Listen to this Post
Introduction:
In the evolving landscape of mobile application security, dynamic analysis has become a cornerstone for identifying runtime vulnerabilities. It allows security professionals to inspect and manipulate an application’s behavior in real-time, uncovering flaws that static analysis might miss. This article provides a technical walkthrough for setting up Frida and Objection, two powerful tools for dynamic analysis, on both rooted emulators and non-rooted Android devices, enabling testers to bypass security controls and perform effective runtime instrumentation.
Learning Objectives:
- Understand the role of Frida and Objection in mobile application security testing.
- Learn to set up a dynamic analysis environment on rooted Android emulators.
- Master the configuration of Frida and Objection on non-rooted Android devices.
- Acquire practical skills to perform hooking and bypass common security mechanisms.
You Should Know:
- Setting Up Frida on a Rooted Android Emulator
This section extends the original post’s guidance, providing a detailed setup for a rooted environment, which is the most common starting point for dynamic analysis. We will use an Android Virtual Device (AVD) with root access.
Step‑by‑step guide explaining what this does and how to use it:
- Create a Rooted Emulator: In Android Studio, create an AVD with a Google APIs Intel Atom (x86) system image. These images typically have root access. Start the emulator.
- Verify Root Access: Open a shell on the emulator using
adb shell. Once inside, run the `su` command. If the prompt changes from `$` to “, you have root access.adb shell su
- Download the Frida Server: From the official Frida releases page, download the correct Frida server binary for the emulator’s architecture (usually `frida-server-x.x.x-android-x86.xz` for x86 emulators). Extract the binary.
Example for a specific version (adjust as needed) wget https://github.com/frida/frida/releases/download/x.x.x/frida-server-x.x.x-android-x86.xz xz -d frida-server-x.x.x-android-x86.xz
- Push and Run Frida Server: Push the binary to the device and make it executable.
adb push frida-server-x.x.x-android-x86 /data/local/tmp/ adb shell "chmod 755 /data/local/tmp/frida-server"
- Start Frida Server: In your `adb shell` with root (“), run the server in the background.
/data/local/tmp/frida-server &
- Port Forwarding (Optional but Recommended): On your host machine, forward the port to communicate with the Frida server.
adb forward tcp:27042 tcp:27042
- Verify Installation: On your host machine, run
frida-ps -U. You should see a list of running processes on the emulator. This confirms Frida is working. -
Setting Up Frida on a Non-Rooted Android Device
Testing on a non-rooted device presents more challenges, as Frida cannot run as a system service. The solution is to embed the Frida gadget into the application itself.
Step‑by‑step guide explaining what this does and how to use it:
- Prepare the APK: Obtain the target application’s APK file. You will need to repackage it with the Frida gadget.
- Download Frida Gadget: From the same Frida releases page, download the `frida-gadget-x.x.x-android-
.so` file matching your device’s architecture (e.g., arm64).
3. Repackage the APK with apktool:
Decompile the APK: `apktool d target_app.apk -o target_app/`
Copy the Frida gadget `.so` file into the appropriate library folder within the decompiled project (e.g., `target_app/lib/armeabi-v7a/` for 32-bit ARM).
Edit the AndroidManifest.xml to add the `android:extractNativeLibs=”true”` attribute to the `
Rebuild the APK: `apktool b target_app/ -o target_app_repackaged.apk`
4. Sign the APK: Repackaged APKs need to be signed to be installed. Use `jarsigner` or apksigner.
Generate a keystore if you don't have one keytool -genkey -v -keystore my.keystore -alias my_alias -keyalg RSA -keysize 2048 -validity 10000 Sign the APK jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my.keystore target_app_repackaged.apk my_alias
5. Install and Run: Install the repackaged, signed APK on your non-rooted device. When you launch the app, the Frida gadget will be loaded, allowing you to connect to it.
6. Connect with Frida: By default, the gadget listens on a local socket. Use Frida with the `-R` flag to connect.
frida-ps -R frida -R -f com.example.app
3. Using Objection for Runtime Exploration
Objection is a runtime mobile exploration toolkit powered by Frida. It simplifies many common dynamic analysis tasks.
Step‑by‑step guide explaining what this does and how to use it:
- Install Objection: It’s a Python tool, so install it via pip.
pip3 install objection
- Explore a Running App: Connect to a Frida server (e.g., on a rooted device/emulator). First, identify the package name.
frida-ps -U | grep -i appname objection -g com.example.app explore
- Common Objection Commands: Once inside the Objection REPL, you can run numerous commands.
`env` – Show the application’s environment.
`ios hooking list classes` or `android hooking list classes` – List loaded classes.
`android hooking list class_methods com.example.targetclass` – List methods of a specific class.
`android hooking watch class_method com.example.targetclass.secretMethod –dump-args –dump-return` – Hook a method and dump its arguments and return value.
`android sslpinning disable` – Attempt to bypass certificate pinning.
`android root disable` – Attempt to bypass root detection.
4. Bypassing Certificate Pinning with Frida
Certificate pinning is a common security control that dynamic analysis must often bypass to intercept HTTPS traffic.
Step‑by‑step guide explaining what this does and how to use it:
- Find or Write a Frida Script: The community has created many scripts to bypass pinning. A simple script for Android might involve hooking the `checkServerTrusted` method of common `TrustManager` implementations.
2. Sample Frida Script (universal-android-ssl-pinning-bypass.js):
// This is a simplified conceptual snippet. Full scripts are available on GitHub (e.g., from Ftrace).
Java.perform(function() {
var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
TrustManagerImpl.verifyChain.implementation = function(chain, authType, host, clientAuth, ocspData, tlsSctData) {
console.log('[+] Bypassing certificate verification for: ' + host);
return chain; // Simply return the chain without full verification
};
});
3. Run the Script with Frida:
frida -U -f com.example.app -l universal-android-ssl-pinning-bypass.js --no-pause
This command launches the app (-f), loads the script (-l), and starts immediately. You can now intercept traffic in a proxy like Burp Suite.
What Undercode Say:
- Dynamic analysis tools like Frida and Objection are indispensable for modern mobile app security assessments, revealing hidden runtime behaviors.
- The choice between rooted and non-rooted setups significantly impacts the testing methodology and complexity; mastering both is crucial for a comprehensive evaluation.
- Bypassing client-side controls like root detection and certificate pinning is often the first step in a successful dynamic analysis engagement, enabling testers to uncover deeper server-side or logic flaws.
Prediction:
As mobile apps become more intertwined with AI and cloud services, dynamic analysis will evolve to intercept and manipulate encrypted machine learning models on-device and API calls to cloud endpoints. Tools like Frida will likely integrate more deeply with cloud security frameworks and AI interpretability libraries, shifting the focus from simple control bypasses to complex, cross-platform runtime intelligence gathering to secure the entire mobile+cloud ecosystem.
▶️ Related Video (82% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Vaibhavi V – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
