How does Snapchat detect XPosed Framework?
Asked Answered
P

3

7

I tried to install Snapchat on my newly rooted and Xposed smartphone. But the login is impossible as Snapchat detects Xposed Framework. I "understand" the reason of this restriction, even though I think it's a bit too much as I don't use Xposed for Snapchat.

But my question is: How do they detect the Framework ?

Perutz answered 28/10, 2016 at 7:54 Comment(3)
Do you want to know how exactly Snapchat detects Xposed or how you can detect it yourself?Finery
It's just for curiosity but the two are interesting I think.Perutz
I just wrote a method that gets the currently installed Xposed version. I installed Xposed and Snapchat hasn't restricted me in anyway. I also decompiled Snapchat and did a search for xposed and there were no results.Finery
F
10

SnapChat uses Google's SafetyNet Attestation API and does not specifically check if XPosed is installed. SnapChat runs SafetyNet the first time the app is launched.

To make sure SnapChat does not specifically check for the XPosed framework, I decompiled Snapchat and ran grep -lri xposed. The search came up with no results.

Checking if XPosed is installed:

I'm sure there are plenty of ways you could check if Xposed is installed. I wrote the following method which gets the currently installed Xposed version or returns null if the XposedBridge.jar was not found on the device:

/**
 * Get the current Xposed version installed on the device.
 * 
 * @param context The application context
 * @return The Xposed version or {@code null} if Xposed isn't installed.
 */
public static Integer getXposedVersion(Context context) {
  try {
    File xposedBridge = new File("/system/framework/XposedBridge.jar");
    if (xposedBridge.exists()) {
      File optimizedDir = context.getDir("dex", Context.MODE_PRIVATE);
      DexClassLoader dexClassLoader = new DexClassLoader(xposedBridge.getPath(),
          optimizedDir.getPath(), null, ClassLoader.getSystemClassLoader());
      Class<?> XposedBridge = dexClassLoader.loadClass("de.robv.android.xposed.XposedBridge");
      Method getXposedVersion = XposedBridge.getDeclaredMethod("getXposedVersion");
      if (!getXposedVersion.isAccessible()) getXposedVersion.setAccessible(true);
      return (Integer) getXposedVersion.invoke(null);
    }
  } catch (Exception ignored) {
  }
  return null;
}

As far as I can tell, Xposed has always had XposedBridge.jar in /system/framework so this should work for the official releases of Xposed but could break in future releases.

Finery answered 28/10, 2016 at 9:38 Comment(3)
It's exactly the method I was thinking of (check the existence of a specific file). But then, why isn't the name of that file randomized so that it becomes "nearly impossible" to detect it ?Perutz
@Perutz Because it doesn't make it any harder to detect. Other methods of detecting Xposed include throwing a dummy exception and checking if Xposed methods are in the stacktrace, and checking for the presence of the Xposed Installer. Also, if the JAR file name is randomized, how would Xposed know where to find it?Pneumatology
Can't it be hooked theoretically?Birdwatcher
R
2

I believe Snapchat uses SafetyNet, the API which also protects Android Pay and Pokemon GO.

Recidivate answered 5/1, 2017 at 18:14 Comment(0)
J
0

Xposed can be checked by reflect,in class XposedHelper

public class XposedHelper {
    private static final String LOGTAG = "XposedHelpers";
    private static final HashMap<String, Field> fieldCache = new HashMap<>();
    private static final HashMap<String, Method> methodCache = new HashMap<>();
    private static final HashMap<String, Constructor<?>> constructorCache = new HashMap<>();
    private static final WeakHashMap<Object, HashMap<String, Object>> additionalFields = new WeakHashMap<>();
    private static final HashMap<String, ThreadLocal<AtomicInteger>> sMethodDepth = new HashMap<>();
}

check if contains your app info in these parameter.

Jataka answered 4/9, 2019 at 3:59 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.