Android App Penetration Testing & Frida Hooks

Real-World Android Pentesting: Identifying and Exploiting Insecure External Storage with Frida

By Antigravity Research Published May 30, 2026 ⏱️ 7 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction

In the realm of Android application penetration testing, insecure data storage remains a perennial vulnerability. While internal storage offers a degree of isolation, external storage (like SD cards or shared internal storage partitions) presents significant risks due to its less restrictive access controls. When applications store sensitive user data or critical configuration files on external storage without proper encryption or access restrictions, they expose this data to other applications, the user, and potentially even malicious actors with physical device access. This article delves into identifying and exploiting these insecure external storage vulnerabilities, leveraging the powerful dynamic instrumentation toolkit, Frida.

We will explore how to static and dynamically analyze Android applications for insecure storage practices, understand the nuances of Android’s storage mechanisms, and ultimately use Frida to intercept, inspect, and even manipulate data being written to or read from external storage in real-time, simulating a potent attack scenario.

Understanding Android Storage Mechanisms

Android provides several storage options for applications, each with distinct security implications.

Internal Storage

Internal storage is private to the application. Data stored here is typically only accessible by the application itself, and it’s automatically deleted when the application is uninstalled. This is the default and most secure location for sensitive application data because it’s sandboxed and requires root privileges for other apps to access.

External Storage

External storage is world-readable and world-writable. On most devices, this refers to a shared internal storage partition, though it can also include removable SD cards. While useful for storing large files that should be accessible by the user or other apps (e.g., photos, downloads), it is inherently insecure for sensitive data. Any application with the `READ_EXTERNAL_STORAGE` or `WRITE_EXTERNAL_STORAGE` permission can access files stored here, posing a significant risk if an application places private user data, tokens, or encryption keys in this area.

Identifying Insecure External Storage Vulnerabilities

Identifying these vulnerabilities involves a combination of static and dynamic analysis.

1. Static Analysis

Begin by decompiling the Android application (APK) using tools like JADX or Apktool. Focus on the `AndroidManifest.xml` and the application’s source code.

AndroidManifest.xml Inspection:

Check for the presence of external storage permissions. While `READ_EXTERNAL_STORAGE` and `WRITE_EXTERNAL_STORAGE` are common, their mere presence doesn’t confirm a vulnerability, but it indicates the app *can* access external storage.

<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />

Source Code Review:

Search the decompiled Java/Smali code for common API calls related to external storage. Look for:

  • `Environment.getExternalStorageDirectory()`
  • `Context.getExternalFilesDir()`
  • `Context.getExternalCacheDir()`
  • Usage of `java.io.File` with paths constructed from these methods.
  • `FileOutputStream`, `FileWriter`, `BufferedWriter` used with external paths.

Pay close attention to what data is being written to these paths.

2. Dynamic Analysis with ADB

Install the application on a rooted device or emulator. Use `adb shell` to explore the common external storage paths while the application is running and performing its functions.

adb shell
cd /sdcard/Android/data/
ls -l
cd <package.name>/
ls -lR
cat <potentially_sensitive_file>

Also check the root of the `/sdcard` directory or `Environment.getExternalStorageDirectory()` for any files directly dropped there.

Leveraging Frida for Dynamic Exploitation

Frida is an unparalleled toolkit for dynamic instrumentation, allowing us to inject custom scripts into running processes. This enables us to hook into Java/Kotlin methods, inspect arguments, modify return values, and observe behavior in real-time without modifying the application binary.

Frida Setup Prerequisites

  1. Rooted Android device or emulator.
  2. Frida server running on the Android device.
  3. Frida tools installed on your host machine (`pip install frida-tools`).

To run Frida server on your device:

# Download the appropriate frida-server for your device's architecture from GitHub
# Example for ARM64:
wget https://github.com/frida/frida/releases/download/16.1.4/frida-server-16.1.4-android-arm64.xz
unxz frida-server-16.1.4-android-arm64.xz
adb push frida-server-16.1.4-android-arm64 /data/local/tmp/frida-server
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"

Hooking Storage APIs to Identify Sensitive Data Writes

Our goal is to intercept calls to file writing methods that involve external storage. We can hook methods like `java.io.FileOutputStream`’s constructor or `java.io.File`’s `createNewFile()` to get a clearer picture of file creation and writes.

Consider a simple Frida script to monitor all `FileOutputStream` creations:

Java.perform(function () {
    var FileOutputStream = Java.use("java.io.FileOutputStream");
    FileOutputStream.$init.overload('java.lang.String').implementation = function (path) {
        console.log("[+] FileOutputStream created for path: " + path);
        if (path.includes("/sdcard/") || path.includes("external_storage")) {
            console.warn("[!!!] Possible sensitive data written to external storage: " + path);
            // You can add more checks here, e.g., print stack trace
            // Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new());
        }
        return this.$init(path);
    };

    FileOutputStream.$init.overload('java.io.File').implementation = function (file) {
        console.log("[+] FileOutputStream created for file: " + file.getAbsolutePath());
        if (file.getAbsolutePath().includes("/sdcard/") || file.getAbsolutePath().includes("external_storage")) {
            console.warn("[!!!] Possible sensitive data written to external storage: " + file.getAbsolutePath());
        }
        return this.$init(file);
    };

    // Hooking write methods to see content
    var OutputStream = Java.use('java.io.OutputStream');
    OutputStream.write.overload('[B', 'int', 'int').implementation = function (b, off, len) {
        var data = Java.array('byte', b);
        var str = String.fromCharCode.apply(String, data);
        console.log("[+] Data being written: " + str);
        return this.write(b, off, len);
    };
});

Real-World Scenario: Intercepting and Manipulating Data

Let’s imagine a vulnerable application that stores a user’s session token or sensitive preferences in a file on external storage.

Example vulnerable Java/Kotlin code:

// In a hypothetical Android application
public void saveSessionToken(String token) {
    File externalDir = Environment.getExternalStorageDirectory();
    File tokenFile = new File(externalDir, "app_session.txt");
    try (FileOutputStream fos = new FileOutputStream(tokenFile)) {
        fos.write(token.getBytes());
        Log.d("App", "Session token saved to: " + tokenFile.getAbsolutePath());
    } catch (IOException e) {
        Log.e("App", "Error saving session token", e);
    }
}

A Frida script can not only detect this write but also intercept and modify the token being written or even read later.

Java.perform(function () {
    var FileOutputStream = Java.use("java.io.FileOutputStream");
    var originalWrite = FileOutputStream.write.overload('[B');

    FileOutputStream.write.overload('[B').implementation = function (b) {
        var filePath = "Unknown";
        try {
            // Attempt to get the file path from the FileDescriptor associated with this FileOutputStream
            var fd = this.getFD();
            var FileDescriptor = Java.use('java.io.FileDescriptor');
            var pathField = FileDescriptor.class.getDeclaredField('path');
            pathField.setAccessible(true);
            filePath = pathField.get(fd);
        } catch (e) {
            // Handle cases where path might not be directly accessible or field name differs across Android versions
        }
        
        var originalData = Java.array('byte', b);
        var originalString = String.fromCharCode.apply(String, originalData);
        console.log("[*] Detected write to: " + filePath);
        console.log("[*] Original data: " + originalString);

        if (filePath.includes("app_session.txt") && originalString.startsWith("session_")) {
            console.warn("[!!!] Intercepting and altering sensitive session token!");
            var modifiedToken = "MALICIOUS_SESSION_TOKEN_INJECTED_BY_FRIDA";
            var modifiedData = modifiedToken.getBytes();
            console.log("[!!!] Modified data: " + modifiedToken);
            return originalWrite.call(this, modifiedData);
        }
        return originalWrite.call(this, b);
    };

    // Also hook reads to ensure consistency if app reads the token back
    var FileInputStream = Java.use("java.io.FileInputStream");
    FileInputStream.read.overload().implementation = function () {
        var ret = this.read();
        // You can similarly inspect and modify data read if needed
        return ret;
    };
});

To execute this script, ensure your target application is running, then use:

frida -U -f <package.name> -l your_frida_script.js --no-pause

Replace `<package.name>` with the actual package name of the target application (e.g., `com.example.vulnerableapp`). The `–no-pause` flag ensures the app starts immediately with the script injected.

Mitigation Strategies for Developers

To prevent insecure external storage vulnerabilities:

  • **Avoid storing sensitive data on external storage.** If absolutely necessary, always encrypt the data with a strong, app-specific key.
  • **Use internal storage for private data.** Leverage `Context.getFilesDir()` or `getCacheDir()` for application-private files.
  • **Implement proper file access permissions.** For files that must be on external storage, use permissions that restrict access to the owning app if possible, though this is less effective for world-writable paths.
  • **Sanitize and validate all inputs and outputs.** Never trust data coming from or going to external storage.

Conclusion

Insecure external storage remains a critical vulnerability in Android applications, often leading to sensitive data exposure. By mastering static analysis for initial identification and leveraging the dynamic power of Frida, penetration testers can effectively pinpoint, intercept, and even manipulate data flows to demonstrate the full impact of these vulnerabilities. Understanding both the attack vectors and robust mitigation strategies is crucial for securing the Android ecosystem against such prevalent threats.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Pentesting #Dynamic Analysis #Frida #Insecure Storage #Mobile Security

Related Technical Guides

Reverse Engineering Android Apps: A Blueprint for Universal SSL Pinning Bypass Using Frida

May 29, 2026

Frida Stalker Unleashed: Real-World Techniques to Crack DexGuard Obfuscation

May 29, 2026

Intercepting Encrypted Communications: Frida Hooks for Android Native Network Libraries

May 30, 2026