Android App Penetration Testing & Frida Hooks

Mastering Frida: Programmatically Listing Android’s Live Classes and Their Methods

By Antigravity Research Published May 30, 2026 ⏱️ 7 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to Dynamic Android Class Enumeration with Frida

In the realm of Android application penetration testing and reverse engineering, understanding the internal architecture of an application at runtime is paramount. Static analysis can reveal much, but the true behavior and loaded components often only emerge during dynamic execution. Frida, a powerful dynamic instrumentation toolkit, provides an unparalleled ability to interact with and manipulate running applications. One of its most fundamental and incredibly useful capabilities is the programmatic enumeration of live Java classes and their methods loaded within an Android application’s process.

This article delves into the techniques for using Frida to list all loaded Java classes, filter them for relevance, and then inspect the methods of specific classes. This process is crucial for identifying interesting attack surfaces, understanding custom SDKs, and preparing for targeted hooking.

Prerequisites

Before diving into the Frida scripts, ensure you have the following:

  • A rooted Android device or an emulator.
  • Frida server running on the Android device.
  • Frida tools installed on your host machine (pip install frida-tools).
  • Basic familiarity with JavaScript and Android application structure.

Frida’s Java API for Dynamic Analysis

Frida exposes a robust JavaScript API that allows direct interaction with the Java VM running within the target process. The core functions we’ll use are:

  • Java.perform(function() { ... });: This is the entry point for all Java-related Frida scripts, ensuring the Java VM is ready.
  • Java.enumerateLoadedClassesSync();: This function returns an array of strings, where each string is the fully qualified name of a Java class currently loaded in the VM. The Sync suffix indicates it’s a synchronous operation.
  • Java.use('className');: This function allows you to obtain a wrapper object for a specific Java class, enabling you to inspect its properties and methods, and to hook them.

Listing All Loaded Classes

The first step in exploring an application’s runtime components is to get a complete list of all currently loaded Java classes. This can be an extensive list, often containing hundreds or even thousands of classes from the Android framework, third-party libraries, and the application itself.

Frida Script: Basic Class Enumeration (enum_classes.js)

Java.perform(function () {  console.log('Enumerating all loaded Java classes...');  var classes = Java.enumerateLoadedClassesSync();  classes.forEach(function(className) {    console.log('[+] ' + className);  });  console.log('Finished enumerating ' + classes.length + ' classes.');});

Executing the Script

To run this script against an Android application (e.g., a simple test app with package com.example.mytestapp), use the following command:

frida -U -f com.example.mytestapp -l enum_classes.js --no-pause

The -U flag targets a USB-connected device, -f spawns the application, -l loads the script, and --no-pause allows the app to start immediately after injection. You’ll see a flood of class names in your console.

Filtering Classes for Relevance

While a full list is comprehensive, it’s often overwhelming. We usually want to focus on specific areas: the application’s own classes, or classes from a particular third-party library. Filtering becomes essential.

Frida Script: Filtered Class Enumeration (filter_classes.js)

This script filters classes based on a desired package prefix. Replace com.example.mytestapp with the package name you are interested in.

Java.perform(function () {  var targetPackagePrefix = 'com.example.mytestapp'; // Or 'com.google.android' for Google libraries  console.log('Enumerating Java classes starting with: ' + targetPackagePrefix);  var classes = Java.enumerateLoadedClassesSync();  var filteredClasses = [];  classes.forEach(function(className) {    if (className.startsWith(targetPackagePrefix)) {      filteredClasses.push(className);      console.log('[+] ' + className);    }  });  console.log('Finished enumerating ' + filteredClasses.length + ' filtered classes.');});

Executing the Filtered Script

frida -U -f com.example.mytestapp -l filter_classes.js --no-pause

This will give you a much more manageable list, focusing on the application’s internal structure.

Enumerating Methods of a Specific Class

Once you’ve identified an interesting class, the next logical step is to understand what methods it exposes. Frida allows you to reflectively inspect a class’s methods.

Understanding Method Enumeration

Java methods are essentially properties of a class. In Frida’s JavaScript context, you can use Object.getOwnPropertyNames() to list these properties. However, it’s important to distinguish between static methods (properties of the class constructor itself) and instance methods (properties of the class’s prototype). Additionally, we often want to iterate through the inheritance chain to find all accessible methods.

Frida Script: Method Enumeration (enum_methods.js)

Java.perform(function () {  function enumerateClassMethods(className) {    try {      var targetClass = Java.use(className);      console.log('Methods for class: ' + className);      console.log('---------------------------------');      // Enumerate static methods      var staticMethods = Object.getOwnPropertyNames(targetClass.$class).filter(function(methodName) {        return typeof targetClass[methodName] === 'function';      });      console.log('Static Methods:');      staticMethods.forEach(function(methodName) {        if (!methodName.startsWith('$') && methodName !== 'class') { // Filter out Frida's internal methods and 'class' property          console.log('  [S] ' + methodName);        }      });      // Enumerate instance methods      var instanceMethods = Object.getOwnPropertyNames(targetClass.prototype).filter(function(methodName) {        return typeof targetClass.prototype[methodName] === 'function';      });      console.log('Instance Methods:');      instanceMethods.forEach(function(methodName) {        if (!methodName.startsWith('$') && methodName !== 'constructor') { // Filter out Frida's internal methods and 'constructor'          console.log('  [I] ' + methodName);        }      });      console.log('---------------------------------');    } catch (e) {      console.error('Error enumerating methods for ' + className + ': ' + e.message);    }  }  // Example: Enumerate methods of android.app.Activity  enumerateClassMethods('android.app.Activity');  // Example: Enumerate methods of a class from your target app  // enumerateClassMethods('com.example.mytestapp.MainActivity');});

Executing the Method Enumeration Script

frida -U -f com.example.mytestapp -l enum_methods.js --no-pause

This will output the static and instance methods for the specified class. You’ll notice many methods inherited from `java.lang.Object` and other superclasses. For more targeted analysis, you might filter these out or recursively traverse the prototype chain.

Advanced: Combined Class and Method Explorer

Let’s combine these concepts into a more powerful script that can enumerate classes within a given package prefix and then list the methods for each of those classes.

Frida Script: Combined Explorer (explore_app.js)

Java.perform(function () {  var targetPackagePrefix = 'com.example.mytestapp'; // SET YOUR TARGET PACKAGE HERE!  console.log('Starting dynamic exploration for package: ' + targetPackagePrefix);  function enumerateMethods(className) {    var methods = [];    try {      var targetClass = Java.use(className);      // Static methods      Object.getOwnPropertyNames(targetClass.$class).forEach(function(methodName) {        if (typeof targetClass[methodName] === 'function' && !methodName.startsWith('$')) {          methods.push('  [S] ' + methodName);        }      });      // Instance methods      Object.getOwnPropertyNames(targetClass.prototype).forEach(function(methodName) {        if (typeof targetClass.prototype[methodName] === 'function' && !methodName.startsWith('$')) {          methods.push('  [I] ' + methodName);        }      });    } catch (e) {      // console.error('  Error inspecting methods for ' + className + ': ' + e.message);    }    return methods;  }  var classes = Java.enumerateLoadedClassesSync();  console.log('Found ' + classes.length + ' total loaded classes.');  var exploredCount = 0;  classes.forEach(function(className) {    if (className.startsWith(targetPackagePrefix)) {      exploredCount++;      console.log('n[+] Class: ' + className);      var classMethods = enumerateMethods(className);      if (classMethods.length > 0) {        classMethods.forEach(function(method) {          console.log(method);        });      } else {        console.log('  No specific methods found (might be inherited or internal).');      }    }  });  console.log('nFinished exploring ' + exploredCount + ' classes within ' + targetPackagePrefix + '.');});

Executing the Combined Explorer

frida -U -f com.example.mytestapp -l explore_app.js --no-pause

This script provides a comprehensive overview of the application’s custom classes and their declared methods, giving you a detailed blueprint for further analysis or hooking.

Practical Use Cases in Penetration Testing

  • Discovering Custom APIs: Identify internal application-specific methods that might handle sensitive data or business logic.
  • Bypassing Security Controls: Find methods related to authentication, authorization, or encryption that could be hooked or tampered with.
  • Understanding Application Flow: By listing methods, you can infer the capabilities and responsibilities of different classes, helping to map out the application’s control flow.
  • Preparing for Targeted Hooks: Once a method of interest is found, you can use its full signature to create precise Frida hooks to observe or modify its behavior.
  • Identifying Obfuscated Code: While obfuscation changes method names, dynamic enumeration still lists the *available* methods, providing a starting point for de-obfuscation or direct interaction.

Conclusion

Frida’s dynamic class and method enumeration capabilities are indispensable tools for any Android penetration tester or reverse engineer. By programmatically exploring the live components of an application, you gain deep insights into its runtime behavior, identify critical attack vectors, and lay the groundwork for more advanced instrumentation and manipulation. Mastering these techniques transforms abstract static analysis into concrete, actionable dynamic intelligence, empowering you to uncover vulnerabilities and fully understand the inner workings of Android applications.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Pentesting #Dynamic Analysis #Frida #Mobile Security #Reverse Engineering

Related Technical Guides

Mastering Frida: A Step-by-Step Guide to Changing Android Method Input & Output

May 30, 2026

Stealth Exfiltration: Techniques for Undetectable Data Siphoning from Android Apps using Frida

May 29, 2026

Demystifying Android Binder & Ashmem: A Frida-Powered Shared Memory Walkthrough

May 29, 2026