Android App Penetration Testing & Frida Hooks

Troubleshooting Frida Hooks: Debugging JNI_OnLoad and Native Library Load Issues on Android

By Antigravity Research Published May 30, 2026 ⏱️ 8 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to JNI_OnLoad and Native Library Loading

The Java Native Interface (JNI) is a powerful framework that allows Java code running in a Java Virtual Machine (JVM) to call and be called by native applications and libraries written in languages such as C, C++, and assembly. In Android app development, JNI is extensively used for performance-critical operations, interacting with hardware, or integrating existing native codebases. A critical function in this ecosystem is JNI_OnLoad.

JNI_OnLoad is a special C/C++ function that the Java Virtual Machine (JVM) looks for and executes when a native library is loaded into memory via System.loadLibrary() or System.load(). Its primary purpose is to perform initialization routines for the native library, such as registering native methods with the JVM (mapping Java methods to native C/C++ functions) and setting up global variables or structures. For security researchers and penetration testers, hooking JNI_OnLoad is paramount because it’s often the earliest point where a native library’s functionality can be intercepted and manipulated before other native functions are called or anti-tampering checks are established.

The Challenge of Hooking JNI_OnLoad with Frida

Timing is Everything

One of the most frequent challenges when trying to hook JNI_OnLoad with Frida is a timing issue. Frida injects its agent into the target process, but there’s a race condition: the target application might load its native libraries and execute JNI_OnLoad before Frida’s agent has fully initialized and attached its hooks. If JNI_OnLoad has already run by the time your hook is set up, you will simply miss the event.

Additionally, Android applications often load native libraries very early in their lifecycle, sometimes even within the Application.onCreate() method or static initializers of classes. This makes it challenging to reliably intercept these calls using typical Java.perform() blocks, which execute once the Java VM is ready for interaction, but might still be after initial native library loads.

Library Resolution and Multiple JNI_OnLoad Functions

Android’s linker manages native libraries in specific namespaces. A library named libnative.so will typically expose its JNI_OnLoad function as an export. However, an application might load multiple native libraries, each with its own JNI_OnLoad. Identifying which specific JNI_OnLoad you need to hook, or handling cases where multiple libraries expose this function, requires careful module enumeration and precise targeting.

Frida Strategies for Reliable JNI_OnLoad Hooking

Early Injection and Waiting for Module Load

To mitigate the timing issue, you should aim for the earliest possible injection and then actively wait for your target module to appear in the process’s memory space. Use frida -l script.js -f package_name --no-pause to inject Frida into the application at launch and immediately execute your script without pausing the application’s startup.

Java.perform(function () {  var targetLib = 'libnative.so';  var module = null;  // Keep trying to find the module until it's loaded  var interval = setInterval(function() {    module = Process.findModuleByName(targetLib);    if (module) {      clearInterval(interval);      console.log('[+] Found module: ' + targetLib + ' at ' + module.base);      var jniOnLoad = module.findExportByName('JNI_OnLoad');      if (jniOnLoad) {        console.log('[+] JNI_OnLoad found at ' + jniOnLoad);        Interceptor.attach(jniOnLoad, {          onEnter: function(args) {            console.log('JNI_OnLoad ENTERED!');            // You can inspect arguments, but JNI_OnLoad typically has (JavaVM*, void*)            this.vm = args[0];            this.reserved = args[1];          },          onLeave: function(retval) {            console.log('JNI_OnLoad EXITED! Return value: ' + retval);            // Example: Force JNI_VERSION_1_6 if library tries to downgrade            // retval.replace(0x00010006); // JNI_VERSION_1_6          }        });      } else {        console.log('[-] JNI_OnLoad not found in ' + targetLib);      }    } else {      console.log('[-] Waiting for ' + targetLib + ' to load...');    }  }, 100); // Check every 100ms});

Intercepting System.loadLibrary and dlopen

A more robust approach is to intercept the functions responsible for loading native libraries. On the Java side, this is System.loadLibrary(). On the native side, this eventually boils down to dlopen(), which loads a shared object. By hooking these, you can ensure your JNI_OnLoad hook is placed as soon as the library load is initiated or completed.

Java.perform(function () {  var System = Java.use('java.lang.System');  System.loadLibrary.overload('java.lang.String').implementation = function (libname) {    console.log('[Java] System.loadLibrary called for: ' + libname);    this.loadLibrary(libname); // Call original method    if (libname === 'native') { // Target our specific library      console.log('[+] Now trying to hook JNI_OnLoad for ' + libname);      var module = Process.findModuleByName('libnative.so');      if (module) {        var jniOnLoad = module.findExportByName('JNI_OnLoad');        if (jniOnLoad) {          console.log('[+] JNI_OnLoad for libnative.so found at ' + jniOnLoad);          Interceptor.attach(jniOnLoad, {            onEnter: function(args) { console.log('JNI_OnLoad ENTERED (via System.loadLibrary hook)!'); },            onLeave: function(retval) { console.log('JNI_OnLoad EXITED (via System.loadLibrary hook)!'); }          });        }      }    }  };  // Hooking dlopen for a more native-level approach  var dlopen = Module.findExportByName(null, 'dlopen');  if (dlopen) {    Interceptor.attach(dlopen, {      onEnter: function(args) {        this.library_path = args[0].readUtf8String();        console.log('[Native] dlopen called for: ' + this.library_path);      },      onLeave: function(retval) {        if (retval.toInt32() !== 0 && this.library_path && this.library_path.includes('libnative.so')) {          console.log('[+] libnative.so loaded via dlopen! Module base: ' + retval);          var module = Process.findModuleByAddress(retval);          var jniOnLoad = module.findExportByName('JNI_OnLoad');          if (jniOnLoad) {            console.log('[+] JNI_OnLoad for libnative.so found at ' + jniOnLoad);            Interceptor.attach(jniOnLoad, {              onEnter: function(args) { console.log('JNI_OnLoad ENTERED (via dlopen hook)!'); },              onLeave: function(retval) { console.log('JNI_OnLoad EXITED (via dlopen hook)!'); }            });          }        }      }    });  }});

Handling Multiple JNI_OnLoad Functions and Dynamic Loads

If you suspect multiple JNI_OnLoad functions or are unsure which library provides it, you can enumerate all loaded modules and their exports:

Java.perform(function () {  Process.enumerateModules().forEach(function(module) {    // Filter for relevant modules, e.g., only application-specific ones    // if (!module.name.startsWith('lib') && !module.name.endsWith('.so')) return;    var jniOnLoad = module.findExportByName('JNI_OnLoad');    if (jniOnLoad) {      console.log('[*] Found JNI_OnLoad in module: ' + module.name + ' at ' + jniOnLoad);      Interceptor.attach(jniOnLoad, {        onEnter: function(args) { console.log('JNI_OnLoad ENTERED in ' + module.name); },        onLeave: function(retval) { console.log('JNI_OnLoad EXITED in ' + module.name); }      });    }  });});

Debugging Common Frida Hooking Issues

No Output from console.log or send

  • Frida Server/Agent Issue: Ensure frida-server is running on the device and is reachable. Verify Frida agent injected correctly by checking frida-ps -U or frida -D -l script.js -f package_name.
  • Early Application Crash: The application might be crashing immediately after launch or injection, preventing your script from running. Use --no-pause and monitor logcat for crashes.
  • Wrong Package Name/PID: Double-check the package name (-f) or PID (-p) you are targeting.

Hook Not Triggering

  • Module Not Loaded: Use Process.findModuleByName('libname.so') in a live Frida console (`frida -U -f package_name –no-pause`) to confirm if the library is loaded and at what address.
  • Export Name Mismatch: Verify the exact export name. Sometimes it might be `JNI_OnLoad@XXX` due to mangling, or not exported at all. Use `Module.enumerateExports(module_name)` to list all exports.
  • Timing Race Condition: As discussed, `JNI_OnLoad` might have already executed. Implement `System.loadLibrary` or `dlopen` hooks to guarantee interception.
  • Function Signature Incorrect: If hooking other native functions, ensure the `Interceptor.attach` arguments match the function’s signature (number and type of arguments).

Application Crashing on Hook

  • Incorrect Argument Handling: When `onEnter` or `onLeave` modify arguments or return values, ensure you’re using correct types and not corrupting memory. For example, `args[0].writePointer(ptr)` or `retval.replace(new_value)`.
  • Memory Access Violations: Reading from or writing to invalid memory addresses within your hook can cause crashes. Use `try-catch` blocks around risky operations and `console.log` extensively to pinpoint the exact line causing the crash.
  • Stack Corruption: If you’re manually manipulating the stack or calling conventions, even slight errors can lead to crashes. Stick to `Interceptor.attach`’s default behavior unless you’re very confident.
  • Concurrency Issues: Hooks can introduce concurrency issues if not handled carefully, especially in multi-threaded native code.

Advanced Techniques and Best Practices

When dealing with complex native environments, combining `Java.perform` with native hooks offers powerful context. For instance, you might want to call a Java method before or after a native function executes, or pass information between Java and native hook contexts. Remember to use `Interceptor.replace` with extreme caution, as it completely replaces the function and requires you to replicate the original function’s logic if you still want it to run.

Always test your Frida scripts incrementally. Start with simple `console.log` statements to confirm hooks are attaching and triggering, then gradually add more complex logic. When debugging, leverage Frida’s interactive console (`frida -U -f package_name –no-pause`) to dynamically test snippets of code and inspect the process state without restarting the application every time.

Finally, `frida-trace` can be an excellent tool for initial exploration. Use `frida-trace -i

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Security #App Penetration Testing #Frida #JNI_OnLoad #Native Hooks

Related Technical Guides

Xposed Module Development: Crafting Custom Hooks to Uncover Android App Vulnerabilities

May 30, 2026

Frida for Android Pentesters: Modifying Runtime Behavior via Argument/Return Hooks

May 30, 2026

Advanced Frida Techniques: Hooking JNI Native Methods & Inline Assembly on Android ARM64

May 29, 2026