Introduction to Android NDK, JNI, Ghidra, and Frida
Android’s Native Development Kit (NDK) allows developers to implement parts of their applications using native code languages like C and C++. This is often done for performance-critical sections, code obfuscation, or leveraging existing native libraries. The Java Native Interface (JNI) acts as the bridge, enabling Java code to interact with these native libraries. Reverse engineering these native components is crucial for security researchers, penetration testers, and anyone looking to understand proprietary application logic or uncover vulnerabilities. This article provides a comprehensive guide, from beginner concepts to advanced techniques, leveraging Ghidra for static analysis and Frida for dynamic instrumentation.
Why Reverse Engineer NDK/JNI?
- Security Research: Discover vulnerabilities in native code, such as buffer overflows or format string bugs.
- Malware Analysis: Understand the true behavior of Android malware that hides malicious logic in native libraries.
- Intellectual Property Protection: Analyze how sensitive algorithms or cryptographic operations are implemented.
- Obfuscation Bypass: Native code is often used to make reverse engineering harder; understanding it helps bypass these measures.
Prerequisites and Setup
Before diving in, ensure you have the following tools and knowledge:
- Android SDK & Platform Tools: For `adb` (Android Debug Bridge).
- A Rooted Android Device or Emulator: Necessary for running Frida server.
- Ghidra: A powerful open-source reverse engineering framework.
- Frida: A dynamic instrumentation toolkit.
- Basic Understanding of C/C++ and ARM Assembly: Essential for native code analysis.
Frida Setup on Device
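```bash
# Create a working directory on the device
adb shell mkdir /data/local/tmp/frida/
# Copy the frida-server binary (matching the device architecture) to the device
adb push frida-server /data/local/tmp/frida/frida-server
# Make it executable and start it in the background
adb shell 'chmod 755 /data/local/tmp/frida/frida-server'
adb shell '/data/local/tmp/frida/frida-server &'
```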
Understanding Android NDK and JNI Basics
The Android NDK allows you to build `.so` (shared object) files, which are ELF binaries containing native code. JNI provides a standard way for Java code to call native functions and vice-versa. Key concepts include:
- JNIEnv*: A pointer to a pointer to the JNI function table. It’s the primary way to interact with the Java VM from native code.
- jclass, jobject, jmethodID, jfieldID: JNI types used to reference Java classes, objects, methods, and fields from native code.
- Native Method Registration:
  - Static Registration: Methods are named using a specific convention: `Java_PackageName_ClassName_MethodName`. The JVM resolves these names directly.
  - Dynamic Registration: Methods are registered explicitly using `RegisterNatives`, often called within `JNI_OnLoad`. This is common for obfuscation.
- JNI_OnLoad: An optional function exported by the native library, called when the library is loaded by the JVM. It’s a common place for dynamic method registration, environment setup, and anti-tampering checks.
Phase 1: Static Analysis with Ghidra
Obtaining the Native Library
First, extract the `.so` file from the target APK. APKs are essentially ZIP archives.
```bash
unzip target.apk -d extracted_apk
mv extracted_apk/lib/armeabi-v7a/libnative-lib.so . # Or arm64-v8a, x86, etc.
```
Loading into Ghidra
- Open Ghidra and create a new project.
- Go to File -> Import File and select your `libnative-lib.so`.
- Confirm the language (e.g., `ARMv7:le:32:v7` or `AARCH64:le:64:v8a`).
- Once imported, double-click to open it in the Code Browser.
- When prompted, analyze the binary. Ensure ‘Create Function Signatures’ and ‘Non-Returning Functions’ are selected for better analysis.
Identifying JNI Export Functions
In Ghidra’s Symbol Tree, navigate to ‘Exports’. You’ll often find:
- `JNI_OnLoad`: This is your primary entry point for dynamic analysis.
- Statically Registered Methods: Functions prefixed with `Java_` (e.g., `Java_com_example_NativeLib_stringFromJNI`).
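The `Java_` naming convention can be reversed to map each export back to its Java class and method. The Python example below is added here and is not part of the original article; it goes beyond the simple case in the text by also decoding the JNI escape sequences (`_1`, `_2`, `_3`, `_0xxxx`) and the `__` argument-signature suffix of overloaded methods. The helper names and the sample export names are constructed for illustration.

```python
import re

# JNI name escapes: _1 -> "_", _2 -> ";", _3 -> "[", _0xxxx -> Unicode char xxxx.
# A plain "_" stands for the "/" (or ".") separator of the fully qualified name.
_ESCAPE = re.compile(r"_0([0-9a-f]{4})|_([123])|_")
_FIXED = {"1": "_", "2": ";", "3": "["}
_SEP = "\0"  # temporary marker for a separator, so it cannot clash with a decoded "_"


def _unescape(mangled):
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return _FIXED[m.group(2)]
        return _SEP
    return _ESCAPE.sub(repl, mangled)


def demangle(symbol):
    """Return (class, method, arg_signature or None), or None if not a Java_ export."""
    if not symbol.startswith("Java_"):
        return None
    body = symbol[len("Java_"):]
    # "__" introduces the argument signature of an overloaded native method.
    # "__" followed by a digit is a separator plus an escape instead (e.g. "__1").
    m = re.search(r"__(?!\d)", body)
    name, sig = (body[:m.start()], body[m.end():]) if m else (body, None)
    cls, _, method = _unescape(name).rpartition(_SEP)
    if not cls or not method:
        return None
    args = _unescape(sig).replace(_SEP, "/") if sig is not None else None
    return cls.replace(_SEP, "."), method, args


def triage_exports(exports):
    """Map Java_ exports to their Java names and note whether JNI_OnLoad is exported."""
    static = {s: demangle(s) for s in exports if demangle(s)}
    return {"static": static, "has_jni_onload": "JNI_OnLoad" in exports}


# Constructed sample export names (not taken from any real library).
SAMPLE_EXPORTS = [
    "JNI_OnLoad",
    "Java_com_example_NativeLib_stringFromJNI",
    "Java_com_example_Native_1Lib_00024Inner_check__Ljava_lang_String_2_3B",
    "malloc_wrapper",
]
```

A library that exports `JNI_OnLoad` but few or no `Java_` symbols is a hint that its methods are registered dynamically, so the `RegisterNatives` call is the place to look next.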
Let’s consider a simple C example for a native method: