Old 11-25-2018, 04:20 PM   #1
Doppleganger
Fate/Grand Order exploits Android vulnerability to detect root

I spend a lot of time on XDA Developers, but not for news. However, one news article did catch my eye!

Originally Posted by XDA Developers
The mobile Android operating system is used on over 2 billion devices each month by both regular consumers and tech enthusiasts. Although the number of people who unlock the bootloader and root their smartphones is relatively small when compared to the overall population of Android users, there’s still a lot of us out there on forums like XDA and Reddit. Magisk is an indispensable tool for the tinkering community. It provides systemless root access and has tools like MagiskHide to enable rooted users to continue using the apps, games, and services they enjoy without restrictions. However, a popular Anime game has been cleverly abusing a system security vulnerability to bypass Magisk’s anti-root detection. Here’s how that works and which devices are affected by this security vulnerability.


A popular Anime game called Fate/Grand Order blocks rooted users from attempting to play the game. XDA Recognized Developer topjohnwu, the lead developer of Magisk, previously discovered a way to bypass Fate/Grand Order’s root detection, but his solution was not working on his OnePlus 6 despite his best efforts. Determined not to give up, the developer analyzed Fate/Grand Order to figure out how it was still detecting root on his OnePlus device. As he explains in his Medium post, this led him to the discovery of a security vulnerability that Fate/Grand Order was seemingly abusing to continue detecting root access on OnePlus devices.

On Unix-based operating systems, there’s a special filesystem called “procfs” containing information on processes (think apps) such as their memory usage (think RAM), status (whether the process is running, sleeping, etc.). On most Unix-based operating systems, the user and apps have easy access to procfs to see what kinds of apps and services are running on their system (think of it like Windows’ Task Manager.) However, Google began to lock down access to procfs starting in Android 7.0 Nougat. Before Android Nougat, apps like SystemPanel were able to collect data on what apps were running without needing any special permissions. After Android Nougat, apps need to use APIs like UsageStats or AccessibilityService, both of which are gated by permissions that must be granted by the user.

Google prevents apps from reading the status of other apps via procfs by mounting /proc with the flag “hidepid=2.” By mounting procfs with hidepid=2, apps can only see the status of their own process. Thus, an app would need to use the accepted APIs like UsageStats or AccessibilityService to gain information on what apps and services are running on the device.


What if procfs isn’t mounted with hidepid=2? Well, then apps would freely be able to read the status of other apps (and mount points) running on the system without needing any extra permissions*. Google mounts procfs with hidepid=2 on their own devices, but they don’t enforce this requirement on devices from other manufacturers. Several devices from LG, OnePlus, Huawei/Honor, Xiaomi, and others have not been mounting procfs with hidepid=2, which is what apps like Fate/Grand Order take advantage of to detect whether Magisk is present on the device.

*A security change in Android 9 Pie prevents apps from reading information outside of their own “SELinux context” because every app is now isolated individually. SELinux is a kernel module that acts as a gatekeeper of sorts, blocking apps and services from accessing files they’re not supposed to. An SELinux context is like a label for a file which has information like the user and role. Apps with the same SELinux context can read information about other apps in the same context if the hidepid=2 flag is not enabled for procfs. On devices running Android 9 Pie, only apps that are built targeting Android Pie will have Android Pie’s new SELinux changes apply to them. Apps that target Android 8.1 Oreo or below will use the old SELinux rules, allowing them to access information about processes in the same SELinux context so long as procfs is mounted without hidepid=2. Most apps running on your device should at least be targeting Android 8.0 Oreo thanks to new Google Play requirements, but many won’t have been updated to target Android Pie just yet.

How bad is this?

If we were to compare this system vulnerability to exploits like Fusée Gelée, Blueborne, KRACK, and Meltdown/Spectre, then this bug pales in comparison. Apps can’t use this to gain root access or steal your passwords. Your banking accounts are safe, and so are your credit cards. The worst an app can do is tell whether another app is running on your device, which has very limited uses. Remember that this is standard behavior on many GNU/Linux distributions and that Google only recently started blocking access to procfs with Android Nougat. This bug allows apps to bypass needing certain permissions to monitor other processes, but they still can’t break Android’s sandbox and steal data from other apps. Regardless, this is unintended behavior and breaks a privacy feature of Android, so it must be fixed.
Now we can believe in each other
Never giving up, our hearts joined together
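As an added example (not code from the XDA article, the game, or the Magisk project), here is a small Python audit that parses a /proc/mounts-style table and reports whether procfs carries the hidepid=2 option the article describes; the two mount tables embedded below are constructed samples, and "invisible" is the newer-kernel spelling equivalent to hidepid=2.

```python
"""Audit whether procfs is mounted with hidepid=2 (the Android Nougat+ lockdown).
Parses /proc/mounts-style lines: device mountpoint fstype options dump pass."""
import sys

# Constructed sample: a locked-down table where /proc carries hidepid=2.
HARDENED_MOUNTS = """\
/dev/root / ext4 ro,seclabel,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,gid=3009,hidepid=2 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
"""

# Constructed sample: an OEM-style table where /proc lacks the hidepid option.
EXPOSED_MOUNTS = """\
/dev/root / ext4 ro,seclabel,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
"""

def parse_mounts(text):
    """Yield (mountpoint, fstype, {option: value}) for each mount line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line, skip it
        opts = {}
        for opt in fields[3].split(","):
            key, _, val = opt.partition("=")  # flags without '=' get val ''
            opts[key] = val
        yield fields[1], fields[2], opts

def proc_hidepid(text):
    """Return the hidepid value set on /proc, '' if /proc is mounted without
    the option, or None if procfs is not mounted at all."""
    for mountpoint, fstype, opts in parse_mounts(text):
        if mountpoint == "/proc" and fstype == "proc":
            return opts.get("hidepid", "")
    return None

def procfs_hides_other_pids(text):
    """True only when a process can see its own /proc/<pid> directory alone:
    hidepid=2, or the 'invisible' spelling accepted by newer kernels.
    hidepid=1 (or 'noaccess') still lists other PIDs, so it does not count."""
    return proc_hidepid(text) in ("2", "invisible")

if __name__ == "__main__":
    # On a live Linux/Android shell, audit the real mount table (or a saved copy).
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/mounts"
    with open(path) as f:
        table = f.read()
    print("hidepid=%r -> other PIDs hidden: %s"
          % (proc_hidepid(table), procfs_hides_other_pids(table)))
```

Running it on the device (for example via `adb shell`) prints an empty hidepid value on the OEM builds the article lists, which is exactly the condition that lets an app enumerate other processes without the UsageStats or AccessibilityService permissions.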
