Android App Penetration Testing & Frida Hooks

Beyond Basic Hooks: Dynamic Instrumentation with Objection for Stealthy Root Evasion

By Antigravity Research Published May 29, 2026 ⏱️ 7 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to Android Root Detection and Evasion

Root detection is a pervasive security measure implemented in many Android applications to prevent their execution on rooted devices. For penetration testers, bypassing these checks is a critical step to gain full access and analyze an application’s behavior and vulnerabilities. While tools like Objection offer convenient one-liner commands for common bypasses, advanced applications often employ more sophisticated, multi-layered root detection mechanisms that require a more dynamic and targeted approach. This article delves into leveraging Objection’s dynamic instrumentation capabilities with custom Frida scripts to stealthily evade even complex root detection implementations.

Understanding Common Root Detection Mechanisms

Before we bypass, we must understand. Android applications typically employ a combination of methods to detect a rooted environment:

  • File-Based Checks: Searching for known root binaries or files, such as /system/bin/su, /system/xbin/su, /sbin/su, /etc/magisk, or /data/local/tmp/busybox.
  • Package-Based Checks: Looking for installed root management applications like Magisk Manager (com.topjohnwu.magisk) or SuperSU (eu.chainfire.supersu).
  • Property Checks: Examining system properties for indicators of root or an emulator, e.g., ro.build.tags containing ‘test-keys’ or ro.secure being ‘0’.
  • Signature Checks: Verifying system libraries or framework components for unofficial modifications.
  • Emulator/Debugger Detection: Often intertwined with root detection, checking for common emulator artifacts or debugger presence.
  • Native Library Checks: Performing root checks within native C/C++ libraries, making them harder to inspect with Java-level hooks.

The Limits of Basic Objection Commands

Objection provides fantastic shortcuts, such as android root disable and android sslpinning disable. While these are effective against many standard implementations, they are essentially pre-packaged Frida scripts that target commonly known methods. If an application uses custom class names, obfuscated logic, or unique combinations of detection methods, these one-liners might fall short. This is where dynamic instrumentation with custom scripts becomes indispensable.

# Basic objection command, often insufficient for complex casesobjection --gadget "com.example.app" explore --startup-command "android root disable"

Setting Up Your Environment

To follow along, ensure you have:

  1. A rooted Android device or emulator.
  2. ADB (Android Debug Bridge) installed and configured.
  3. Frida server running on the Android device.
  4. Frida tools (frida-tools) and Objection installed on your host machine.
# Start frida-server on device (assuming push via adb already done)adb shell "/data/local/tmp/frida-server -D"# Verify frida-server is runningfrida-ps -Uai# Launch objection (replace 'com.example.app' with your target package)objection --gadget "com.example.app" explore

Dynamic Instrumentation: Unveiling and Bypassing Custom Checks

Step 1: Identifying the Root Detection Logic

The first step is to locate the methods responsible for root detection. Objection’s android hooking search commands are invaluable here.

  • Search for Keywords: Start by searching for common root-related keywords within classes and methods. For example, ‘root’, ‘su’, ‘magisk’, ‘jailbreak’.
android hooking search classes Rootandroid hooking search methods isRooted

Let’s assume we find a class named com.example.app.security.RootChecker with a method public boolean checkDeviceRoot().

Step 2: Exploring the Method’s Behavior

Once identified, we can try to understand what the method does using various techniques:

  • Tracing: Use android hooking watch class_method com.example.app.security.RootChecker.checkDeviceRoot to see when and how it’s called.
  • Decompilation: Use a decompiler like Jadx or Ghidra to analyze the APK and understand the internal logic of RootChecker.checkDeviceRoot(). This will often reveal the exact file paths or package names it checks.

For instance, decompilation might show a check like:

// Example Java code snippet (from decompilation)public class RootChecker {    public boolean checkDeviceRoot() {        // Check for su binary        String[] paths = {"/system/bin/su", "/system/xbin/su"};        for (String path : paths) {            if (new File(path).exists()) {                return true;            }        }        // Check for Magisk package        try {            getPackageManager().getPackageInfo("com.topjohnwu.magisk", 0);            return true;        } catch (PackageManager.NameNotFoundException e) {            // Package not found, continue        }        return false;    }}

Step 3: Crafting a Custom Frida Script

Now that we know the target (com.example.app.security.RootChecker.checkDeviceRoot()) and its expected behavior (returns true if rooted), we can write a custom Frida script to modify its return value.

Create a file named root_bypass.js:

/* root_bypass.js */Java.perform(function() {    console.log("[*] Attaching to RootChecker.checkDeviceRoot()");    var RootChecker = Java.use('com.example.app.security.RootChecker');    RootChecker.checkDeviceRoot.implementation = function() {        console.log("[+] RootChecker.checkDeviceRoot() called. Bypassing!");        return false; // Force it to return false, indicating no root    };    console.log("[*] RootChecker.checkDeviceRoot() hooked successfully.");});

Step 4: Executing the Custom Script with Objection

With the script ready, use Objection’s job run command to inject and execute it into the running application process.

# In your objection session:job run root_bypass.js

You should see the console logs from your script, indicating it has attached and is ready to bypass. Now, whenever the application calls checkDeviceRoot(), our hook will intercept it and force it to return false.

Advanced Technique: Targeted File.exists() Hooking

What if the app uses multiple file checks, and we don’t want to blindly return false for a generic root checking method, or what if the root checking logic is dispersed? We can hook low-level file operations and selectively modify their behavior.

Consider an app checking specifically for /system/bin/su using java.io.File.exists().

Create a file named stealthy_file_bypass.js:

/* stealthy_file_bypass.js */Java.perform(function() {    console.log("[*] Attaching to java.io.File.exists()");    var File = Java.use('java.io.File');    File.exists.implementation = function() {        var path = this.getPath();        // Check if the file path is a known root indicator        if (path.includes("/su") || path.includes("magisk") || path.includes("busybox")) {            console.log("[+] Intercepted check for root file: " + path + ". Bypassing!");            return false; // Lie, say it doesn't exist        }        // For all other files, call the original method        return this.exists.call(this);    };    console.log("[*] java.io.File.exists() hooked successfully.");});

Execute this with Objection:

job run stealthy_file_bypass.js

This approach is stealthier as it only interferes with specific root-related file checks, leaving other file system operations undisturbed. This can be crucial for apps that might detect broad-stroke hooking.

Best Practices and Considerations

  • Targeted Hooking: Always aim for the most specific hook possible. Broad hooks (e.g., hooking File.exists() without path filtering) can have unintended side effects and may crash the application.
  • Deobfuscation: Many production apps use obfuscators like ProGuard or DexGuard. You’ll need to deobfuscate the APK first or use tools like Objection’s android hooking search classes -s <keyword> to find the obfuscated names.
  • Native Checks: If root detection is implemented in native libraries, you’ll need to use Frida’s Interceptor API to hook C/C++ functions. This is a more advanced topic but follows the same principle of identifying the target and modifying its behavior.
  • Persistence: Some apps re-check root status dynamically. Ensure your hooks are persistent throughout the application’s lifecycle, or re-run them if necessary.

Conclusion

While Objection’s basic root evasion features are a great starting point, understanding and utilizing its dynamic instrumentation capabilities with custom Frida scripts unlocks a new level of power for Android penetration testing. By carefully identifying root detection logic and crafting targeted hooks, you can effectively bypass even sophisticated and custom root checks, gaining the necessary access to thoroughly analyze and secure mobile applications. This expert-level approach transforms you from a user of pre-defined tools to a master of dynamic code manipulation.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Pentesting #Dynamic Instrumentation #Frida #Objection #Root Detection Bypass

Related Technical Guides

Advanced IPC Pivoting: Chaining Android Components for Multi-Stage Exploits

May 29, 2026

Targeted Memory Dumping: Pinpointing Specific Data Structures in Android Apps with Frida

May 30, 2026

Zero-Touch Vuln Discovery: An Automated Android Reverse Engineering Workshop

May 29, 2026