By this point you have a working mobile lab: you can hook methods, bypass pinning, and probe the backend API. The final step is defeating apps that push back with hardened root/jailbreak detection, integrity checks, code obfuscation, anti-debug, and RASP (Runtime Application Self-Protection) frameworks. This module covers the tricks for each and the methodology for chaining findings into a demo exploit that lands with leadership.
Why apps harden
- Protect IP (proprietary algorithms, DRM, anti-piracy)
- Prevent account abuse (mobile games, streaming, ad-supported apps)
- Regulatory (banking, payment apps must resist tampering under PCI-DSS / local regulators)
- Supply-chain risk reduction (stop malware repackaging)
From a pentester’s view: if the app is hardened, the bar to bypass it is part of what the customer pays for. Document every layer defeated.
Root/Jailbreak detection: patterns and bypasses
Common detection patterns (stacked from simple to hard):
- File existence checks: looking for su, Magisk, Cydia, Sileo binaries. Bypass: rename binaries, use Magisk Hide / Shamiko to hide from the target app
- Package checks: Android uses getInstalledPackages to look for known root apps; iOS checks for /Applications/Cydia.app. Bypass: hook PackageManager; use the Magisk Hide denylist
- System property checks: ro.debuggable, ro.secure. Bypass: hook System.getProperty
- exec() fingerprinting: running commands such as which su and checking the output. Bypass: hook Runtime.exec / ProcessBuilder
- Mount point inspection: looking for /system remounted rw. Bypass: kernel-level hooks, Zygisk modules
- Native detection: C/C++ code in JNI libraries that replicates the checks. Bypass: Frida Interceptor on the native functions, usually stat, fopen, access
- Attestation APIs: Google Play Integrity API, Apple DeviceCheck/AppAttest. These ask the vendor server whether the device/app is untampered. Bypass: hook the attestation call and return a cached valid token (works until the token expires or the server rotates keys), or move testing to Corellium (not jailbroken in the detectable way)
A layered bypass script
    // frida-hardening-bypass.js
    Java.perform(function() {
        // File.exists checks: hide the paths a root check looks for
        var File = Java.use('java.io.File');
        File.exists.implementation = function() {
            var path = this.getAbsolutePath();
            if (path.match(/su|magisk|xposed|substrate/i)) {
                console.log('[BYPASS] File.exists blocked: ' + path);
                return false;
            }
            return this.exists();
        };

        // Runtime.exec: make "which su" style probes fail as if the binary is absent.
        // Match whole words so commands that merely contain "su" are not affected.
        // The exec(String[]) overload is not hooked here; hook it the same way if the app uses it.
        var Runtime = Java.use('java.lang.Runtime');
        Runtime.exec.overload('java.lang.String').implementation = function(cmd) {
            if (/\bwhich\b|\bsu\b/.test(cmd)) {
                console.log('[BYPASS] Runtime.exec blocked: ' + cmd);
                throw Java.use('java.io.IOException').$new('not found');
            }
            return this.exec(cmd);
        };

        // System properties: fake a stock build. ro.* keys are not Java system
        // properties; on Android apps read them through android.os.SystemProperties,
        // so that class is hooked as well or the check is never reached.
        var fakeProps = { 'ro.debuggable': '0', 'ro.secure': '1' };
        var System = Java.use('java.lang.System');
        System.getProperty.overload('java.lang.String').implementation = function(key) {
            if (key in fakeProps) return fakeProps[key];
            return this.getProperty(key);
        };
        var SystemProperties = Java.use('android.os.SystemProperties');
        SystemProperties.get.overload('java.lang.String').implementation = function(key) {
            if (key in fakeProps) return fakeProps[key];
            return this.get(key);
        };
    });
Anti-debug
Common anti-debug checks:
- Android: Debug.isDebuggerConnected(), ptrace checks in native, looking for /proc/self/status TracerPid
- iOS: ptrace(PT_DENY_ATTACH), sysctl(KERN_PROC) to check P_TRACED flag
Bypass approaches: Frida's own -p attach does not rely on ptrace on recent versions, so many of these checks never fire. For stricter apps, hook the call itself:
    // iOS anti-anti-debug: neutralise ptrace(PT_DENY_ATTACH) and pass every
    // other request through to the real function
    var ptrace = Module.findExportByName('libsystem_kernel.dylib', 'ptrace');
    var origPtrace = new NativeFunction(ptrace, 'int', ['int', 'int', 'pointer', 'int']);
    Interceptor.replace(ptrace, new NativeCallback(function(request, pid, addr, data) {
        if (request === 31) { // PT_DENY_ATTACH
            console.log('[BYPASS] PT_DENY_ATTACH blocked');
            return 0;
        }
        // calling the target through a NativeFunction from inside the replacement
        // bypasses the hook and reaches the original implementation
        return origPtrace(request, pid, addr, data);
    }, 'int', ['int', 'int', 'pointer', 'int']));
    // Only the libsystem_kernel wrapper is replaced: an app that issues the
    // syscall directly (inline svc) never passes through this hook.
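To see what the native checks listed under root detection and anti-debug actually look like from the app's side (and why the Java-level hooks above do not reach them), here is an added example, not code from this module, of the TracerPid and file-existence checks written in C the way a JNI library would carry them; the path list and the status text are constructed for illustration.

```c
/* Added example: native root/debugger checks of the kinds listed above.
 * Written in C as a JNI library would, so hooks on File.exists or
 * Runtime.exec never see these calls. All paths below are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Parse the TracerPid field out of /proc/self/status text.
 * Returns the tracer's pid (0 = nobody attached), or -1 if the field is missing. */
int tracer_pid_from_status(const char *text) {
    const char *p = strstr(text, "TracerPid:");
    if (p == NULL) return -1;
    p += strlen("TracerPid:");
    while (*p == ' ' || *p == '\t') p++;
    return (int)strtol(p, NULL, 10);
}

/* Read /proc/self/status and report the attached tracer pid, -1 on error.
 * A value greater than 0 means a debugger or tracer is attached right now. */
int debugger_attached(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* File-existence pattern done natively: access() on each candidate path.
 * Returns the index of the first path present, or -1 if none exists. */
int first_present_path(const char *const *paths, int count) {
    for (int i = 0; i < count; i++)
        if (access(paths[i], F_OK) == 0) return i;
    return -1;
}

/* Constructed list of locations a root check typically probes. */
static const char *const root_paths[] = {
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/data/adb/magisk"
};

int root_artifacts_present(void) {
    return first_present_path(root_paths, 4) >= 0;
}

int main(void) {
    printf("tracer pid: %d\n", debugger_attached());
    printf("root artifacts: %s\n", root_artifacts_present() ? "yes" : "no");
    return 0;
}
```

Hooking the Java layer leaves these untouched, which is why the module points at Interceptor on stat, fopen and access for the native variant.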
Integrity checks (RASP)
RASP frameworks (Guardsquare DexGuard, Appdome, Promon Shield, Digital.ai) wrap the app with self-checks that detect tampering and exit. Characteristic signals: