LogoLogo
HomeArticlesCommunity ProductsPremium ProductsGitHubTalsec Website
  • Introduction
  • articles
    • AI Device Risk Summary Demo | Threat Protection | Risk Scoring | Malware Detection | Android & iOS
    • Podcast: iOS Keychain vs Android Keystore
    • Obfuscation of Mobile Apps
    • OWASP Top 10 For Flutter – M6: Inadequate Privacy Controls in Flutter & Dart
    • Simple Root Detection: Implementation and verification
    • OWASP Top 10 For Flutter - M5: Insecure Communication for Flutter and Dart
    • OWASP Top 10 For Flutter – M4: Insufficient Input/Output Validation in Flutter
    • OWASP Top 10 For Flutter – M3: Insecure Authentication and Authorization in Flutter
    • OWASP Top 10 For Flutter – M2: Inadequate Supply Chain Security in Flutter
    • OWASP Top 10 For Flutter - M1: Mastering Credential Security in Flutter
    • Hook, Hack, Defend: Frida’s Impact on Mobile Security & How to Fight Back
    • Emulators in Gaming: Threats and Detections
    • Exclusive Research: Unlocking Reliable Crash Tracking with PLCrashReporter for iOS SDKs
    • 🚀A Developer’s Guide to Implement End-to-End Encryption in Mobile Apps 🛡️
    • How to Block Screenshots, Screen Recording, and Remote Access Tools in Android and iOS Apps
    • Flutter Security 101: Restricting Installs to Protect Your App from Unofficial Sources
    • How to test a RASP? OWASP MAS: RASP Techniques Not Implemented [MASWE-0103]
    • How to implement Secure Storage in Flutter?
    • User Authentication Risks Coverage in Flutter Mobile Apps | TALSEE
    • Fact about the origin of the Talsec name
    • React Native Secure Boilerplate 2024: Ignite with freeRASP
    • Flutter CTO Report 2024: Flutter App Security Trends
    • Mobile API Anti-abuse Protection with AppiCrypt®: A New Play Integrity and DeviceCheck Alternative
    • Hacking and protection of Mobile Apps and backend APIs | 2024 Talsec Threat Modeling Exercise
    • Detect system VPNs with freeRASP
    • Introducing Talsec’s advanced malware protection!
    • Fraud-Proofing an Android App: Choosing the Best Device ID for Promo Abuse Prevention
    • Enhancing Capacitor App Security with freeRASP: Your Shield Against Threats 🛡️
    • Safeguarding Your Data in React Native: Secure Storage Solutions
    • Secure Storage: What Flutter can do, what Flutter could do
    • 🔒 Flutter Plugin Attack: Mechanics and Prevention
    • Protecting Your API from App Impersonation: Token Hijacking Guide and Mitigation of JWT Theft
    • Build secure apps in React Native
    • How to Hack & Protect Flutter Apps — Simple and Actionable Guide (Pt. 1/3)
    • How to Hack & Protect Flutter Apps — OWASP MAS and RASP. (Pt. 2/3)
    • How to Hack & Protect Flutter Apps — Steal Firebase Auth token and attack the API. (Pt. 3/3)
    • freeRASP meets Cordova
    • Philosophizing security in a mobile-first world
    • 5 Things John Learned Fighting Hackers of His App — A must-read for PM’s and CISO’s
    • Missing Hero of Flutter World
Powered by GitBook
LogoLogo

Company

  • General Terms and Conditions

Stay Connected

  • LinkedIn
  • X
  • YouTube
On this page
  • Introduction
  • What is Frida?
  • Using Frida
  • The power of Frida
  • Bypassing Root checks
  • Bypassing emulator checks
  • Bypassing SSL pinning:
  • Developments in Frida
  • Frida CodeShare
  • Tools based on Frida
  • Runtime Mobile Security tool
  • Medusa
  • Objection
  • freeRASP Protection
  • Frida detection with freeRASP
  • Conclusion

Was this helpful?

  1. articles

Hook, Hack, Defend: Frida’s Impact on Mobile Security & How to Fight Back

PreviousOWASP Top 10 For Flutter - M1: Mastering Credential Security in FlutterNextEmulators in Gaming: Threats and Detections

Last updated 3 months ago

Was this helpful?

Let's dive into Akshit Singh's insights on how Frida works, the risks it poses to mobile apps, and why effective Frida detection is crucial. This article highlights Talsec’s freeRASP as the #1 RASP solution by popularity, showcasing its advanced Frida-server detection and other security features that provide a robust defense against app tampering, ensuring real-time protection and resilience.

Introduction

In today's mobile security landscape, protecting applications is a constant cat-and-mouse game between defenders and attackers. Dynamic instrumentation tools like Frida have become a favourite weapon for adversaries, allowing them to hook into application processes, bypass security mechanisms, extract sensitive data, and manipulate runtime behavior . In response, developers implement Frida detection techniques like checking for suspicious libraries, unusual system calls, process injections, etc. However both sides continuously adapt to the methods of the other side and just start thinking about how to outsmart the other. This makes engineers dig deep to depths of working of these tools and overtake the other side.

Well, today we are going to dig deep inside such a tool that can tamper with any app's working and manipulate its code, giving the attackers an unfair advantage.

What is Frida?

Frida is a powerful dynamic instrumentation toolkit designed for cross-platform applications, supporting Android, iOS, Windows, Linux, and macOS. It allows developers, security researchers, and reverse engineers to analyze, modify, and manipulate applications at runtime. By injecting scripts into a running process, Frida enables real-time introspection of an application's internal functions, memory structures, and API calls. This makes it a valuable tool for debugging, security testing, and reverse engineering. With Frida, one can hook into functions, alter their behavior, or even bypass security mechanisms —all without modifying the application's original binary.

Here is a small script to demonstrate how frida works and hooks the application:

Java.perform(function() {
var TargetClass = Java.use('com.example.app.TargetClass');

    TargetClass.targetMethod.implementation = function(arg1, arg2) {
        console.log("[*] targetMethod called with args: " + arg1 + ", " + arg2);
        var result = this.targetMethod(arg1, arg2);
        console.log("[*] targetMethod returned: " + result);
        return result;
    };
});

This script hooks the targetMethod of the class TargetClass and prints out its arguments and the result whenever it is called inside the application with package name - com.example.app .

Frida is a tool that hooks the function of an application by injecting its own code inside the app. There are essentially two ways to tamper an app using frida-gadget patches or by using frida-server on the app's target device.

Using Frida

There are two ways to use Frida on an application on a device:

  • Patching an application to use Frida:

    • Decompile the application using apktool .

    • The target application has to be patched by moving the right version of frida-gadget inside the application as libfrida-gadget.so .

    • The decompiled app has to be aligned and signed again correctly using zipalign and jarsigner .

    • Now whenever the application runs it will be able to connect to the frida client running on a remote system.

  • Using frida-server

    • It is important to remember that this method might appear easier and simpler than the patching method but it only works in rooted devices.

    • Move the right version of frida-server into the device and execute the binary.

    • Connect to the frida-server through your local system using the frida command.

And voila you are ready to change the app without changing it :D

There are plenty of other tools that can be used for dynamic instrumentation of apps just like frida and they are too able to inject scripts into them during runtime. But what makes Frida unique is its integration with popular programming languages like Python and JavaScript, enabling powerful and flexible instrumentation:

Here are some examples of using frida in python:

  • This is the script that helps us to hook a function target_function() inside the native library libnative-lib.so embedded inside the application com.target.app :

import frida

# Payload
jscode = """
Interceptor.attach(Module.findExportByName("libnative-lib.so", "target_function"), {
    onEnter: function(args) {
        console.log("[*] Hooked target_function!");
        console.log("Arg[0]: " + args[0].toInt32());
        console.log("Arg[1]: " + args[1].readUtf8String());
        
        args[0] = ptr(1337);  // Change integer argument
        args[1].writeUtf8String("Hacked!");  // Change string argument
    },
    onLeave: function(retval) {
        console.log("Original return value: " + retval.toInt32());
        retval.replace(42); //Changing the return value
    }
});
"""
device = frida.get_usb_device()
session = device.attach("com.target.app") 
script = session.create_script(jscode)
script.load()
  • This is similar to hooking a java method inside the application during runtime but instead of attaching through the classes we use interceptors to be able to load the native non-static methods first and then hook them.

  • The similar code can be written in js:

const frida = require('frida');

async function main() {
    const device = await frida.getUsbDevice();
    const session = await device.attach("com.target.app");
    const scriptCode = `
        Interceptor.attach(Module.findExportByName("libnative-lib.so", "target_function"), {
            onEnter: function(args) {
                console.log("[*] Hooked function called!");
                console.log("Arg[0]: " + args[0].toInt32());
            }
        });
    `;

    const script = await session.createScript(scriptCode);
    script.message.connect(message => console.log(message));
    await script.load();

    console.log("[+] Hook installed!");
}
main();

These dependencies of frida in languages like Python and JS make frida more powerful and efficient and even more compatible to be integrated with other advanced tools.

The power of Frida

Frida can be used to tamper with various functions inside the app in runtime also allowing us to bypass many checks and protections like Root checks, SSL pinning and Emulator checks.

Bypassing Root checks

Below is an example of one of the script that can be used to bypass root check in a library named JailMonkey that intends to detect rooted devices:

Java.perform(() => {
    try {
        const klass = Java.use("com.gantix.JailMonkey.JailMonkeyModule");
        const hashmap_klass = Java.use("java.util.HashMap");
        const false_obj = Java.use("java.lang.Boolean").FALSE.value;

        klass.getConstants.implementation = function () {
            var h = hashmap_klass.$new();
            h.put("isJailBroken", false_obj);
            h.put("hookDetected", false_obj);
            h.put("canMockLocation", false_obj);
            h.put("isOnExternalStorage", false_obj);
            h.put("AdbEnabled", false_obj);
            return h;
        };
    } catch (error) {
        console.error("An error occurred:", error);
    }
});

The above script hooks into the main class of the module and changes the implementation of the getConstants function to acquire the values of all the final detection variables as false. So it actually does not matter whether it detects root or not. It will show it as false as its final variables values are changed.

Bypassing emulator checks

The above script has a function that is able to bypass emulator checks in various security modules by setting up fake device names, brand names, product names and other fake values inside the device properties to throw the detector off.

Bypassing SSL pinning:

The above script is the smaller and more specific version of the SSL pinning bypass script that is effective in the Android Conscrypt security provider module. It hooks the TrustManagerImpl class and returns a null array instead of the array that the method should have returned to do SSL pinning encryption.

Developments in Frida

Frida was developed by Ole André V. Ravnås . Being the most used and famous tool in the field of mobile reverse engineering and security research, Frida has undergone many feature additions as well as upgrades that has improved the tool furthermore.

    • This is a prominent improvement by the frida community that has solved the problem of VM spawning overhead.

    • Whenever we try to load a script into the target application or try to inject some code using Frida then it has to first spawn a js v8 engine and then execute the script inside it. This creates a large overhead that makes script execution very slower and the execution of large scripts very longer and memory extensive.

    • frida-rust on the other hand does'nt have the problem of spawning any VM engine as it maintains a persistent session with the application and can communicate with the C APIs directly, increasing its speed many times compared to before.

  • Updates in frida-server

    • There are many scripts that are out there claiming to be able to detect frida-server running on the device by communicating with it using its protocol.

    • Maybe this is the reason that frida-server implementation was updated. It can now run on any port instead of a default port and its method of communication was changed making frida-server undetectable again. But is it really undetectable??

Frida CodeShare

Frida CodeShare is a community-driven platform where security researchers and developers share ready-to-use Frida scripts for various purposes, including reverse engineering, penetration testing, and debugging. The platform hosts a vast collection of scripts that help automate tasks such as bypassing root detection, decrypting network traffic, intercepting function calls, and modifying app behavior at runtime.

Scripts like Universal Android SSL pinning bypass, aesinfo and ObjC method observer (objective-C method hooking) are available on this site.

  • The Universal Android SSL pinning bypass

This script automates the process of pushing the Burpsuite certificate as a custom certificate on the device to be able to proxy the requests made by the target application.

It does this by making a custom Keystore and TrustManager so that the app does not verify the SSL certificate it is using.

  • aesinfo

This script is able to detect the AES encryption in any application by hooking into the cryptographic classes of Java like: Cipher,SecretKeySpec,IvParameterSpec to gather the info regarding the Key, IV and the Ciphertext fed into the methods of these classes and then changes the implementation of the doFinal method that is responsible for the encryption/decryption of the ciphertext.

Tools based on Frida

Runtime Mobile Security tool

  • It automatically detects the connected devices and the packages inside them helping the user to just interact with drop down menus and use default scripts to tamper with the apps.

  • This is a web interface tool that is user-friendly and has a number of frida scripts that can be used by just a click.

  • It makes filtering and scripting much easier as compared to using frida command line tool.

Medusa

Medusa is an advanced Frida-based wrapper tool designed for dynamic instrumentation of mobile applications.

  • It has stored database of useful frida scripts that can be executed just by executing a command.

    • It not only parses or enumerates the important files of an Android package but it also identify common attack vectors inside it.

    • Its Python-based design makes it more user-friendly and easy to work with.

Objection

  • This is also a wrapper of frida tool that makes it easier to execute scripts like bypassing SSL pinning or anti-root checks and even makes it easier to patch the applications by embedding libfrida-gadget.so inside the app.

    • It is a command-line tool that works without root access or jailbreaking the target app's device, helping us to perform penetration testing and malware analysis.

  • These are some general commands of using objection:

    • objection patchapk --source target.apk is to patch the target application to use frida in it.

    • android bypass root bypasses antiroot checks on the app.

    • android sslpinning disable bypasses ssl pinning on the device.

    • android sharedpreferences get dumps all the stored credentials in the target app.

freeRASP Protection

freeRASP is #1 RASP by popularity - free Runtime Application Self-Protection solution for all Android and iOS apps. Whether it is rooting, hooking, emulating, tampering or any other malicious practice inside the device that may harm the application, nothing can beat the RASP technology used by freeRASP.

Frida detection with freeRASP

Patching an application using Objection or frida-Gadget can be a complex process, as it requires resigning and correctly aligning the app.

On the other hand, running frida-server and interacting with the app through it is a much easier approach. This is why most users, including attackers, prefer using Frida-server on a rooted device to instrument applications.

Detecting frida-server is challenging because it allows communication on any port , and its recent updates have introduced new communication methods, making detection even more difficult.

However, frida-server isn't completely undetectable . Talsec's RASP (Runtime Application Self-Protection) technology is designed to spot it, no matter which port or communication method it uses. Also it doesn't just stop there—it also blocks attackers from using other tricks, like Objection patches, to manipulate the app.

This makes it a reliable defense against attackers using Frida, Objection, Medusa, and other hooking tools to compromise apps.

Conclusion

Frida is a powerful tool for dynamic instrumentation, allowing real-time analysis and modification of applications across multiple platforms. While invaluable for security researchers and developers, its capabilities can also be exploited by malicious actors to bypass restrictions, manipulate runtime behavior, and compromise app security. Without robust protection, applications remain vulnerable to these sophisticated attacks.

This is where Talsec's freeRASP becomes essential. With cutting-edge security features like Frida-server detection, Emulator detection, Root detection, and Developer Mode detection, freeRASP acts as a proactive defense layer, shielding applications from unauthorized tampering and advanced threats. By leveraging RASP (Runtime Application Self-Protection) technology, freeRASP ensures that your app remains secure, resilient, and protected in real time—making it a necessity, not an option.

Trusted by developers worldwide, freeRASP is the #1 RASP solution by popularity, setting the standard for in-app protection.

frida-rust :

Just try to integrate freeRASP into one of your application using and use the methods like onRootDetected or onHookDetected to check your device in just a few moments.

https://codeshare.frida.re/@fdciabdul/frida-multiple-bypass
https://codeshare.frida.re/@sowdust/universal-android-ssl-pinning-bypass-2
https://github.com/frida/frida-rust
https://codeshare.frida.re
https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida
https://codeshare.frida.re/@dzonerzy/aesinfo
https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security
https://github.com/medusajs/medusa
https://github.com/sensepost/objection
https://www.talsec.app/freerasp-in-app-protection-security-talsec
https://docs.talsec.app/freerasp
Hook, Hack, Defend: Frida's Impact on Mobile Security & How to Fight Back
Frida Logo
Frida Prompt
Runtime Mobile Security - Device Settings Panel
RMS - Workspace
Medusa Logo
Objection Logo
Objection Tooltip