BOI Mobile Banking - Root Access

subway wrote: »

not sure if thats it, i denied the app root access and it continues to work just fine.

As to be expected, as if you denied it access, then as far as its concerned, the device is not rooted as it wasn't able to switch to the root user when it tried. There is no other reason why it should think the device is rooted if you manually blocked it.

subway wrote: »

it wouldnt make much sense if it was that easy to circumvent its root detection

You most likely used Superuser to deny it root access?. You can be rooted without having Superuser to provide some control on what apps can actually "su" (switch user). This can be a dangerous scenario however. Its a free for all for apps.

subway wrote: »

there are other ways to check for root, ones that actually work...

Such as?

Checking for the presence of binaries on the file system doesn't necessary mean an app can switch to root user. Also BOI's method works. You just used an app called Superuser or similar to block it. Which is the idea of Superuser in the first place.

In my opinion, the most reliable way to see if a device is rooted, is if an app tried to switch to root user. If they get root access, then they are rooted. If they don't, then they don't. If its blocked, they app will just think they don't have root access, but really it just means the user has an app to protect what gets root access or not.

The reason it would check for root access, is if it "gets" root access. Then it can assume other apps can get root access. For whatever reason, only their code can tell..

Here is what that BOI app is doing: Note the de-compilation is not necessary 100% syntax correct code!

public M_DataManagement(Context paramContext, WebView paramWebView)
  {
...
truncated
...
    if (isDeviceRooted())
    {
      M_Utils.Log_Warning("M_DataManagement", "Device appears to be rooted.");
      setsecure("0", "Integrity");
      String str2 = getInputMethod();
      setsecure(str2, "InputMethod");
      M_Utils.Log_Debug("M_DataManagement", "Input method: " + str2);
      if (!isInputMethodCustom())
        break label249;
      M_Utils.Log_Warning("M_DataManagement", "The input method is custom.");
      setsecure("1", "CustomInputMethod");
    }
    while (true)
    {
      return;
      M_Utils.Log_Debug("M_DataManagement", "Device appears to be not rooted.");
      setsecure("1", "Integrity");
      break;
      label249: M_Utils.Log_Debug("M_DataManagement", "The input method is system.");
      setsecure("0", "CustomInputMethod");
    }
  }

private boolean isDeviceRooted()
  {
    int i = 0;
    while (true)
    {
      try
      {
        String str = (String)System.getenv().get("PATH");
        if (str != null)
          continue;
        M_Utils.Log_Error("M_DataManagement", "System path is null");
        break label179;
        String[] arrayOfString = str.split(":");
        if (arrayOfString.length != 0)
          break label181;
        M_Utils.Log_Error("M_DataManagement", "System path is empty");
        break label181;
        if (j >= arrayOfString.length)
          continue;
        boolean bool = new File(arrayOfString[j] + "/su").exists();
        if (!bool)
          continue;
        try
        {
          Runtime.getRuntime().exec("su").destroy();
          i = 1;
        }
        catch (Exception localException2)
        {
        }
        j++;
        continue;
      }
      catch (Exception localException1)
      {
        M_Utils.Log_Error("M_DataManagement", "Exception while detecting device integrity: " + localException1.getClass().toString() + " - " + localException1.getMessage());
        M_Utils.Log_Warning("M_DataManagement", "Cannot detect the device integrity");
      }
      label179: return i;
      label181: int j = 0;
    }
  }

private boolean isInputMethodCustom()
  {
    int i = 0;
    List localList = ((InputMethodManager)this.mCtx.getSystemService("input_method")).getEnabledInputMethodList();
    int j = localList.size();
    String str = Settings.Secure.getString(this.mCtx.getContentResolver(), "default_input_method");
    int k = 0;
    if (k < j)
    {
      InputMethodInfo localInputMethodInfo = (InputMethodInfo)localList.get(k);
      if (localInputMethodInfo.getId().equals(str))
        if ((0x1 & localInputMethodInfo.getServiceInfo().applicationInfo.flags) == 0)
          i = 1;
    }
    while (true)
    {
      return i;
      k++;
      break;
      M_Utils.Log_Error("M_DataManagement", "Default input method cannot be found: " + str);
    }
  }

To me it looks like its trying to switch to root, if it can, then gets a list of all input methods. See's which ones are custom (most likely, ones not standard with the OS). If its custom, sets some security parameters. Possibly to flag potential key logger, or to restrict/disable some features? I dunno.. I haven't dug any deeper.

No no, it only checks for non standard input methods, if it was able to get root access. It doesn't need root access to perform this check, it only does this check if it was able to gain root access.

Possibly they were trying some malware/key logger blocking attempt.

They store the security parameters in the "SharedPreferences" for their app.

public void setsecure(String paramString1, String paramString2)
  {
    SharedPreferences.Editor localEditor = secureStore.edit();
    if ((paramString2 != null) && (!paramString2.equals("")))
    {
      if ((paramString1 != null) && (!paramString1.equals("")))
        break label63;
      localEditor.remove(paramString2);
    }
    while (true)
    {
      if (!localEditor.commit())
        M_Utils.Log_Error("M_DataManagement", "Data storage failed.");
      return;
      label63: localEditor.putString(paramString2, paramString1);
    }
  }

However I cannot see it been accessed anywhere else in the app.

There is another part where they just check the input method again, without checking for root, or without reading/writing from/to the SharedPreferences:

public void checkForCustomInputMethods(Vector<String> paramVector, Hashtable<String, String> paramHashtable)
  {
    M_Utils.Log_Debug("UIControls", "Checking if user is using a custom keyboard...");
    List localList = ((InputMethodManager)this.mCtx.getSystemService("input_method")).getEnabledInputMethodList();
    int i = localList.size();
    for (int j = 0; ; j++)
    {
      if (j < i)
      {
        InputMethodInfo localInputMethodInfo = (InputMethodInfo)localList.get(j);
        if ((!localInputMethodInfo.getId().equals(Settings.Secure.getString(this.mCtx.getContentResolver(), "default_input_method"))) || ((0x1 & localInputMethodInfo.getServiceInfo().applicationInfo.flags) != 0))
          continue;
        AlertDialog localAlertDialog = new AlertDialog.Builder(this.mCtx).create();
        M_DataManagement localM_DataManagement = new M_DataManagement(this.mCtx, null);
        localAlertDialog.setTitle(localM_DataManagement.getPrompt("Error", "warning_general_heading"));
        localAlertDialog.setMessage(localM_DataManagement.getPrompt("Error", "errNonSystemKeyboard"));
        localAlertDialog.setButton(localM_DataManagement.getPrompt("General", "btnOK"), new DialogInterface.OnClickListener(localAlertDialog)
        {
          public void onClick(DialogInterface paramDialogInterface, int paramInt)
          {
            this.val$alertDialog.hide();
          }
        });
        localAlertDialog.show();
      }
      return;
    }
  }

Which looks to popup a warning dialog. I guess a default input method is any keyboard you have set as default, be it one you downloaded or one that came with the phone, and a non standard one is something else?? malware overlay, or I dunno!