Android App Penetration Testing & Frida Hooks

Frida Hooks Explained: How to Enumerate Android Classes & Methods for Dynamic Analysis

By Antigravity Research Published May 30, 2026 ⏱️ 7 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to Frida for Android Dynamic Analysis

Frida is an indispensable dynamic instrumentation toolkit for developers, security researchers, and penetration testers alike. It allows you to inject snippets of JavaScript or your own library into native apps on various platforms, including Android. This capability enables you to observe and manipulate runtime behavior, making it a powerful tool for reverse engineering, security testing, and debugging. A foundational step in many Android dynamic analysis tasks is understanding the application’s internal structure by enumerating its loaded classes and their respective methods.

This guide will walk you through the process of using Frida to programmatically discover all loaded Android classes and then delve into how to inspect the methods within a specific class. This technique is crucial for gaining insight into an application’s architecture, identifying potential hooking points, and understanding how different components interact at runtime.

Setting Up Your Dynamic Analysis Environment

Before we dive into Frida scripting, ensure your environment is properly set up. You’ll need:

  • An Android device or emulator (rooted is preferred for full control, but Frida works on non-rooted devices for many scenarios if you can inject into a debuggable app or use a custom-built APK).
  • ADB (Android Debug Bridge) installed and configured on your host machine.
  • Frida-tools installed on your host machine (`pip install frida-tools`).
  • The Frida-server binary running on your Android device.

Deploying Frida-Server on Android

First, download the appropriate Frida-server binary for your Android device’s architecture (e.g., `frida-server-*-android-arm64` for a 64-bit ARM device) from the Frida releases page. Then, push it to your device and execute it:

adb push /path/to/frida-server /data/local/tmp/frida-serveradb shell "chmod 755 /data/local/tmp/frida-server"adb shell "/data/local/tmp/frida-server &"

Verify Frida-server is running by executing frida-ps -U on your host machine. You should see a list of running processes on your Android device.

Enumerating All Loaded Android Classes

Frida’s JavaScript API exposes the Java object, which provides powerful methods for interacting with the Android Java runtime. One of the most useful for initial reconnaissance is Java.enumerateLoadedClasses(). This function iterates through all Java classes currently loaded into the target application’s runtime and allows you to process their names.

Frida Script for Class Enumeration

Create a file named enumerate_classes.js with the following content:

Java.perform(function() {    console.log("[+] Enumerating loaded classes...");    var classes = Java.enumerateLoadedClassesSync();    classes.forEach(function(className) {        console.log("Class: " + className);    });    console.log("[+] Class enumeration complete.");});

Executing the Class Enumeration Script

To run this script against a target application (e.g., a simple test app or a package like com.android.settings), use the frida -U command:

frida -U -l enumerate_classes.js -f com.android.settings --no-pause

Here’s a breakdown of the command:

  • -U: Connects to a USB device.
  • -l enumerate_classes.js: Loads our Frida script.
  • -f com.android.settings: Spawns the application with the given package name. Replace com.android.settings with your target app’s package.
  • --no-pause: Prevents Frida from pausing the application immediately after injection, allowing it to start normally.

You will see a lengthy list of class names printed to your console. This output can be extensive, often hundreds or thousands of classes, including system classes, third-party libraries, and the application’s own classes. Filtering this output (e.g., using grep or adding logic to the script) is often necessary to find relevant application-specific classes.

Inspecting Methods of a Specific Android Class

Once you’ve identified a class of interest, the next logical step is to enumerate its methods. This reveals the functionalities provided by that class, helping you understand its role and potential interaction points.

Frida Script for Method Enumeration

Let’s say we want to inspect the methods of the android.widget.Toast class, which is commonly used for displaying short messages.

Create a file named enumerate_methods.js:

Java.perform(function() {    var targetClassName = "android.widget.Toast";    try {        var targetClass = Java.use(targetClassName);        console.log("[+] Methods for class: " + targetClassName);        // Get all own property names, which include methods        var methods = Object.getOwnPropertyNames(targetClass.__proto__).filter(function(method) {            return method !== 'constructor'; // Filter out the constructor itself        });        // Sort for better readability (optional)        methods.sort();        methods.forEach(function(methodName) {            console.log("  - " + methodName);        });        console.log("[+] Method enumeration complete for " + targetClassName + ".");    } catch (e) {        console.error("[-] Could not find or access class " + targetClassName + ": " + e.message);    }});

In this script:

  • Java.use(targetClassName): This is a crucial function that creates a wrapper object around the specified Java class, allowing you to interact with its static and instance members.
  • targetClass.__proto__: Accesses the prototype of the `targetClass` object, which contains its methods.
  • Object.getOwnPropertyNames(): Retrieves an array of all own property names (including methods) defined directly on the prototype.
  • .filter(function(method) { return method !== 'constructor'; }): Filters out the constructor itself, as we’re typically interested in functional methods.

Executing the Method Enumeration Script

Run the script similar to the previous one:

frida -U -l enumerate_methods.js -f com.android.settings --no-pause

You will see a list of methods belonging to the android.widget.Toast class printed to the console. For instance, you might see methods like makeText, show, cancel, setGravity, etc.

Alternative Method Enumeration (More Comprehensive)

While Object.getOwnPropertyNames() is good for directly defined methods, Java classes also inherit methods. For a more comprehensive list that includes inherited methods, you can iterate through the class hierarchy or use Java reflection methods if you have a `java.lang.Class` object.

Here’s a snippet demonstrating how to use `getMethods()` via reflection for a `java.lang.Class` instance:

Java.perform(function() {    var targetClassName = "android.widget.Toast";    try {        var Class = Java.use('java.lang.Class');        var System = Java.use('java.lang.System');        var targetClassInstance = System.class.forName(targetClassName); // Get a java.lang.Class object        console.log("[+] Comprehensive methods for class: " + targetClassName);        var methods = targetClassInstance.getMethods();        methods.forEach(function(method) {            console.log("  - " + method.getName() + "(" + method.getParameterTypes().map(function(type) { return type.getName(); }).join(", ") + ")");        });        console.log("[+] Comprehensive method enumeration complete.");    } catch (e) {        console.error("[-] Error enumerating comprehensive methods: " + e.message);    }});

This advanced snippet utilizes the Java reflection API directly to get all public methods (including inherited ones) and their parameter types, providing richer detail. The output will be much more extensive.

Practical Applications and Next Steps

Enumerating classes and methods is the gateway to deeper dynamic analysis:

  • Understanding Application Flow: By inspecting classes in areas of interest (e.g., login, payment, encryption), you can infer how the application handles sensitive operations.
  • Identifying Hooking Targets: Once a method of interest is found (e.g., a cryptographic function, a root-detection check, an authentication method), you can then write a Frida hook to intercept arguments, modify return values, or bypass its execution entirely.
  • Discovering Hidden Functionality: Sometimes, developers leave in methods or classes that aren’t directly exposed in the UI but can be programmatically invoked.

From here, you can proceed to write more specific Frida scripts to hook these identified methods, examine their arguments, modify their return values, or even call them with custom arguments. This initial enumeration step is fundamental for effective Android application penetration testing and reverse engineering.

Conclusion

Frida provides unparalleled capabilities for dynamic analysis of Android applications. By mastering the techniques of enumerating loaded classes and their methods, you gain significant insight into an app’s runtime behavior and internal structure. This knowledge forms the bedrock for advanced hooking, manipulation, and security testing, empowering you to uncover vulnerabilities and better understand how Android applications function under the hood.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Security #Dynamic Analysis #Frida #Penetration Testing #Reverse Engineering

Related Technical Guides

Deep Dive: Automated Static & Dynamic Analysis for Android Malware Detection & Reversing

May 29, 2026

Frida Lab: Unpacking & Dumping Android App Secrets from Memory

May 29, 2026

Frida Hooks for Live Deobfuscation: Runtime Class & Method Name Restoration in Android Apps

May 29, 2026