Android App Penetration Testing & Frida Hooks

Android App Pentesting with Frida: Locating & Extracting Hardcoded Secrets

By Antigravity Research Published May 29, 2026 ⏱️ 5 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to Hardcoded Secrets and Frida

In the realm of mobile application security, hardcoded secrets represent a significant vulnerability. Developers, often for convenience, embed sensitive information like API keys, database credentials, or encryption keys directly into an application’s codebase. While static analysis can sometimes uncover these secrets, dynamic analysis with tools like Frida offers a powerful advantage: the ability to intercept, inspect, and modify app behavior at runtime, even when secrets are obfuscated or loaded dynamically. This article will guide you through using Frida to uncover and extract these hidden treasures from Android applications.

Frida is a dynamic instrumentation toolkit that lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX. For Android penetration testers, Frida provides unparalleled control, allowing us to hook into Java methods, native functions, and even scan memory segments to extract sensitive data as it’s being used.

Prerequisites and Setup

Tools Required

  • ADB (Android Debug Bridge): For interacting with your Android device or emulator.
  • Frida: Specifically, `frida-tools` (Python package on your host machine) and `frida-server` (binary to run on the Android device).
  • Android Device or Emulator: A rooted device or an emulator with root access (e.g., Genymotion, Android Studio AVD with Google Play images).
  • Decompiler: Tools like Jadx-GUI, Ghidra, or JEB for static analysis and initial reconnaissance.

Setting up Frida on Android

First, ensure your Android device or emulator is rooted and ADB is configured. Then, follow these steps:

  1. Download frida-server: Visit Frida’s GitHub releases page and download the appropriate `frida-server` binary for your device’s architecture (e.g., `frida-server-*-android-arm64`).
  2. Push to Device: Use ADB to push the `frida-server` binary to a writable location on your device, like `/data/local/tmp/`. 
    adb push frida-server-*-android-arm64 /data/local/tmp/frida-server
  3. Make Executable: Connect via ADB shell and grant execute permissions. 
    adb shellsu -chmod 755 /data/local/tmp/frida-server
  4. Run frida-server: Execute the server in the background. 
    adb shellsu -/data/local/tmp/frida-server &

Verify Frida is running by executing `frida-ps -U` on your host machine. This should list processes on the connected Android device.

Static Analysis: The First Step

Before diving into dynamic analysis, static analysis provides crucial clues. Decompile the target APK using Jadx-GUI or Ghidra. Look for common indicators of secrets:

  • Keywords like `API_KEY`, `SECRET`, `TOKEN`, `PASSWORD`, `AUTH`, `URL`, `ENDPOINT`.
  • Methods that seem to return or handle sensitive strings (e.g., `getApiKey()`, `getServerUrl()`, `getAuthToken()`).
  • Classes named `Config`, `Constants`, `Utils`, `KeyManager`, `SecretManager`.

For example, using Jadx-GUI, you might search for `API_KEY` to find a class like `com.example.app.Config` containing a static string or a method that returns it.

// Example snippet from a decompiled app:public final class Config {    public static final String API_KEY = "sk_live_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";    public static final String BASE_URL = "https://api.example.com";    // ...}

This initial reconnaissance significantly narrows down the scope for dynamic hooking.

Dynamic Analysis with Frida: Runtime Extraction

Frida allows us to hook into the application’s runtime and extract values. We’ll focus on three primary techniques.

Hooking Java Methods for String Extraction

The most common approach is to hook methods that are likely to access or return the hardcoded secret. If static analysis points to a `getApiKey()` method, hooking it is straightforward.

// api_key_hook.jsJava.perform(function() {    var targetClass = Java.use('com.example.app.Config');    targetClass.getApiKey.implementation = function() {        var apiKey = this.getApiKey();        console.log('[+] Detected API Key:', apiKey);        // Optionally, modify the return value        // return 'my_fake_api_key';        return apiKey;    };    console.log('[*] Hooked com.example.app.Config.getApiKey()');});

This script intercepts the call to `getApiKey()`, logs its original return value, and then lets the original method execute. You can run this with `frida -U -f com.example.app -l api_key_hook.js –no-pause`.

Inspecting Object Instantiation (Constructors)

Sometimes, secrets are initialized as instance variables within a class’s constructor. Hooking the constructor allows you to inspect the arguments passed or the object’s state immediately after creation.

// constructor_hook.jsJava.perform(function() {    var SecretManager = Java.use('com.example.app.SecretManager');    SecretManager.$init.implementation = function(arg1, arg2) {        console.log('[+] SecretManager constructor called with:', arg1, arg2);        this.$init(arg1, arg2); // Call original constructor        console.log('[+] SecretManager instance created, checking fields:');        console.log('    - Internal Key:', this.internalKey.value); // Assuming 'internalKey' is a field    };    console.log('[*] Hooked com.example.app.SecretManager constructor.');});

Remember that `this` inside the `implementation` function refers to the instance of the class.

Memory Scanning for Patterns

In cases where secrets are not directly exposed via Java methods (e.g., loaded from native libraries, decrypted at runtime into a byte array, or stored in non-standard ways), direct memory scanning can be effective. You can search for specific byte patterns or ASCII/UTF-8 strings within the app’s memory regions.

// memory_scan.jsJava.perform(function() {    console.log('[*] Searching for potential secrets in memory...');    // Example: Search for a common API key prefix like 'sk_live_'    var searchPattern = '73 6b 5f 6c 69 76 65 5f'; // Hex for 'sk_live_'    // You can iterate through various memory ranges or focus on specific ones    Process.enumerateRanges('rwx').forEach(function(range) {        var results = Memory.scanSync(range.base, range.size, searchPattern);        results.forEach(function(match) {            var secretAddress = match.address;            var sizeToRead = 64; // Read a reasonable chunk after the pattern            var secretCandidate = Memory.readCString(secretAddress, sizeToRead);            console.log('[+] Potential Secret found at', secretAddress, ':', secretCandidate);        });    });    console.log('[*] Memory scan completed.');});

This script scans all readable, writable, executable memory regions for the hex pattern of

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Pentesting #Dynamic Analysis #Frida #Hardcoded Secrets #Mobile Security

Related Technical Guides

Frida Biometric Bypass: Step-by-Step Guide to Evading Android Fingerprint & Face Authentication

May 30, 2026

Real-World Android Pentesting: Identifying and Exploiting Insecure External Storage with Frida

May 30, 2026

Automating the Attack: Scripting ADB & Frida for Scalable Android App Pentesting Workflows

May 29, 2026