An app I am working on at work was recently pen tested. One of the risks that came back in the report was that it has no proper Hook detection. I had implemented the RootBeer library but that was easily avoided.

A Frida script was created by the tester for the Android application to modify the root detection logic at run time. The script hooked into the System.exit method to return false instead of true. This prevented the application from exiting after the application detected that the device has been rooted.

It was recommended by the pen testers that we implement as many different checks as possible in order to deter reverse engineers.

One of those checks is to get the Android application to scan its own memory map file located at

/proc/<pid>/maps

where

<pid>

is the app’s process ID (PID).

I have checked the Android docs and can only find info on handling memory but nothing on scanning the memory. eg. https://developer.android.com/topic/performance/memory

I see you can "get a MemoryInfo object for the device's current memory status". But this only shows the available memory on the system.

Does anyone have a solution to this problem?

Many techniques exist for detecting reverse engineering tools like Frida and Xposed. Most effective according to OWASP's Guide to Android Anti-Reversing Defenses is by "Scanning Process Memory for Known Artifacts". Details and other methods for detection of reverse engineering tools can be found in OWASP-mastg.

Brief Overview

Since Android OS is based on Linux kernel you will be able find /proc in root directory. It contains all runtime system information, including the system memory information. /proc is basically a virtual filesystem which is a unix term. More information about /proc can be found here.

By opening up terminal using any terminal application or by using adb shell, you will be able to list all the processes by using

 ls /proc

Inside you can further access information of any running process my navigating to

ls /proc/{Process-Id}

According to Linux kernel implementation found here, we can access currently running process by reading content inside

/proc/self

Memory maps to executables and library files of currently running process can be found under.

/proc/self/maps

By viewing memory maps, libraries of Xposed and Frida that are of file type .so and .jar can be traced and hence inspected for signatures. Output of /proc/self/maps can be viewed and inspected with Android Termial via adb shell or with some terminal application.

cat /proc/self/maps

Kotlin

Here is method I have written in kotlin that returns true if Xposed or Frida is found in Android App memory.

 private fun detectHooking(): Boolean{
  val libraries: MutableSet<String> = mutableSetOf("")
  var mapsFilename : String
  mapsFilename= "/proc/" + Process.myPid() + "/maps"
  val file = File(mapsFilename)
  var n : Int
  var lineSubstring: String

try {
  file.bufferedReader().forEachLine {
    if(it != null){
      if ((it.endsWith(".so") || it.endsWith(".jar"))) {
        n = it.lastIndexOf(" ")
        lineSubstring = it.substring(n + 1)
        libraries.add(lineSubstring)
      }
    }

  }
  for (library in libraries) {
    if (library.contains("XposedBridge.jar")) {
      Log.wtf("HookDetection", "Xposed JAR found: $library")
      return true
    }
    if (library.contains("frida") || library.contains("LIBFRIDA")) {
      Log.wtf("Frida Detection: ", "Frida Artifact Found : $library")
      return true
    }
  }

} catch (e: Exception) {
  return false
}
return false    
}

Please note that the techniques for detecting opensource tools becomes obsolete with time. An experienced Reverse Engineer can bypass most detection methods but when these detection methods are combined, it only becomes harder and not impossible.

Good Luck :)