that can be Used for Modifying devices? 

It’s important to recognize that KernelSU is just one of several tools available for modifying Android devices. In this section of our blog, we’ll introduce and briefly discuss some other popular tools used for device modification, highlighting their capabilities and the implications for app security.

Checkra1n 

Checkra1n is a notable jailbreaking tool specifically designed for Apple’s iOS devices. It gained particular attention for its ability to jailbreak devices running iOS 13, although its compatibility extends to other iOS versions as well. Here’s a detailed look at Checkra1n and its implications: 

Think of Checkra1n as a master key, unlocking hidden functionalities within your iPhone or iPad running iOS 13. But unlike a physical key, this one operates at the core of the device’s operating system, granting access to the “kernel” – the brain that controls everything.

 What It Does:

Jailbreaking: Checkra1n bypasses security restrictions, allowing you to install apps and tweaks not officially approved by Apple. This opens a vast world of customization and functionality, from advanced themes and productivity tools to tweaks that modify core system behavior.

 Full Control: With root access, you gain control over system files, processes, and settings. This can be extremely powerful for developers and tech-savvy users who want to tinker with their devices and explore hidden capabilities.

 But Wait, There’s a Catch:

Security Risks: Bypassing security can be risky. Malicious tweaks or apps can exploit your device’s vulnerabilities, stealing data, injecting malware, or even bricking your device. Proceed with caution and only install trusted tweaks from reputable sources.

Warranty Voiding: Jailbreaking often voids your device’s warranty, leaving you responsible for any damage caused by the process or incompatible tweaks.

Technical Knowledge Required: Checkra1n is not for beginners. The process can be complex and requires some technical knowledge and comfort with computers and command-line tools.

Specifics for iOS 13:

Supported Devices: Checkra1n supports a wide range of iPhones and iPads running iOS 13, including some newer models like the iPhone XR, XS, and 11. However, check their website for a complete compatibility list.

Exploiting the Checkm8 Vulnerability: Checkra1n utilizes a hardware exploit called “checkm8,” which exists in the chips powering these devices. This makes it a permanent jailbreak solution, unlike software-based methods that become ineffective with new iOS updates. 

Unc0ver

Unc0ver is a prominent jailbreak tool that gained attention for its ability to jailbreak a wide range of iPhone models, offering extensive access and control over iOS devices.  Imagine unc0ver as a secret tunnel leading to the heart of your iPhone, bypassing Apple’s security walls and granting you access to hidden functionalities. It’s more than just a jailbreak; it’s a swiss army knife for tweaking and customizing your iOS experience. 

What It Can Do:

 Jailbreak for Any iPhone: Unlike Checkra1n, unc0ver works on a wider range of iPhones, including newer models running iOS 11 and later. This opens the door for more users to explore the world of customization.

 Full Shell Access: unc0ver grants you a “shell,” a powerful command-line interface that lets you directly control the core of your iPhone’s operating system. This puts immense power in your hands, offering advanced users unprecedented control and flexibility.

 Tweak Installation: With jailbreak privileges, you can install numerous tweaks and modifications that aren’t available in the official App Store. These tweaks range from simple cosmetic changes to functionality enhancements and even system-level tweaks. 

Important Caveats:

• Broad Compatibility and Access: Unc0ver works on any iPhone model that runs iOS 11 or later. This wide-ranging compatibility makes it a potent tool for gaining deep access to a significant number of iOS devices.
•  Physical Access Requirement: A key aspect of unc0ver is that it requires physical access to the device. The jailbreak can only be implemented when the user has direct control over an unlocked iPhone and can connect it to a computer. This requirement significantly reduces the risk of unc0ver being used for malicious purposes.
• Tailored for Non-Malicious Use: Given its need for physical access and the fact that it does not persist after a reboot, unc0ver is unlikely to be employed in most malicious scenarios, like malware attacks. Instead, it serves more as a tool for users and developers to bypass Apple’s restrictions for customizations and app installations not normally permitted on the iOS platform.
• Capabilities and Developer Interest: Unc0ver allows users to break through the limitations set by Apple, enabling the installation of apps outside of the App Store and allowing for the monitoring of OS functions. Notably, it gives users a UNIX shell with root privileges, providing the capability to execute a wide range of commands and modifications.
•  Installation Methods: The jailbreak can be installed using various methods, including AltStore, iOS development environment Xcode, or Cydia Impactor. These methods provide flexibility for users in terms of how they wish to execute the jailbreak.
•  Comparison with Checkm8: While unc0ver exploits a vulnerability in the OS kernel, it is different from Checkm8, which exploits a flaw in the physical bootloader. This distinction makes unc0ver less capable in some respects than Checkm8, like disabling or bypassing certain iOS restrictions.
•  User Risks and Developer Assurances: As with any jailbreak, using unc0ver comes with risks, such as potential data loss or the inadvertent disabling of important settings. However, the unc0ver team has provided assurances regarding the stability of the jailbreak, compatibility with major Apple services, and the ability to install future iOS updates. 

Cydia

Cydia is not a jailbreak tool itself, but rather an application Store for Jailbroken Devices. Cydia is essentially an alternative to Apple’s App Store for devices that have been jailbroken.  Think of it as a parallel universe for your iOS device, filled with apps and tweaks not found in the official App Store. It allows users to download and install software packages from repositories or sources that are not authorized by Apple. This includes a wide range of applications, tweaks, and extensions that can customize and enhance the functionality of an iOS device beyond what is officially supported. 

Here’s what you should know about Cydia:

Unlocking the Hidden Doors of iOS:

Post-Jailbreak Playground: Cydia becomes accessible once you’ve successfully jailbroken your device. With root access granted, it opens the door to a vast trove of customization options and functionalities that Apple doesn’t officially allow.

Tweak Treasure Trove: Cydia hosts thousands of tweaks that modify the look, feel, and behavior of your iOS device. These range from cosmetic changes like custom themes and icons to powerful functionality enhancements like ad blocking, system optimizations, and even accessing hidden features buried within iOS.

Download with Caution: While the possibilities are exciting, remember that not all tweaks are created equal. Some can be outdated, buggy, or even malicious. Stick to reputable sources and thoroughly research before installing any tweaks to avoid harming your device or compromising your security. 

Key features of Cydia:

User-friendly Interface: Cydia offers a curated app store experience, allowing you to browse, download, and install tweaks with ease. You can search for specific functionalities, browse by categories, and read reviews before making your choices.

Package Management: Cydia handles all the technical heavy lifting. It installs, updates, and removes tweaks while ensuring compatibility and avoiding conflicts with other software.

Community Connection: Cydia connects you to a vibrant community of developers and enthusiasts. You can access forums, tutorials, and resources to learn more about jailbreaking, find the perfect tweaks for your needs, and troubleshoot any issues you encounter.

Important Considerations:

Security Risks: Jailbreaking bypasses security restrictions, which inherently makes your device more vulnerable. Malicious tweaks can exploit vulnerabilities, steal data, inject malware, or even brick your device. Only use trusted sources and be cautious about what you install.

Warranty Voiding: Jailbreaking often voids your device’s warranty, leaving you responsible for any damage caused by the process or incompatible tweaks. 

EdXposed/ Xposed Framework 

dXposed and Xposed Framework are the two magic words for Android enthusiasts who crave customization. The Xposed Framework, along with its Magisk-compatible variant EdXposed, stands as a pivotal tool in Android customization. Xposed allows users to modify their device behavior without altering system files, acting as a bridge between the OS and installed modules. Its extensive module library offers various functionalities, from UI tweaks to performance boosts. For Magisk users, EdXposed ensures compatibility within the Magisk ecosystem. 

Think of Xposed Framework as a Swiss Army knife for your Android device. It grants you access to a hidden layer of the system, allowing you to inject code into existing apps and modify their behavior without directly altering their original code. Think of it as adding sprinkles and spices to your favorite dish without changing the recipe itself. 

What It Can Do: 

Extensive Customization: Modify system-level functionalities, change app interfaces, and unlock hidden features. Imagine activating dark mode in any app, blocking annoying ads, or customizing app notifications – the possibilities are endless.

Enhanced Control: Gain granular control over app permissions, manage background processes, and optimize performance. Take back control of your battery life and data usage!

Community-Driven Innovation: A vast library of modules, created by developers and enthusiasts, is readily available. Browse and install modules to fit your specific needs and desires. 

Different Flavors of Xposed:

dXposed: A newer fork of Xposed, compatible with Android 9 and later, addressing some limitations of the original framework.

EdXposed: Another alternative for Android 9 and 10, utilizing a different approach to achieve Xposed functionality. 

Important Caveats:

Technical Knowledge Required: Installing and using Xposed modules can be technically challenging, requiring some understanding of Android and root access on your device.

Potential Instability: Modifying system behavior can lead to unintended consequences and app crashes. Proceed with caution and test modules thoroughly before relying on them.

Security Risks: Malicious modules can exploit vulnerabilities or invade your privacy. Stick to trusted sources and thoroughly research before installing any module. 

OS Remount 

OS Remount in Android Apps” is a relatively complex topic, and understanding it requires some background knowledge about the Android file system and app permissions. OS Remount in the context of Android apps refers to the process of remounting the system partition (or other partitions) of the Android file system with different permissions.

Typically, the system partition is mounted read-only to prevent modifications. However, in certain cases, such as during system updates or for root-level modifications (often in the context of rooted devices), it may be necessary to remount this partition with write permissions. This allows for modifications to system files, which can be essential for certain types of app functionality or system customization. 

In essence, OS Remount in Android apps involves modifying the access permissions of system partitions. 

The Android file system comprises several partitions; for instance, the /system partition is read-only and houses essential system files, while the /data partition is writable for user data. 

Root access enables apps to have unrestricted file system access, including altering read-only partitions. Remounting a partition changes its access mode, allowing, for example, writing to the normally read-only /system partition. 

This is often needed for apps that modify core system functionalities. However, this process carries risks, such as potential system corruption or instability, especially if done improperly or maliciously.  

PlankFilza File System Tool

PlankFilza can be understood as a “lite” version of the popular Filza file explorer, but specifically designed for non-jailbroken iOS devices running iOS 14 to 14.3. It achieves this by utilizing a vulnerability called “cicuta_virosa” to gain limited read/write permissions to the iOS file system. 

Here’s what you can do with PlankFilza:

Read files: Access and explore files stored in various directories across your iOS device.

Write files: You can write files to specific locations, namely the /var and /tmp directories. This allows for tasks like transferring files between your device and computer or modifying specific configuration files. 

Important points to remember:

Limited functionality: Unlike a full-fledged file manager, PlankFilza has limited write capabilities due to its non-jailbroken nature.

Security vulnerability: Utilizing a vulnerability involves inherent risks. Always be cautious about installing apps from unknown sources and exercise caution when modifying files on your device. 

License considerations: The developer emphasizes that distributing the full PlankFilza.ipa file violates the licenses of Filza and ModernPwners. Stick to downloading it from Brandon Plank’s official GitHub page or approved sources. 

Overall, PlankFilza offers a unique way to interact with the iOS file system on non-jailbroken devices. However, it’s important to use it responsibly and with caution, given its limitations and potential security implications. 

What is the Impact of These Rooting Tools?

Rooting offers a unique paradox – a chance to unlock immense potential at the cost of potential security vulnerabilities. Rooting tools offer an avenue for Android users to regain comprehensive control over their devices, enabling them to customize, optimize, and secure their systems according to personal preferences. While it’s essential to acknowledge the risks, many users find the benefits of rooting to be compelling. 

 Customization and Control: Rooting allows users to overcome the default limitations set by manufacturers, offering a level of customization typically not available. Users can change themes, adjust graphics, and modify the system to fit their unique needs. This level of control is particularly appealing to those with the technical knowledge to safely navigate the potential risks.

 Efficient Use of Space: One of the practical benefits of rooting is the ability to remove bloatware. Manufacturers often pre-install applications as part of agreements with software vendors, which can take up unnecessary space. Rooting enables users to remove these apps, freeing up memory for more desired content and applications.

 Expanded App Availability: Rooting circumvents the usual restrictions on app installations, allowing users to download applications from any source, not just official platforms like the Google Play Store. This open access can lead to a broader range of apps and functionalities, though it also requires users to be more vigilant about the sources and security of downloaded apps.

 System Upgrades and Alternative OS: Rooting can breathe new life into older devices by allowing the installation of custom ROMs and alternative software kernels. Users can update their devices to newer Android versions or completely change the operating system, even if official updates are no longer provided by the manufacturer. This capability not only prolongs the device’s lifespan but can also lead to improvements in performance and battery life.

Enhanced Backup Options: With root access, users gain more flexibility over their backup solutions. Instead of relying on default Android backup services, users can choose more comprehensive and secure backup options, tailoring where and how their data is stored. 

How to avoid usage of Your app on such tools? 

Avoiding mobile apps for rooting tools altogether is a valid approach if you prioritize security and stability over customization.

 Root Detection Mechanisms: Implement checks within your app to detect if a device is rooted. Look for common indicators of rooting, such as the presence of the su binary, unusual file permissions, or the installation of known rooting apps and custom ROMs.

SafetyNet Attestation: Use Google’s SafetyNet API to assess the integrity and compatibility of the Android environment. SafetyNet can help determine whether the device has been tampered with or if it’s running a custom ROM. Based on the response, you can decide whether to restrict app functionalities.

Obfuscation and Tamper Detection: Protect your app’s code through obfuscation to make it harder for attackers to find and exploit vulnerabilities or to modify the app. Additionally, implement tamper detection mechanisms to know if the app’s code has been altered.

Secure Communication: Ensure all communications between the app and servers are encrypted and secure. Use certificate pinning to prevent man-in-the-middle attacks, which can be more common on rooted devices. 

App Shielding and Runtime Protection: Utilize app shielding solutions that offer runtime protection, detecting and reacting to threats in real time. These solutions can actively monitor the app’s environment and take action if interference is detected. 

Educating Users: Inform users of the risks associated with rooted devices and clearly communicate your app’s stance on running in such environments. Some users might not be aware of the security implications of using rooted devices. 

Regular Updates and Security Patches: Keep your app updated with the latest security patches and best practices. Regular updates can help protect against newly discovered vulnerabilities and exploits. 

Conditional Access and Feature Restriction: If rooting is detected, you might choose to allow the app to run but restrict access to sensitive features or data. For example, a banking app might allow users to view account balances on rooted devices but not to initiate transfers. 

Conclusion:

Appsealing offers comprehensive and continuous protection for mobile applications, vigilantly monitoring activities on rooted devices to maintain a fortified environment. It ensures that mobile apps retain a high level of security akin to that on non-rooted devices. As an innovative security layer, Appsealing diligently oversees the mobile app environment, safeguarding against unauthorized access to memory, file system, and firmware. It delivers these extensive protective services as a convenient Security as a Service solution.

Source

Key features that set Appsealing apart: 

•  Rooted Device Mastery: Appsealing doesn’t flinch in the face of rooted devices. It diligently monitors app behavior, safeguarding sensitive data and resources even in environments where traditional security measures falter.
• Robust Security Layer: Think of Appsealing as an impenetrable fortress around your apps. It meticulously blocks unauthorized access attempts, protecting memory, filesystems, firmware, and other critical components from intrusion.
• Security as a Service (SaaS) Simplicity: APP seamlessly integrates into your app development process, delivering comprehensive security without the hassle of complex setup or maintenance
• Unwavering Root Detection: Appsealing stays ahead of the curve, detecting even the most sophisticated rooting techniques like systemless root and Magisk. Hackers can’t hide from APP’s watchful eye. 

By implementing these strategies, developers can significantly reduce the risk of their apps being misused on rooted devices or through unauthorized modifications. It’s important to balance security measures with user experience, ensuring that legitimate users are not unduly inconvenienced by the protections put in place.