← Back

UnCrackable Level 1 - Mobile Security Writeup

By Shay Mordechai | April 22, 2026

The `onCreate` method immediately executes Root and Debug detection checks. The Root checks analyze the `PATH` environment for the `su` binary, check the ROM signature (`Build.TAGS` for `test-keys`), and utilize JNI `exists()` syscalls to silently verify restricted files[cite: 15].

AES Validation: The validation logic relies on `AES/ECB/PKCS7Padding` to decrypt a hardcoded string and compare it to user input[cite: 15].

Bypass: I wrote a Frida script to hijack the return values of the root/debug classes to always return `false`. I implemented a "Spy" Hook on the decryption wrapper class, dynamically extracting the plaintext Secret Key directly from the JVM memory prior to validation[cite: 15].