Hook, Hack, Defend: Frida’s Impact on Mobile Security & How to Fight Back
Last updated
Was this helpful?
Last updated
Was this helpful?
Let's dive into Akshit Singh's insights on how Frida works, the risks it poses to mobile apps, and why effective Frida detection is crucial. This article highlights Talsec’s freeRASP as the #1 RASP solution by popularity, showcasing its advanced Frida-server detection and other security features that provide a robust defense against app tampering, ensuring real-time protection and resilience.
In today's mobile security landscape, protecting applications is a constant cat-and-mouse game between defenders and attackers. Dynamic instrumentation tools like Frida have become a favourite weapon for adversaries, allowing them to hook into application processes, bypass security mechanisms, extract sensitive data, and manipulate runtime behavior . In response, developers implement Frida detection techniques like checking for suspicious libraries, unusual system calls, process injections, etc. However both sides continuously adapt to the methods of the other side and just start thinking about how to outsmart the other. This makes engineers dig deep to depths of working of these tools and overtake the other side.
Well, today we are going to dig deep inside such a tool that can tamper with any app's working and manipulate its code, giving the attackers an unfair advantage.
Frida is a powerful dynamic instrumentation toolkit designed for cross-platform applications, supporting Android, iOS, Windows, Linux, and macOS. It allows developers, security researchers, and reverse engineers to analyze, modify, and manipulate applications at runtime. By injecting scripts into a running process, Frida enables real-time introspection of an application's internal functions, memory structures, and API calls. This makes it a valuable tool for debugging, security testing, and reverse engineering. With Frida, one can hook into functions, alter their behavior, or even bypass security mechanisms —all without modifying the application's original binary.
Here is a small script to demonstrate how frida works and hooks the application:
This script hooks the targetMethod of the class TargetClass and prints out its arguments and the result whenever it is called inside the application with package name - com.example.app .
Frida is a tool that hooks the function of an application by injecting its own code inside the app. There are essentially two ways to tamper an app using frida-gadget patches or by using frida-server on the app's target device.
There are two ways to use Frida on an application on a device:
Patching an application to use Frida:
Decompile the application using apktool .
The target application has to be patched by moving the right version of frida-gadget inside the application as libfrida-gadget.so .
The decompiled app has to be aligned and signed again correctly using zipalign and jarsigner .
Now whenever the application runs it will be able to connect to the frida client running on a remote system.
Using frida-server
It is important to remember that this method might appear easier and simpler than the patching method but it only works in rooted devices.
Move the right version of frida-server into the device and execute the binary.
Connect to the frida-server through your local system using the frida command.
And voila you are ready to change the app without changing it :D
There are plenty of other tools that can be used for dynamic instrumentation of apps just like frida and they are too able to inject scripts into them during runtime. But what makes Frida unique is its integration with popular programming languages like Python and JavaScript, enabling powerful and flexible instrumentation:
Here are some examples of using frida in python:
This is the script that helps us to hook a function target_function() inside the native library libnative-lib.so embedded inside the application com.target.app :
This is similar to hooking a java method inside the application during runtime but instead of attaching through the classes we use interceptors to be able to load the native non-static methods first and then hook them.
The similar code can be written in js:
These dependencies of frida in languages like Python and JS make frida more powerful and efficient and even more compatible to be integrated with other advanced tools.
Frida can be used to tamper with various functions inside the app in runtime also allowing us to bypass many checks and protections like Root checks, SSL pinning and Emulator checks.
Below is an example of one of the script that can be used to bypass root check in a library named JailMonkey that intends to detect rooted devices:
The above script hooks into the main class of the module and changes the implementation of the getConstants function to acquire the values of all the final detection variables as false. So it actually does not matter whether it detects root or not. It will show it as false as its final variables values are changed.
https://codeshare.frida.re/@fdciabdul/frida-multiple-bypass
The above script has a function that is able to bypass emulator checks in various security modules by setting up fake device names, brand names, product names and other fake values inside the device properties to throw the detector off.
https://codeshare.frida.re/@sowdust/universal-android-ssl-pinning-bypass-2
The above script is the smaller and more specific version of the SSL pinning bypass script that is effective in the Android Conscrypt security provider module. It hooks the TrustManagerImpl class and returns a null array instead of the array that the method should have returned to do SSL pinning encryption.
Frida was developed by Ole André V. Ravnås . Being the most used and famous tool in the field of mobile reverse engineering and security research, Frida has undergone many feature additions as well as upgrades that has improved the tool furthermore.
frida-rust : https://github.com/frida/frida-rust
This is a prominent improvement by the frida community that has solved the problem of VM spawning overhead.
Whenever we try to load a script into the target application or try to inject some code using Frida then it has to first spawn a js v8 engine and then execute the script inside it. This creates a large overhead that makes script execution very slower and the execution of large scripts very longer and memory extensive.
frida-rust on the other hand does'nt have the problem of spawning any VM engine as it maintains a persistent session with the application and can communicate with the C APIs directly, increasing its speed many times compared to before.
Updates in frida-server
There are many scripts that are out there claiming to be able to detect frida-server running on the device by communicating with it using its protocol.
Maybe this is the reason that frida-server implementation was updated. It can now run on any port instead of a default port and its method of communication was changed making frida-server undetectable again. But is it really undetectable??
Frida CodeShare is a community-driven platform where security researchers and developers share ready-to-use Frida scripts for various purposes, including reverse engineering, penetration testing, and debugging. The platform hosts a vast collection of scripts that help automate tasks such as bypassing root detection, decrypting network traffic, intercepting function calls, and modifying app behavior at runtime.
Scripts like Universal Android SSL pinning bypass, aesinfo and ObjC method observer (objective-C method hooking) are available on this site.
The Universal Android SSL pinning bypass
https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida
This script automates the process of pushing the Burpsuite certificate as a custom certificate on the device to be able to proxy the requests made by the target application.
It does this by making a custom Keystore and TrustManager so that the app does not verify the SSL certificate it is using.
aesinfo
https://codeshare.frida.re/@dzonerzy/aesinfo
This script is able to detect the AES encryption in any application by hooking into the cryptographic classes of Java like: Cipher,SecretKeySpec,IvParameterSpec to gather the info regarding the Key, IV and the Ciphertext fed into the methods of these classes and then changes the implementation of the doFinal method that is responsible for the encryption/decryption of the ciphertext.
https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security
It automatically detects the connected devices and the packages inside them helping the user to just interact with drop down menus and use default scripts to tamper with the apps.
This is a web interface tool that is user-friendly and has a number of frida scripts that can be used by just a click.
It makes filtering and scripting much easier as compared to using frida command line tool.
https://github.com/medusajs/medusa
Medusa is an advanced Frida-based wrapper tool designed for dynamic instrumentation of mobile applications.
It has stored database of useful frida scripts that can be executed just by executing a command.
It not only parses or enumerates the important files of an Android package but it also identify common attack vectors inside it.
Its Python-based design makes it more user-friendly and easy to work with.
https://github.com/sensepost/objection
This is also a wrapper of frida tool that makes it easier to execute scripts like bypassing SSL pinning or anti-root checks and even makes it easier to patch the applications by embedding libfrida-gadget.so inside the app.
It is a command-line tool that works without root access or jailbreaking the target app's device, helping us to perform penetration testing and malware analysis.
These are some general commands of using objection:
objection patchapk --source target.apk is to patch the target application to use frida in it.
android bypass root bypasses antiroot checks on the app.
android sslpinning disable bypasses ssl pinning on the device.
android sharedpreferences get dumps all the stored credentials in the target app.
https://www.talsec.app/freerasp-in-app-protection-security-talsec
freeRASP is #1 RASP by popularity - free Runtime Application Self-Protection solution for all Android and iOS apps. Whether it is rooting, hooking, emulating, tampering or any other malicious practice inside the device that may harm the application, nothing can beat the RASP technology used by freeRASP.
Just try to integrate freeRASP into one of your application using https://docs.talsec.app/freerasp and use the methods like onRootDetected or onHookDetected to check your device in just a few moments.
Patching an application using Objection or frida-Gadget can be a complex process, as it requires resigning and correctly aligning the app.
On the other hand, running frida-server and interacting with the app through it is a much easier approach. This is why most users, including attackers, prefer using Frida-server on a rooted device to instrument applications.
Detecting frida-server is challenging because it allows communication on any port , and its recent updates have introduced new communication methods, making detection even more difficult.
However, frida-server isn't completely undetectable . Talsec's RASP (Runtime Application Self-Protection) technology is designed to spot it, no matter which port or communication method it uses. Also it doesn't just stop there—it also blocks attackers from using other tricks, like Objection patches, to manipulate the app.
This makes it a reliable defense against attackers using Frida, Objection, Medusa, and other hooking tools to compromise apps.
Frida is a powerful tool for dynamic instrumentation, allowing real-time analysis and modification of applications across multiple platforms. While invaluable for security researchers and developers, its capabilities can also be exploited by malicious actors to bypass restrictions, manipulate runtime behavior, and compromise app security. Without robust protection, applications remain vulnerable to these sophisticated attacks.
This is where Talsec's freeRASP becomes essential. With cutting-edge security features like Frida-server detection, Emulator detection, Root detection, and Developer Mode detection, freeRASP acts as a proactive defense layer, shielding applications from unauthorized tampering and advanced threats. By leveraging RASP (Runtime Application Self-Protection) technology, freeRASP ensures that your app remains secure, resilient, and protected in real time—making it a necessity, not an option.
Trusted by developers worldwide, freeRASP is the #1 RASP solution by popularity, setting the standard for in-app protection.
.avif?alt=media&token=9bda6e5c-46ef-4844-a209-6aaea03071b4)
.avif?alt=media&token=ecaeb274-83e8-4bdd-a1b5-93073347ee67)
.avif?alt=media&token=aeca8b91-f86a-46c8-8155-a621dedddf47)
