Bypassing Root Detection in Three InTouch

Three recently released “InTouch”, an application for Android and iOS that allows you to use a WiFi network to send/receive phone calls and text messages, meaning that you can continue to use your phone as a phone without having a cellular network connection.

Unfortunately for me, Three decided not to allow rooted devices to use the application – launching the app on a rooted device resulted in a “It seems that the device is rooted. This application can not run on rooted device” error.

Screenshot_2014-10-16-14-48-57

 

Not wanting to miss out on being able to use their application (my house is a signal deadzone), and being unwilling to un-root my phone, I decided to explore other avenues.

Firstly, I downloaded the APK file from my phone using adb:

adb pull /data/app/com.hutchison3g.threeintouch-1.apk

I then decompiled the application into Smali using apktool, by running the following command:

apktool d com.hutchison3g.threeintouch-1.apk

This created a new folder with the same name as the APK file. Inside that folder was another folder called “smali’, which contains the smali disassembly of the APK.

A simple grep for the string “root” was all that was needed to find the sections of the disassembly responsible for root detection:

The relevant lines were those containing “device is rooted” – in this case, “v.smali” and “FgVoIP.smali”. Opening up FgVoIP.smali and searching for the line containing the word “root” gave me some context:

Screen Shot 2014-10-16 at 15.21.09

Line 4193 is an if statement, checking if the register v0 is equal to zero. The value of v0 is return value of the method invoked on line 4189. In the case that v0 is equal to zero, execution jumps to whatever is at the label :cond_2 – if v0 is anything other than 0, then a string mentioning “device is rooted” is defined, and passed to another method. With that in mind, it’s fair to say that a() in the FgVoIP class is probably their “root checking” method.

An easy way to patch this root detection out is to modify the if statement on 4193 to make it unconditional. I did this by replacing “if-eqz v0, :cond_2” with “goto :cond_2”:

Screen Shot 2014-10-16 at 15.27.21

I then repeated a similar process on “v.smali”.

Once I had modified the two smali files to skip the root detection, I needed to re-compile the apk file so that I could install it on my device. I accomplished this by running:

apktool b com.hutchison3g.threeintouch-1 -o com.hutchison3g.threeintouch-1-patched.apk

However, the resultant APK was un-signed. In order to install the APK onto my device, I needed to generate a key and sign the APK. I did this by following the instructions for “Signing Your App Manually” on the Android SDK documentation.

Once I had signed my app, I was able to install it by running “adb install com.hutchison3g.threeintouch-1-patched.apk”. I was then able to launch and use the Three InTouch app without any problems.

Screenshot_2014-10-16-15-40-16

 

It’s worth noting that I did this as a learning exercise, and don’t recommend that you necessarily go out there and do this yourself. Similar techniques can be used to bypass root detection in many Android Applications.

 

43 thoughts on “Bypassing Root Detection in Three InTouch

  1. Well done Sir! Three like a lot of companies are a PITA for root-blocking. Had to root my S4 as Kit Kat has blocked the ability to use a decent file manager like ES3 for saving files to my external SDCard. And then released an app that doesn’t work on rooted phone grrrr.
    I’m up for having a go at following you procedure…
    2 quick questions:
    1 – the line “goto :cond_2” does that replace the line 4193 “#if-eqz v0 :cond_2”? I ask as on you screen cap it appears as line 4194.
    2 – you would become world renowned [or at least with Three UK users with rooted phones that is 😛 ] if you were to upload the root-check-bypassed version of this apk!

    1. Hey Andy, sorry for the delay. It is frustrating… I can see the reasons under certain circumstances (like banking apps), but I’m not totally sure of the rationale behind this decision.

      In response to your questions:
      1. Yes, the “goto :cond_2” replaces the if statement – it removes the condition that the “is-rooted” method returned false. I suspect that mine is on a different line because I added some whitespace/a comment above it somewhere 🙂
      2. Haha, I had considered it… but I’d rather not have to deal with the potential legal repercussions of re-distrubuting Three’s software – providing more generic instructions seemed the best compromise.

      1. joe, is there any chance you could point me to this modified app again please? 3 intouch was updated yesterday and my phone wont work again.
        Best Regards
        Brian

  2. You should look into Xposed 🙂 It’s awesome for many reasons (search for GravityBox for example) but it allowed me to achieve this result without even modifying the patch itself.

    Just at runtime the Xposed modules executes

    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
    param.setResult(false);
    }

    Which sets the root checking method to false before it even gets to run, all without touching Three’s code itself, and no need for repackaging or signing 🙂

    1. Hi Dave. Thanks for the comment. I had considered using Xposed or Substrate or something along those lines – but I chose to do it this way for the learning experience 🙂 Next time I might try your way.

  3. Thanks – worked a charm.
    I have a OnePlus One – runs CM11 but not rooted.
    Three InTouch app was failing, claiming phone was rooted – even though other apps like Good and First Direct Banking are OK with the root status.

    I didn’t want to go the root/xposed or other rooting/cloaking methods as modifying one app, rather than root masking multiple apps seems the way to go (not to mention my employer’s acceptable use policy for Good explicitly mentions devices must not be rooted).

  4. Indeed a good tutorial. I thought I might give it a go but then would have to read up on the signing and so on. In the end I went with the quick fix but this is definitly a good reference for tweaking things.

    As this is the only post that shows up on search results I’ll second the Xposed option but I used the module RootCloak, for those that want the easy option.

    Install module and enable, reboot.
    Force Close inTouch to be sure, open the RootCloak module and add the app to the list already there.

  5. I’m really glad I found this and I’ve managed to modify the FgVoIP.smali file, but could you show us the modifications needed for v.smalli, please? I’m unable to see, clearly, what needs to change here.

    1. Hi Justin,

      Line 44 of v.smali is what you need to change. It should previously have read “if-eqz v0, :cond_0”, and needs to be changed to “goto :cond_0”. Hope that helps!

      (edited to s/v0/:cond_0/g my error)

      1. Hurrah! Got it working! Thank you very much 🙂

        It was actually: goto :cond_0 not v0 but now I can use my phone at work and elsewhere. Suh-weet!

        If you’ve an Amazon wishlist, ping me and I’ll grant you something 🙂

    1. I’ve decided against including a link to the patched APK – not sure how that works from a legal stand-point. There are some patched InTouch APKs out there, a Google Search should turn them up.

      1. Great thanks. Cracked it. Had some problems signing it but got that sorted, deleted the original three app as it would not install the patched app with the original app present, but great! thank you!

  6. Thank you so very much. I was about to shoot myself. Xposed would not work in my case as the phone is not rooted. Out of interest, what should we do if Three offer an update?

    1. No worries Brian – It seems that InTouch falsely detects a few phones as having been rooted.

      If Three offer an update, and you apply it, then you’ll loose the modifications. However, as this APK will not have been installed through Google Play, the normal update notification system probably won’t work. If they added some features to the official version that you wanted, you’d have to repeat this process on the new APK – unless they modified those two classes specifically, the same process should apply. If they modified them, then it will be a similar task but probably with slightly different line numbers.

  7. Can someone just upload the modified apk somewhere. Or email it to me, I really don’t have the time to piss about with it.

  8. I found fgvoip.smali and made the change, however I the v.smali in that same folder doesn’t have the code that needs to be changed. Am I missing something?

    thanks in advance.

  9. Don’t seem to get this to work on Android L. I can pull the file but its inside adb pull /data/app/com.hutchison3g.threeintouch-1/base.apk. Is that right ?

  10. Thanks for your help . I think i’m moving forward.slowly!
    ok so I have decompiled the base.apk and its has created a folder base and inside is a smali folder (as well as others (assets,lib,res folders ) and a andoridmanifest and a apktool.yml. So I go into the smali folder and find 4 other folders which are android,com,net and org. do you just run a grep or in my case findstr (windows) on . I have tried at the root of smali folder to find any “root” but windows displays none found.
    What do you think? Shall I give up now.
    I cant use Xposed etc because it wont work with Android L. Nightmare!

    1. Hi Bob,

      I’ve just checked the usage for findstr – are you passing the s flag, so that subdirectories are also searched? The files you need to modify are in subdirectories of the smali folder. It should work without any problems under Windows once you’ve found exactly which files need editing.

  11. Hello, thank you for posting this.

    I don’t know much about mobile technology. Would you be able to explain the first step:

    “Firstly, I downloaded the APK file from my phone using adb”

    Thank you

    1. Of course. You’ll need to download the Android SDK, which is used by developers to make Android Applications. This set of tools includes a program called “adb”, which stands for Android Debug Bridge, and lets you interact with Android Devices (and Android Emulators).

      Running the command ‘adb pull /data/app/com.hutchison3g.threeintouch-1.apk’ instructs ADB to connect to your phone, and download the file at the path “/data/app/com.hutchison3g.threeintouch-1.apk” to your current directory on your computer.

      Hope that helps. Any more questions, fire away.

  12. hi im currently trying to get the new stan apk to work on my kogan tv but it comes up with the same msg as you got at the top of the page. i was going to try this method out on the stan app and see if i could get it to run but every thing i have done to try follow your method fails not really that good when comes to using command prompt. would you be willing to send me through a email to try help out?

    thanks

      1. Hi, is it possible for you to send me the ‘fixed’ apk file so I can also load on my kogan tv?
        Would be very grateful.

        Cheers,
        Tom

  13. Hi Joseph,
    I have an apk that has a whole separate smali dedicated to checking for root in at least 10 different but fairly basic ways, I don’t really know much code although ‘sublime text editor’ with the smali syntax plugin and good colour scheme has helped me a bit.

    I don’t want an unrooted phone but I’d love to use this app…
    Could you email me if you are interested in looking over the file and giving me some pointers?

    Cheers,
    Guido

  14. Just a question. Is there a way to remove the sim change check?

    If there was I can see potentially having 2 numbers on the phone for calls / texts.

Leave a Reply

Your email address will not be published. Required fields are marked *