Android App Penetration Testing & Frida Hooks

Android RE Lab: Mapping Runtime Classes and Methods with Frida & Objection


Introduction: Unlocking Android App Internals

Android reverse engineering (RE) is a crucial skill for security researchers, penetration testers, and malware analysts. While static analysis (disassembling APKs) provides a foundational understanding, it often falls short in revealing the dynamic behavior of an application. Modern Android apps employ various obfuscation techniques and dynamically load classes, making static analysis alone insufficient. This is where dynamic analysis tools like Frida and Objection become indispensable. They allow us to interact with a running application’s memory, hooking functions, modifying behavior, and, critically, enumerating its runtime classes and methods.

This advanced tutorial will guide you through using Frida and Objection to dynamically map the classes and methods loaded into an Android application’s memory space. This technique is invaluable for discovering hidden functionalities, identifying interesting API calls, and pinpointing potential hooking targets during a penetration test.

The Power of Runtime Enumeration

Why is runtime enumeration so powerful? Consider these scenarios:

  • Dynamic Loading: Many applications load classes and methods only when needed, or even download them from remote servers, making them invisible to static analysis.
  • Obfuscation: Tools like ProGuard and DexGuard rename classes and methods to unreadable names. Dynamic enumeration allows us to see these entities with their runtime (potentially de-obfuscated) names.
  • Understanding Behavior: By listing methods, we can infer functionalities, especially when looking for specific patterns (e.g., cryptographic operations, network communication, authentication checks).

Setting Up Your Android RE Lab

Before we dive in, ensure you have the following:

  • Rooted Android Device or Emulator: Necessary for running the Frida server.
  • Frida Server: Download the appropriate `frida-server` binary for your device’s architecture (e.g., `frida-server-*-android-arm64`) from the Frida releases page.
  • Frida-tools and Objection: Installed on your host machine via pip.
```bash
pip install frida-tools objection
```

Push `frida-server` to your device, set execute permissions, and run it:

```bash
# Push to device (replace with your device's architecture and IP)
adb push frida-server-*-android-arm64 /data/local/tmp/

# Grant execute permissions
adb shell "chmod 755 /data/local/tmp/frida-server-*-android-arm64"

# Run frida-server in the background
adb shell "/data/local/tmp/frida-server-*-android-arm64 &"
```

Method 1: Deep Dive with Frida Scripts

Frida provides a JavaScript API to interact with the target process. We’ll start by crafting a Frida script to enumerate classes and methods.

1. Enumerating All Loaded Classes

We use `Java.enumerateLoadedClasses()` within a `Java.perform()` block to ensure our script runs in the context of the Android application’s Java VM. This will list all classes currently loaded by the Java Virtual Machine.

```javascript
// list_all_classes.js
Java.perform(function() {
    console.log("[*] Listing all loaded classes...");
    // Walk every class the runtime has loaded so far; onMatch fires once per class
    Java.enumerateLoadedClasses({
        onMatch: function(className) {
            console.log("[+] Found class: " + className);
        },
        onComplete: function() {
            console.log("[*] Class enumeration complete.");
        }
    });
});
```

To run this script against a target application (e.g., `com.example.targetapp`):

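```bash
frida -U -l list_all_classes.js -f com.example.targetapp --no-pause
```

The `-U` flag targets a USB-connected device, `-l` loads our script, `-f` spawns the application, and `--no-pause` lets it run immediately instead of waiting at startup. Recent frida-tools releases resume a spawned app by default and no longer accept `--no-pause`; if the flag is rejected, drop it. You’ll see a flood of class names in your console.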

2. Filtering Classes by Package Name

Listing all classes can be overwhelming. We often want to focus on application-specific classes. We can filter them by checking if the class name starts with the application’s package name.

```javascript
// filter_classes.js
Java.perform(function() {
    var packageName = "com.example.targetapp"; // Replace with your target app's package
    console.log("[*] Listing classes for package: " + packageName);
    Java.enumerateLoadedClasses({
        onMatch: function(className) {
            // Keep only classes that live under the app's own package
            if (className.startsWith(packageName)) {
                console.log("[+] Found app class: " + className);
            }
        },
        onComplete: function() {
            console.log("[*] App class enumeration complete.");
        }
    });
});
```

```bash
frida -U -l filter_classes.js -f com.example.targetapp --no-pause
```
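Going a step beyond the prefix filter above, the following added example (not part of the original article) sorts the app's classes into review buckets and diffs two snapshots to surface classes that were loaded dynamically. The keyword lists, the short-name heuristic, the 15-second delay and the sample class names are assumptions chosen for illustration.

```javascript
// triage_classes.js (added example): the package name, keyword lists and SAMPLE are assumptions.
const KEYWORDS = {
  crypto: /cipher|crypt|keystore|hmac|digest/i,
  network: /http|socket|retrofit|tls|ssl/i,
  auth: /auth|login|token|session|credential/i,
};
// Constructed class list so the script also runs under plain Node, without a device.
const SAMPLE = [
  'java.lang.String', 'com.example.targetapp.MySecretManager',
  'com.example.targetapp.net.HttpClientWrapper', 'com.example.targetapp.a.b',
];
// Heuristic: a 1-2 letter lowercase simple name (a, ab, a$b) is typical of ProGuard/DexGuard renaming.
function looksObfuscated(className) {
  const simple = className.slice(className.lastIndexOf('.') + 1);
  return /^[a-z]{1,2}(\$[a-z0-9]{1,2})*$/.test(simple);
}

// Group the app's own classes by topic so a long enumeration becomes a short review list.
function triage(classNames, packageName) {
  const report = { crypto: [], network: [], auth: [], obfuscated: [], other: [] };
  for (const name of classNames) {
    if (!name.startsWith(packageName + '.')) continue; // framework and look-alike packages
    if (looksObfuscated(name)) { report.obfuscated.push(name); continue; }
    const tail = name.slice(packageName.length); // match keywords outside the package prefix
    const topic = Object.keys(KEYWORDS).find((k) => KEYWORDS[k].test(tail));
    report[topic || 'other'].push(name);
  }
  return report;
}

// Names in `after` that were absent from `before`: classes loaded between two snapshots.
function newlyLoaded(before, after) {
  const seen = new Set(before);
  return after.filter((name) => !seen.has(name));
}

if (typeof Java !== 'undefined') { // inside Frida: snapshot now and again after 15 s of use
  Java.perform(() => {
    const pkg = 'com.example.targetapp';
    const first = Java.enumerateLoadedClassesSync();
    console.log(JSON.stringify(triage(first, pkg), null, 2));
    setTimeout(() => Java.perform(() => {
      const late = newlyLoaded(first, Java.enumerateLoadedClassesSync());
      console.log('[*] Loaded since first snapshot: ' + JSON.stringify(triage(late, pkg), null, 2));
    }), 15000);
  });
} else {
  console.log(JSON.stringify(triage(SAMPLE, 'com.example.targetapp'), null, 2));
}
```

Loaded with `frida -l`, the script prints the first report at spawn and a second one covering only classes that appeared while you exercised the app; run under Node, it triages the constructed sample instead.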

3. Enumerating Methods for a Specific Class

Once you’ve identified an interesting class, you can list its methods using `Java.use()` and Java reflection on the wrapper’s `.class` object (`getDeclaredConstructors()` and `getDeclaredMethods()`).

```javascript
// list_methods.js
Java.perform(function() {
    var targetClassName = "com.example.targetapp.MySecretManager"; // Replace with an interesting class name
    try {
        // Java.use() returns a wrapper; .class is the underlying java.lang.Class object
        var clazz = Java.use(targetClassName).class;
        console.log("[*] Listing methods for class: " + targetClassName);
        // Reflection returns everything the class itself declares, whatever its visibility
        [clazz.getDeclaredConstructors(), clazz.getDeclaredMethods()].forEach(function(members) {
            for (var i = 0; i < members.length; i++) {
                console.log("[+] Method: " + members[i].toString());
            }
        });
        console.log("[*] Method enumeration complete.");
    } catch (e) {
        console.error("[-] Error enumerating class or methods: " + e.message);
    }
});
```

```bash
frida -U -l list_methods.js -f com.example.targetapp --no-pause
```

This script will give you a clear view of all the methods defined within `MySecretManager`, including constructors, private, and public methods. Methods inherited from parent classes are not listed.

Method 2: Streamlining with Objection

While Frida scripts offer ultimate flexibility, Objection acts as a powerful runtime mobile exploration toolkit built on top of Frida. It provides a user-friendly command-line interface to perform common RE tasks, including class and method enumeration, without writing custom JavaScript.

1. Connecting to the Application

Launch Objection and attach to your target application. If the app is not running, Objection can spawn it:

```bash
objection -g com.example.targetapp explore
```

This command will spawn `com.example.targetapp` (if not running) and attach Objection to it, dropping you into an interactive shell.

2. Listing All Classes

To get a list of all classes loaded in the application’s memory:

```
android hooking list classes
```

Similar to the Frida script, this will output a very long list. You can pipe the output to a file or scroll through it.

3. Searching for Specific Classes

Objection’s `android hooking search classes` command is incredibly useful for finding classes matching a specific keyword or pattern:

```
android hooking search classes secret
android hooking search classes encryption
```

This will return all class names containing
