Device is Blacklisted at runtime, now what?
Summary: The article describes the device isolation mechanism that RASP (Runtime Application Self-Protection) triggers after detecting root traces several times. By analysing the RASP workflow and the device-fingerprint generation process, it discusses how modifying system properties and spoofing the device ID can bypass the blacklisted state. 2026-3-3 06:11:24 Author: infosecwriteups.com

Suprit Pandurangi


Have you ever wondered how Runtime Application Self-Protection (RASP) isolates a device once it identifies root traces?

During an Android application assessment, I encountered a runtime protection behavior in which repeated root detection events (observed within 3–5 attempts) triggered a RASP enforcement mechanism. The application subsequently blacklisted the device by correlating device fingerprint characteristics with unique device identifiers, effectively blocking further access from the same mobile environment.

This article does not discuss methodology for bypassing RASP protections. Instead, it focuses on post-bypass analysis scenarios where root detection has already been neutralized, but device-level blocking remains enforced by the service provider.

Technical exploitation

In Magisk’s DenyList, enable the target application, as shown in the screenshot below.


Now, in the Hide My Applist module, configure the template and presets for the target application.


Because the application has already detected root 3–5 times on this device, the runtime protection isolates the device: rather than the layered dialog/toast messages for the BusyBox binary, SU binary, etc., the app simply says “Rooting detected”, as shown below. This means the device has been blacklisted.


How does the RASP API call work to isolate a device?

The diagram below illustrates how the mobile app integrates the RASP SDK to collect multi-layer device signals, generate a signed device fingerprint, and transmit it to the backend for risk evaluation and policy enforcement (a permission/decision such as allow, restrict, or blacklist).

┌──────────────────────────────┐
│      Mobile Application      │
│       (With RASP SDK)        │
└──────────────┬───────────────┘
               │ ① Collect Signals
               ▼
┌─────────────────────────────────────────┐
│        On-Device Data Collection        │
│                                         │
│  • Build fingerprint / model / OS       │
│  • Hardware profile & sensors           │
│  • Baseband / telephony info            │
│  • Root / hook / debugger detection     │
│  • Emulator & environment indicators    │
│  • App integrity & runtime state        │
└──────────────┬──────────────────────────┘
               │ ② Normalize + Hash + Sign
               ▼
┌─────────────────────────────────────────┐
│         Device Signature Object         │
│                                         │
│  deviceSignature {                      │
│    systemProfile                        │
│    integrityFlags                       │
│    environmentSignals                   │
│    appMetadata                          │
│  }                                      │
└──────────────┬──────────────────────────┘
               │ ③ Secure API Transmission (TLS)
               ▼
┌─────────────────────────────────────────┐
│         Risk Evaluation Server          │
│                                         │
│  • Reconstruct fingerprint              │
│  • Compare with reputation database     │
│  • Detect anomalies / spoofing          │
│  • Apply policy rules                   │
│  • Calculate risk score                 │
└──────────────┬──────────────────────────┘
               │ ④ Enforcement Response
               ▼
┌─────────────────────────────────────────┐
│          API Decision Payload           │
│                                         │
│  riskScore                              │
│  deviceStatus (trusted / blocked)       │
│  action (allow / restrict / blacklist)  │
└──────────────┬──────────────────────────┘
               │ ⑤ App Enforcement
               ▼
┌──────────────────────────────┐
│      Runtime Protection      │
│  • Allow normal usage        │
│  • Restrict features         │
│  • Device blacklisting       │
└──────────────────────────────┘

To bypass this additional layer of checks, I had to modify and spoof the system properties one by one, as listed in the screenshot below.


cnrd/MagiskHide-Props-Config: MagiskHidePropsConf

The RASP also relies primarily on the Android Device ID when it blocks a device.


Android Device ID is a 64-bit hex string generated when a device is first set up and tied to the device + user profile. Apps commonly use it as a stable identifier for analytics, fraud detection, and device fingerprinting.

Next, the device ID was spoofed using https://github.com/sidex15/deviceidchanger and the device was rebooted, as shown below.


Boom, device blacklisting was successfully bypassed.
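The diagram above shows the backend reconstructing the fingerprint, comparing it with a reputation database and detecting spoofing, and the write-up shows that a changed Android Device ID was enough to get past this particular implementation. The following is an added example, not code from the article or from any RASP vendor, of a minimal risk-evaluation server in Python that replays that exact sequence: a clean contact, three root detections, then a fresh Android ID on unchanged hardware. It keys the reputation record on a hash of hardware/build traits (excluding the Android ID) so that an ID change on a known hardware profile is scored as an anomaly. The signals, build values, signing key, score weights and thresholds are all constructed for the demo and are assumptions, not values from the page.

```python
import hashlib
import hmac
import json

# Constructed placeholder key shared by the (hypothetical) RASP SDK and the backend; not a real key.
SDK_SIGNING_KEY = b"placeholder-sdk-signing-key"

# Hardware/build traits used to key the reputation record. ANDROID_ID is deliberately
# left out so that changing it alone does not make the backend see a "new" device.
HW_TRAITS = ("buildFingerprint", "model", "board", "bootloader")


def canonicalize(obj: dict) -> bytes:
    """Step 2 (normalize): deterministic JSON so client and server hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_device_signature(signals: dict) -> dict:
    """Step 2 (hash + sign): the device signature object the SDK side would transmit."""
    payload = canonicalize(signals)
    return {
        "signals": signals,
        "digest": hashlib.sha256(payload).hexdigest(),
        "mac": hmac.new(SDK_SIGNING_KEY, payload, hashlib.sha256).hexdigest(),
    }


def hardware_profile_hash(signals: dict) -> str:
    """Server-side reconstruction of a fingerprint from hardware traits only."""
    profile = {k: signals["systemProfile"][k] for k in HW_TRAITS}
    return hashlib.sha256(canonicalize(profile)).hexdigest()


def evaluate(signature: dict, reputation: dict) -> dict:
    """Steps 3-4: verify the MAC, reconstruct the fingerprint, consult the reputation
    database, score the risk and return the decision payload from the diagram.
    `reputation` maps hardware_profile_hash -> {"androidIds", "rootEvents", "status"}."""
    payload = canonicalize(signature["signals"])
    expected = hmac.new(SDK_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature["mac"]):
        return {"riskScore": 100, "deviceStatus": "blocked",
                "action": "blacklist", "reasons": ["signature mismatch"]}

    signals = signature["signals"]
    android_id = signals["systemProfile"]["androidId"]
    hw = hardware_profile_hash(signals)
    rec = reputation.setdefault(hw, {"androidIds": set(), "rootEvents": 0, "status": "trusted"})
    score, reasons = 0, []

    if signals["integrityFlags"].get("rootDetected"):
        rec["rootEvents"] += 1
        score += 40
        reasons.append("root indicators reported")
    if signals["environmentSignals"].get("hooksDetected"):
        score += 20
        reasons.append("hooking framework detected")
    # Spoofing anomaly: a hardware profile already on record now presents a new ANDROID_ID.
    if rec["androidIds"] and android_id not in rec["androidIds"]:
        score += 50
        reasons.append("androidId changed for a known hardware profile")
    rec["androidIds"].add(android_id)
    # Repeated root events on the same hardware profile flip the record to blocked.
    if rec["rootEvents"] >= 3:
        rec["status"] = "blocked"
    if rec["status"] == "blocked":
        score = max(score, 90)
        reasons.append("hardware profile is blacklisted")

    action = "blacklist" if score >= 80 else "restrict" if score >= 40 else "allow"
    status = "blocked" if action == "blacklist" else "trusted"
    return {"riskScore": min(score, 100), "deviceStatus": status,
            "action": action, "reasons": reasons}


def make_signals(android_id: str, rooted: bool) -> dict:
    """Constructed sample signals; the build values are invented for the demo."""
    return {
        "systemProfile": {"buildFingerprint": "example/demo/demo:14/DEMO.001/1:user/release-keys",
                          "model": "Demo Phone", "board": "demoboard", "bootloader": "demo-bl-1",
                          "androidId": android_id},
        "integrityFlags": {"rootDetected": rooted},
        "environmentSignals": {"hooksDetected": False},
        "appMetadata": {"versionCode": 1},
    }


def demo() -> list:
    """Replays the sequence from the write-up: a clean contact, three root detections,
    then a fresh ANDROID_ID on the same hardware with root indicators no longer reported."""
    reputation = {}
    sequence = [("aaaa1111bbbb2222", False)] + [("aaaa1111bbbb2222", True)] * 3 \
        + [("cccc3333dddd4444", False)]
    return [evaluate(build_device_signature(make_signals(aid, rooted)), reputation)
            for aid, rooted in sequence]


if __name__ == "__main__":
    for step, decision in enumerate(demo(), 1):
        print(step, decision)
```

The fifth decision stays "blacklist" because the record is keyed on the hardware profile, and the changed ID is itself reported as an anomaly. Spoofing the build properties as well, as the write-up does with MagiskHide Props Config, moves that key too, which is why a backend should fold several independent signals from step ① into the fingerprint and check that they change together consistently rather than relying on any single identifier.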



Source: https://infosecwriteups.com/your-device-is-blacklisted-at-runtime-now-what-cfc1a66973dc?source=rss----7b722bfd1b8d---4