Frida Android basics

This article introduces the basics about how to use Frida on Android platform.

About Frida

Frida is a great tool working on Windows, macOS and GNU/Linux allowing you to inject snippets of code into native apps. In this tutorial we’ll use Frida to inject code into Android applications.

Frida has 2 work modes, one is client-server, the other is gadget mode.

Server mode

The server runs on the Android phone and the client on your computer. Note that you need a phone or an Android emulator that rooted.

Frida installation

Installing Frida on your computer is a super easy:

1
$ pip install frida-tools

Note that the latest Python 3 is recommended. Lets check which version is installed:

1
$ frida --version

And we need to find the architecture of you phone.

1
$ adb shell getprop ro.product.cpu.abi

Now, we need to install the server on our Android phone. Visit frida release page, and find a file named like “frida-server-XX.XX.XX-android-YYYY.xz”. ‘XX.XX.XX’ is the version of your installed frida, and YYYY is the architecture of your Android device. Note frida server version should be better to match the frida version on you computer.
We uncompress the archive and rename the server to “frida-server”
And install the server on the phone:

1
2
3
$ adb root # might be required
$ adb push frida-server /data/local/tmp/
$ adb shell "chmod 777 /data/local/tmp/frida-server"

Now try to start the server.

1
adb shell "/data/local/tmp/frida-server &"

Frida test

Run the following command to list all applications on your Android device:

1
frida-ps -Uai

Gadget mode

This mode needs not a rooted android device, but need to repackage APKs you wnat to hack.

Download Gadget file

Also visit frida release page, and find a file named like “frida-gadget-XX.XX.XX-android-YYYY.so.xz”. ‘XX.XX.XX’ is the version of your installed frida, and YYYY is the architecture of your Android device.
We uncompress the archive and rename the so to “libgadget.so”

Inject libgadget.so to your APK

Try to find any native library file in you APK, and inject libgadget.so to it.
The following is a Python script to inject libgadget.so, just add libgadget.so as a dependency of a native libraries embedded in the APK.

1
2
3
4
import lief # you can install lief package with `pip install lief`
libnative = lief.parse("libnative.so") # you should replace libnative.so to you actual so file name
libnative.add_library("libgadget.so") # Injection!
libnative.write("libnative.so")

Write a gadget config file

Create a file name with ‘libgadget.config.so’. and put the following content in it:

1
2
3
4
5
6
{
"interaction": {
"type": "listen",
"on_load": "wait"
}
}

And copy this file into same directory with your patched libnative.so in.

Repackage APK file

There are many APK repackage utils. I prefer APK easy Tool

Frida test

If you install patched APK to your Android device and open it.
The app seems it sucks, don’t be worry, it’s waiting for you to run frida client to connect it.
Run the following command, you will find a process with a name ‘Gadget’.

1
frida-ps -Uai

This process just is your patched APK, and we can not see other applications, because we’re not root now

Getting started with Frida

Write a javascript file you want to inject

The content of the test javascript file (named tt.js)

1
console.log('hello world')

Inject javascript code to an Android process

Frida provides serval utils to let us life easy. One of them is ‘frida’.
Run the following command to connect to your wait process in gadget mode

1
frida -U -n Gadget -l tt.js --no-pause 

You will see a frida shell, and it print ‘hello world’
For client/server mode, you should run frida with other options:

1
frida -U -f <package name> -l tt.js --no-pause  # this command will reopen your app

or

1
frida -U -n <app title> -l tt.js --no-pause  # this command do not reopen your app

Conclusion

Now we can inject a basic javascript code into an Android app, you can refer frida Javascript documentation for more learning.