Root detection not working as expected, delayed hook detection #121

Closed
shahmharsh opened this issue Jul 18, 2024 · 3 comments

shahmharsh commented Jul 18, 2024

Describe the bug
I have integrated the freeRASP SDK in my Flutter app. I am mainly interested in the root detection and hook detection capabilities. On testing I have observed that I am able to run on my rooted Android emulator (no callback), and when I try to dump the memory there is a delay in getting an onHooks callback.

To Reproduce

  1. Here's how I've integrated the SDK

```dart
import 'package:flutter/material.dart';
import 'package:flutter/services.dart';
import 'package:freerasp/freerasp.dart';

// Environment, AppConfig and SplashPage are the app's own types (not shown).
class MyApp extends StatefulWidget {
  const MyApp(this.environment, {super.key});
  final Environment environment;

  @override
  State<StatefulWidget> createState() => _MyAppState();
}

class _MyAppState extends State<MyApp> {
  // Both threat callbacks close the app.
  final _callback = ThreatCallback(
    onHooks: () => _exitApp(),
    onPrivilegedAccess: () => _exitApp(),
  );

  @override
  void initState() {
    super.initState();
    _initializeRasp(widget.environment);
  }

  @override
  Widget build(BuildContext context) {
    return const MaterialApp(
      title: 'Demo app',
      home: SplashPage(),
    );
  }

  Future<void> _initializeRasp(Environment environment) async {
    final config = TalsecConfig(
      androidConfig: AndroidConfig(
        packageName: AppConfig.getPackageName,
        signingCertHashes: [
          hashConverter.fromSha256toBase64(AppConfig.androidSha256)
        ],
      ),
      iosConfig: IOSConfig(
        bundleIds: [AppConfig.getPackageName],
        teamId: AppConfig.iosTeamId,
      ),
      watcherMail: '[email protected]', // TODO: Update this email address
      isProd: true,
    );

    // Attach the listener before starting the engine.
    Talsec.instance.attachListener(_callback);

    await Talsec.instance.start(config);
  }

  static void _exitApp() async {
    await SystemChannels.platform.invokeMethod<void>('SystemNavigator.pop');
  }
}
```
  2. For rooting the emulator, I have used adb root command

```
> adb root
adbd is already running as root
```

  3. For heap dump, I am using fridump and have followed the steps mentioned here. When I pull the dump, it takes a few seconds for the onHooks callback to be called.

Expected behavior

  1. Application should exit as soon as it's launched on a rooted device
  2. onHooks should be called immediately (or during execution of) when python3 fridump.py -U -s MyApp is executed

Please complete the following information:

  • Device: Pixel 6 Pro (emulator, without playstore)
  • OS version: API 31
  • Version of freeRASP: 6.6.0

shahmharsh added the bug label Jul 18, 2024

msikyna (Member) commented Jul 19, 2024

Hello @shahmharsh,

thank you for reporting the issue, we will look at it.

Kind regards,
Talsec team

rakesh0689 commented

I am also facing this issue in my production application, and because of that it has affected my new deployment as well. Is there a solution for this issue? I have tried adding a delay after starting the Talsec engine, but the issue still occurs and hooking/root detection can be bypassed using Magisk/Frida etc. If a solution can be provided as soon as possible, it will be really helpful.

yardexx (Member) commented Aug 1, 2024

Hello @shahmharsh,

Thank you for reporting this issue.

Root Issue
After further investigation, I've been able to reproduce the issue with adb root rooting. We will work on a fix for this. Please note that other forms of root detection are not impacted by this bug and will continue to function correctly.

Hooking Issue
I've also reproduced the hooking issue. The challenge with this detection is conceptual. freeRASP relies on periodic checks rather than proactive protection due to the nature of mobile platforms. Mobile platforms have limited computing power and energy resources, which means that proactive detection could make the app slower and/or significantly drain the battery.

freeRASP performs security checks at startup and then periodically after a set interval. This creates a time window that could be exploited for an attack. If you start the app directly with Frida, it will be detected. However, if you run the app and then attach Frida within this time window, Frida won't be detected until the next periodic check.

BusinessRASP+ offers the option to adjust the length of this period, allowing for more or less frequent checks.

We will add this issue to our backlog and work on improvements for the future.

Best regards,
Jaroslav from Talsec


Closing this issue and dividing it into a bug issue and an enhancement issue.
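
The detection window described in the reply above, modelled in plain Dart as an added example (not part of the issue thread and not freeRASP code). The 5-second interval, the call rate and every name here (`ThreatLatch`, `simulate`, `Result`) are constructed assumptions; the page does not state freeRASP's actual check interval.

```dart
// Virtual-time model of periodic RASP checks (added example, not freeRASP code).
// All names and timing values below are constructed for illustration.
typedef Result = ({int? detectedAtMs, int exposureMs, int served, int refused});

/// Latches the first threat report; sensitive code asks it before acting.
class ThreatLatch {
  int? detectedAtMs;
  bool get tripped => detectedAtMs != null;

  /// In an app this would be called from callbacks such as onHooks.
  void trip(int nowMs) => detectedAtMs ??= nowMs;

  /// Fail closed: run [action] only while no threat has been reported.
  T? guard<T>(T Function() action) => tripped ? null : action();
}

/// Checks run at t = 0 and then every [intervalMs]. A tool attaches at
/// [attachMs]; the app makes one sensitive call every [callEveryMs].
Result simulate({
  required int intervalMs,
  required int attachMs,
  required int callEveryMs,
  required int endMs,
}) {
  final latch = ThreatLatch();
  var served = 0, refused = 0;
  for (var t = 0; t <= endMs; t++) {
    final instrumented = t >= attachMs;
    if (t % intervalMs == 0 && instrumented) latch.trip(t);
    if (t % callEveryMs != 0) continue;
    final ok = latch.guard<bool>(() => true) ?? false;
    if (!ok) {
      refused++;
    } else if (instrumented) {
      served++; // sensitive call served inside the undetected window
    }
  }
  final hit = latch.detectedAtMs; // null if never detected before endMs
  final exposure = (hit ?? endMs) - attachMs;
  return (detectedAtMs: hit, exposureMs: exposure, served: served, refused: refused);
}

void main() {
  for (final attach in [0, 1, 2500, 4999]) {
    final r = simulate(intervalMs: 5000, attachMs: attach, callEveryMs: 500, endMs: 12000);
    print('attach=$attach detected=${r.detectedAtMs} exposure=${r.exposureMs}ms '
        'served=${r.served} refused=${r.refused}');
  }
}
```

Attaching at startup is caught by the first check, while attaching just after a check leaves almost a full interval of exposure. The latch keeps every later sensitive call refused regardless of how quickly the app itself exits.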

yardexx closed this as completed Aug 1, 2024