Author: admin

Deep Dive: Reverse Engineering Android Intents with Frida for Security Audits

Introduction to Android Intents and Security

Android Intents are powerful messaging objects that facilitate communication between different components of an application or between separate applications. They serve various purposes: starting activities, services, or broadcasting events. While essential for Android’s modular architecture, improper handling of Intents can introduce significant security vulnerabilities, including sensitive data leakage, unauthorized component invocation, and Intent hijacking. Understanding how an application constructs and dispatches Intents is crucial for effective security auditing.

Why Frida for Dynamic Intent Analysis?

Static analysis alone often falls short when dealing with the dynamic nature of Android Intents, especially when data is constructed at runtime or when conditional logic dictates Intent behavior. Frida, a dynamic instrumentation toolkit, allows security researchers to inject custom scripts into running processes on Android devices. This capability makes Frida an indispensable tool for intercepting, inspecting, and even modifying Intents in real-time, offering unparalleled insight into an app’s runtime communication patterns.

Setting Up Your Environment

Prerequisites

An Android device or emulator (rooted is preferable for full Frida capabilities, though not strictly required for user apps).
Android Debug Bridge (ADB) installed and configured on your host machine.
Python 3 installed on your host machine.
Frida command-line tools installed.
Frida server binary for your target Android architecture.

Installation Steps

Install Frida tools:
```
pip install frida-tools
```
Download Frida server: Visit the Frida releases page and download the `frida-server-*-android-ARCH.xz` file matching your device’s architecture (e.g., `arm64`, `x86`).

Push and run Frida server on your device:

# Extract the server binaryadb push /path/to/frida-server /data/local/tmp/# Make it executableadb shell "chmod 755 /data/local/tmp/frida-server"# Run the server in the backgroundadb shell "/data/local/tmp/frida-server &"

Verify the server is running by listing processes:

frida-ps -U

You should see a list of processes from your connected device.

Dissecting Android Intent Hooks with Frida

The core idea is to hook the methods responsible for dispatching Intents. Key methods include those in `android.content.ContextWrapper` and `android.app.Activity` which call `startActivity`, `sendBroadcast`, and `startService`.

Core Intent Classes to Target

android.content.Intent: The Intent object itself, holding all the data.
android.content.ContextWrapper: A common base class for `Context` implementations (like `Activity` and `Service`) that provides methods for interacting with the Android system, including Intent dispatch.
android.os.Bundle: Used for storing extra data within an Intent.

Intercepting `startActivity` Calls

We’ll target the `startActivity` method, commonly found in `ContextWrapper`. This method is invoked when an application component wants to launch another activity.

Java.perform(function () {    var Intent = Java.use('android.content.Intent');    var Bundle = Java.use('android.os.Bundle');    var ContextWrapper = Java.use('android.content.ContextWrapper');    console.log('[*] Frida script loaded successfully');    ContextWrapper.startActivity.overload('android.content.Intent').implementation = function (intent) {        printIntentDetails('startActivity', intent);        return this.startActivity(intent);    };    ContextWrapper.startActivity.overload('android.content.Intent', 'android.os.Bundle').implementation = function (intent, options) {        printIntentDetails('startActivity (with options)', intent);        if (options) {            console.log('    Options (Bundle): ' + bundleToString(options));        }        return this.startActivity(intent, options);    };    // Helper function to print Intent details    function printIntentDetails(methodName, intent) {        console.log('n[*] Caught ' + methodName + ' call:');        console.log('    Action: ' + intent.getAction());        console.log('    Data: ' + intent.getDataString());        var component = intent.getComponent();        if (component) {            console.log('    Component: ' + component.getPackageName() + '/' + component.getClassName());        } else {            console.log('    Component: null (Implicit Intent)');        }        var categories = intent.getCategories();        if (categories) {            console.log('    Categories: ' + categories.toString());        }        console.log('    Flags: 0x' + intent.getFlags().toString(16));        var extras = intent.getExtras();        if (extras) {            console.log('    Extras (Bundle): ' + bundleToString(extras));        } else {            console.log('    Extras: No extras found.');        }    }    // Helper function to convert Bundle to string    function bundleToString(bundle) {        if (bundle === null) {            return 'null';        }        var sb = Java.use('java.lang.StringBuilder').$new();        sb.append('{');        var first = true;        var keySet = bundle.keySet();        var iterator = keySet.iterator();        while (iterator.hasNext()) {            if (!first) {                sb.append(', ');            }            var key = iterator.next();            var value = bundle.get(key);            sb.append(key).append('=').append(value ? value.toString() : 'null');            first = false;        }        sb.append('}');        return sb.toString();    }});

Handling Broadcast Intents

Broadcast Intents are used for system-wide or app-specific events. We can hook `sendBroadcast` in a similar fashion:

// ... inside Java.perform(function () { ...}var Context = Java.use('android.content.Context');Context.sendBroadcast.overload('android.content.Intent').implementation = function (intent) {    printIntentDetails('sendBroadcast', intent);    return this.sendBroadcast(intent);};Context.sendBroadcast.overload('android.content.Intent', 'java.lang.String').implementation = function (intent, receiverPermission) {    printIntentDetails('sendBroadcast (with permission)', intent);    console.log('    Required Permission: ' + receiverPermission);    return this.sendBroadcast(intent, receiverPermission);};

Building a Comprehensive Frida Script for Intent Monitoring

Combining the above, we create a robust script. Save this as `intent_monitor.js`:

Java.perform(function () {    var Intent = Java.use('android.content.Intent');    var Bundle = Java.use('android.os.Bundle');    var ContextWrapper = Java.use('android.content.ContextWrapper');    var Context = Java.use('android.content.Context');    console.log('[*] Frida script loaded: Monitoring Android Intents');    // Hook startActivity methods    ContextWrapper.startActivity.overload('android.content.Intent').implementation = function (intent) {        printIntentDetails('startActivity', intent, this.$className);        return this.startActivity(intent);    };    ContextWrapper.startActivity.overload('android.content.Intent', 'android.os.Bundle').implementation = function (intent, options) {        printIntentDetails('startActivity (with options)', intent, this.$className);        if (options) {            console.log('    Options (Bundle): ' + bundleToString(options));        }        return this.startActivity(intent, options);    };    // Hook sendBroadcast methods    Context.sendBroadcast.overload('android.content.Intent').implementation = function (intent) {        printIntentDetails('sendBroadcast', intent, this.$className);        return this.sendBroadcast(intent);    };    Context.sendBroadcast.overload('android.content.Intent', 'java.lang.String').implementation = function (intent, receiverPermission) {        printIntentDetails('sendBroadcast (with permission)', intent, this.$className);        console.log('    Required Permission: ' + receiverPermission);        return this.sendBroadcast(intent, receiverPermission);    };    // Helper function to print Intent details    function printIntentDetails(methodName, intent, callerClass) {        console.log('n[+] Intercepted ' + methodName + ' from: ' + callerClass);        console.log('    Action: ' + intent.getAction());        console.log('    Data: ' + intent.getDataString());        var component = intent.getComponent();        if (component) {            console.log('    Component: ' + component.getPackageName() + '/' + component.getClassName());        } else {            console.log('    Component: null (Implicit Intent)');        }        var categories = intent.getCategories();        if (categories) {            console.log('    Categories: ' + categories.toString());        }        console.log('    Flags: 0x' + intent.getFlags().toString(16));        var extras = intent.getExtras();        if (extras) {            console.log('    Extras (Bundle): ' + bundleToString(extras));        } else {            console.log('    Extras: No extras found.');        }    }    // Helper function to convert Bundle to string    function bundleToString(bundle) {        if (bundle === null) {            return 'null';        }        var sb = Java.use('java.lang.StringBuilder').$new();        sb.append('{');        var first = true;        var keySet = bundle.keySet();        var iterator = keySet.iterator();        while (iterator.hasNext()) {            if (!first) {                sb.append(', ');            }            var key = iterator.next();            var value = bundle.get(key);            sb.append(key).append('=').append(value ? value.toString() : 'null');            first = false;        }        sb.append('}');        return sb.toString();    }});

To run this script against an application (e.g., `com.example.app`):

frida -U -l intent_monitor.js -f com.example.app --no-pause

Then interact with the app. You’ll see detailed Intent information printed to your console whenever `startActivity` or `sendBroadcast` is called.

Practical Security Audit Applications

This dynamic analysis technique is invaluable for several security audit scenarios:

Sensitive Data Leakage

By inspecting the `Extras (Bundle)` section of intercepted Intents, you can identify if sensitive information (e.g., user credentials, tokens, PII) is being passed between components or even to external applications without proper encryption or access control. This often happens inadvertently through implicit Intents or when third-party SDKs are integrated.
Unintended Component Exposure

Analyze implicit Intents (where `Component` is `null`). If an application sends an implicit Intent with a broad action or category, it might inadvertently invoke an unintended or malicious component installed on the user’s device, leading to Intent hijacking or privilege escalation. Conversely, check explicit Intents to ensure they are targeting the correct, internal components and not external ones that might mimic internal interfaces.
Insecure Broadcasts

Monitor `sendBroadcast` calls. If a broadcast contains sensitive data and lacks a required permission (`receiverPermission` is `null` or too permissive), any app on the device can register a receiver and access that data.
Misconfigured Intent Flags

Examine the `Flags` field. Certain flags, like `FLAG_GRANT_READ_URI_PERMISSION`, can broaden access to URIs without proper validation, potentially exposing file system access. Understanding the context of these flags is crucial.
Third-Party Library Behavior

Many applications integrate third-party libraries for analytics, ads, or other functionalities. Frida allows you to observe how these libraries interact with the Android system via Intents, uncovering potential privacy concerns or vulnerabilities introduced by external code.

Conclusion

Frida provides a powerful, dynamic lens through which to examine Android Intent communications. By actively hooking and inspecting Intents at runtime, security auditors can uncover a wide array of vulnerabilities that might be missed by static analysis alone. This deep dive into Intent reverse engineering empowers researchers to identify sensitive data exposures, unintended component interactions, and insecure broadcasting practices, ultimately contributing to more robust and secure Android applications. Integrating Frida into your Android penetration testing methodology will significantly enhance your ability to perform thorough and effective security audits.

May 30, 2026

Behind the Scenes: How Android SharedPreferences Work & How Frida Hooks Them
Introduction to Android SharedPreferences

Android’s SharedPreferences API provides a lightweight mechanism for applications to store and retrieve small amounts of primitive data. This data persists across user sessions and application restarts, making it ideal for preferences, settings, and other non-critical information. While seemingly simple, understanding its underlying mechanics and potential security pitfalls is crucial for both developers and penetration testers.

What are SharedPreferences?

At its core, SharedPreferences stores data in XML files within the application’s private data directory (typically /data/data/<package_name>/shared_prefs/). Each set of preferences corresponds to a distinct XML file. By default, these files are only accessible by the application that created them, thanks to Android’s sandbox security model. However, on a rooted device, or if the app is debuggable, these files can be directly inspected, revealing stored values.

How Apps Use SharedPreferences

Applications interact with SharedPreferences through the getSharedPreferences() method from a Context object, specifying a name for the preference file and a mode (e.g., MODE_PRIVATE). To write data, an Editor object is obtained, values are put, and then apply() or commit() is called. To read, direct getter methods like getString() or getInt() are used.

Here’s a typical pattern in Kotlin:
```
// Writing to SharedPreferencesfun saveUserData(context: Context, username: String, token: String) {    val sharedPrefs = context.getSharedPreferences("user_data", Context.MODE_PRIVATE)    val editor = sharedPrefs.edit()    editor.putString("username", username)    editor.putString("auth_token", token)    editor.apply() // Asynchronous write} // Reading from SharedPreferencesfun getUserData(context: Context): Pair<String?, String?> {    val sharedPrefs = context.getSharedPreferences("user_data", Context.MODE_PRIVATE)    val username = sharedPrefs.getString("username", null)    val token = sharedPrefs.getString("auth_token", null)    return Pair(username, token)}
```
Security Considerations of SharedPreferences

Common Misconceptions and Vulnerabilities

Despite being app-private, SharedPreferences are not inherently secure for sensitive data. They are stored unencrypted by default within the app’s sandboxed environment. This leads to several common vulnerabilities:
- Rooted Devices: On a rooted Android device, the preference XML files can be directly accessed and modified by any user with root privileges.
- Backup Mechanisms: If Android’s backup features are enabled, SharedPreferences can be backed up to external storage or cloud services, potentially exposing data.
- World-Readable Mode: While less common now, historically, developers sometimes used MODE_WORLD_READABLE, making the preferences accessible to other applications (now deprecated).
- Forensic Analysis: During forensic analysis of a device or an application’s data directory, preference files are easily extractable.
Therefore, storing sensitive information like authentication tokens, API keys, or personal identifiable information (PII) directly in SharedPreferences is highly discouraged without proper encryption at the application layer.

Introduction to Frida for Android Hooking

What is Frida?

Frida is a dynamic instrumentation toolkit that allows developers, security researchers, and reverse engineers to inject snippets of JavaScript or custom C code into running processes. For Android, this means you can attach to an application, inspect its memory, hook functions, modify behavior, and observe its runtime activities without recompiling the APK. It’s an indispensable tool for penetration testing and reverse engineering Android applications.

Frida Setup (Brief)

To use Frida, you typically need:
1. A rooted Android device or emulator.
2. The frida-server binary running on the Android device.
3. The frida-tools Python package installed on your host machine.
Once frida-server is running (e.g., adb push frida-server /data/local/tmp/frida-server && adb shell "chmod 755 /data/local/tmp/frida-server && /data/local/tmp/frida-server &"), you can interact with processes using frida or frida-trace from your host.

Frida Hooking SharedPreferences

Identifying Target Methods

To intercept SharedPreferences access, we need to target key methods within the android.content.SharedPreferences and android.content.SharedPreferences.Editor classes. The most relevant methods for read/write operations are:
- android.content.SharedPreferences.getString(java.lang.String key, java.lang.String defValue)
- android.content.SharedPreferences.Editor.putString(java.lang.String key, java.lang.String value)
- android.content.SharedPreferences.Editor.apply()
- android.content.SharedPreferences.Editor.commit()
By hooking these methods, we can observe what keys are being accessed, what values are being written, and even modify them on the fly.

Writing a Frida Script to Intercept SharedPreferences Access

The following Frida script demonstrates how to hook these critical SharedPreferences methods. It will log every attempt to read or write a string value, and every time an edit operation is applied or committed.
```
Java.perform(function() {    console.log("[+] Starting SharedPreferences Hooking Script");    // Hook SharedPreferences.Editor for write operations    var SharedPreferencesEditor = Java.use("android.content.SharedPreferences$Editor");    SharedPreferencesEditor.putString.implementation = function(key, value) {        console.log("[SharedPreferences WRITE] Key: " + key + ", Value: " + value);        var retval = this.putString(key, value);        return retval;    };    SharedPreferencesEditor.apply.implementation = function() {        console.log("[SharedPreferences APPLY] Changes applied.");        return this.apply();    };    SharedPreferencesEditor.commit.implementation = function() {        console.log("[SharedPreferences COMMIT] Changes committed.");        return this.commit();    };    // Hook SharedPreferences for read operations    var SharedPreferences = Java.use("android.content.SharedPreferences");    SharedPreferences.getString.implementation = function(key, defValue) {        var readValue = this.getString(key, defValue);        console.log("[SharedPreferences READ] Key: " + key + ", Read Value: " + readValue + ", Default: " + defValue);        return readValue;    };    console.log("[+] SharedPreferences Hooks Applied");});
```
Practical Demonstration

Setting up the Environment

Ensure your Android device is connected via ADB and frida-server is running. Save the above Frida script as sp_hook.js on your host machine.

Running the Frida Script

To attach Frida to a running application, you need its package name. Let’s assume the target app is com.example.myapp. You can then execute the Frida script using the following command:
```
frida -U -f com.example.myapp -l sp_hook.js --no-pause
```
- -U: Connect to a USB device.
- -f com.example.myapp: Spawn and attach to the specified package name.
- -l sp_hook.js: Load the Frida script.
- --no-pause: Start the application immediately after injecting the script.
Once the command runs, interact with com.example.myapp. For instance, if the app has a login screen that saves a session token or a settings screen that stores user preferences, perform actions that would trigger SharedPreferences read or write operations. You will observe output similar to this in your terminal:
```
[+] Starting SharedPreferences Hooking Script[+] SharedPreferences Hooks Applied[SharedPreferences WRITE] Key: username, Value: testuser[SharedPreferences WRITE] Key: auth_token, Value: d24f5a...[SharedPreferences APPLY] Changes applied.[SharedPreferences READ] Key: username, Read Value: testuser, Default: null[SharedPreferences READ] Key: app_language, Read Value: en, Default: en
```
This output provides real-time visibility into the application’s use of SharedPreferences, revealing the keys and values being handled. This is incredibly useful for identifying where sensitive data might be stored or simply understanding an application’s internal logic.

Conclusion

Understanding how Android SharedPreferences work is fundamental for both secure application development and effective penetration testing. While convenient, their default unencrypted storage makes them unsuitable for highly sensitive data without additional application-level encryption. Frida provides a powerful and flexible way to dynamically inspect and manipulate SharedPreferences operations, offering invaluable insights into an application’s data handling and potential vulnerabilities. By applying these hooking techniques, security researchers can efficiently uncover insecure data storage practices and advise on remediation strategies.
May 30, 2026
Mastering Frida: Building a Universal Shared Preferences Interceptor for Android
Introduction to Frida and Shared Preferences Interception

Frida is an unparalleled dynamic instrumentation toolkit that allows developers and security researchers to inject JavaScript snippets into native apps on Windows, macOS, Linux, iOS, Android, and QNX. Its powerful API provides direct access to app memory, functions, and objects, enabling runtime manipulation and analysis. For Android penetration testing, Frida is a game-changer, offering deep insights into an application’s behavior without requiring source code modifications or recompilation.

Android’s Shared Preferences provide a lightweight mechanism for applications to store private primitive data in key-value pairs. While convenient for developers, they often become a repository for sensitive information such as API keys, session tokens, user settings, or even flags controlling application features. Intercepting access to Shared Preferences can reveal critical data or allow for runtime manipulation, making it a crucial technique in Android app analysis and penetration testing.

This article will guide you through building a universal Frida script to intercept all read and write operations on Android’s Shared Preferences. We’ll cover identifying the relevant Android APIs, crafting Frida hooks for methods like getSharedPreferences, Editor.put*, Editor.apply/commit, and SharedPreferences.get*, and finally, deploying the script to observe an application’s behavior in real-time.

Prerequisites and Setup

Before diving into the code, ensure you have the following tools and a basic understanding of their usage:

Essential Tools
- Frida-server: Running on your Android device or emulator.
- Frida-tools: Installed on your host machine (e.g., pip install frida-tools).
- ADB (Android Debug Bridge): For interacting with your Android device.
- Python: For running Frida scripts and managing tools.
If you haven’t set up Frida on your device, here’s a quick recap:
```
# Download the correct frida-server for your device's architecture (e.g., arm64) from GitHub.

# Example for arm64:

adb push frida-server-*-android-arm64 /data/local/tmp/frida-server

adb shell
```
May 30, 2026
Frida Deep Dive: Intercepting Android Shared Preferences Access at Runtime Introduction: The Importance of Shared Preferences in Android Security Analysis Android applications frequently use Shared Preferences to store small amounts of primitive data, such as user settings, session tokens, feature flags, or even sensitive information like API keys or authentication tokens. While not designed for robust security, developers often inadvertently or intentionally store data here that becomes a prime target for reverse engineers and penetration testers. Understanding how and when an application reads from or writes to Shared Preferences at runtime can reveal critical insights into its logic, potential vulnerabilities, and sensitive data handling. Frida, a dynamic instrumentation toolkit, provides unparalleled capabilities for runtime analysis of Android applications. By injecting a JavaScript engine into the target process, Frida allows us to hook into native functions, Java methods, and even modify application logic on the fly. This deep dive focuses on using Frida to effectively intercept and monitor all Shared Preferences interactions, offering a powerful technique for Android app penetration testing. Setting Up Your Environment for Frida Hooking Prerequisites Rooted Android Device or Emulator: Frida requires root privileges to inject into system processes. ADB (Android Debug Bridge): Essential for connecting to your device and transferring files. Frida-server: The Frida component that runs on the Android device. Frida-tools: Python tools for controlling Frida from your host machine. Install via pip install frida-tools. Frida Server Installation First, download the appropriate frida-server binary for your device’s architecture (e.g., arm64 for most modern Android devices) from Frida’s GitHub releases page. Then, push it to your device and run it: adb push frida-server-/data/local/tmp/ adb shell "chmod 755 /data/local/tmp/frida-server-" adb shell "/data/local/tmp/frida-server- &" Verify Frida-server is running and detectable: frida-ps -U This command should list processes running on your USB-connected device. Understanding Android Shared Preferences Architecture In Android, Shared Preferences are managed through the android.content.SharedPreferences interface. Applications obtain an instance of this interface typically via Context.getSharedPreferences(String name, int mode). The name parameter specifies the XML file name where the preferences are stored, and mode defines access permissions (e.g., MODE_PRIVATE). Once an instance is obtained, data is read using methods like getString(), getInt(), getBoolean(), etc., and written using an Editor obtained via edit(), followed by putString(), putInt(), and finally commit() or apply() to save changes. Frida Script: Intercepting All Shared Preferences Access We will craft a comprehensive Frida script that hooks into the key methods involved in Shared Preferences management. This single script will allow us to observe when Shared Preferences files are opened, what data is being read, what data is being written, and when those changes are committed or applied. Java.perform(function() { console.log("[*] Frida script loaded: Monitoring Shared Preferences."); // --- Hooking Context.getSharedPreferences() to identify files --- const Context = Java.use("android.content.Context"); Context.getSharedPreferences.overload('java.lang.String', 'int').implementation = function(name, mode) { console.log("[SP Discovery] getSharedPreferences called: File='" + name + "', Mode='" + mode + "'"); return this.getSharedPreferences(name, mode); }; // --- Hooking SharedPreferences for read operations --- const SharedPreferences = Java.use("android.content.SharedPreferences"); SharedPreferences.getString.overload('java.lang.String', 'java.lang.String').implementation = function(key, defValue) { let actualValue = this.getString(key, defValue); console.log("[SP Read] File='" + this.toString() + "' Key='" + key + "', Value='" + actualValue + "', Default='" + defValue + "'"); // Example: Modify return value on the fly // if (key === "isPremiumUser") { return "true"; } return actualValue; }; SharedPreferences.getInt.overload('java.lang.String', 'int').implementation = function(key, defValue) { let actualValue = this.getInt(key, defValue); console.log("[SP Read] File='" + this.toString() + "' Key='" + key + "', Value='" + actualValue + "', Default='" + defValue + "'"); return actualValue; }; SharedPreferences.getBoolean.overload('java.lang.String', 'boolean').implementation = function(key, defValue) { let actualValue = this.getBoolean(key, defValue); console.log("[SP Read] File='" + this.toString() + "' Key='" + key + "', Value='" + actualValue + "', Default='" + defValue + "'"); return actualValue; }; SharedPreferences.getFloat.overload('java.lang.String', 'float').implementation = function(key, defValue) { let actualValue = this.getFloat(key, defValue); console.log("[SP Read] File='" + this.toString() + "' Key='" + key + "', Value='" + actualValue + "', Default='" + defValue + "'"); return actualValue; }; SharedPreferences.getLong.overload('java.lang.String', 'long').implementation = function(key, defValue) { let actualValue = this.getLong(key, defValue); console.log("[SP Read] File='" + this.toString() + "' Key='" + key + "', Value='" + actualValue + "', Default='" + defValue + "'"); return actualValue; }; // Note: getStringSet is less common but can be hooked similarly // SharedPreferences.getStringSet.overload('java.lang.String', 'java.util.Set').implementation = function(key, defValue) { // let actualValue = this.getStringSet(key, defValue); // console.log("[SP Read] File='" + this.toString() + "' Key='" + key + "', Value='" + actualValue + "', Default='" + defValue + "'"); // return actualValue; // }; // --- Hooking SharedPreferences.Editor for write operations and commit/apply --- const Editor = Java.use("android.content.SharedPreferences$Editor"); Editor.putString.overload('java.lang.String', 'java.lang.String').implementation = function(key, value) { console.log("[SP Write] Key='" + key + "', Value='" + value + "'"); // Example: Modify value before it's written // if (key === "sessionToken") { value = "HOOKED_TOKEN_12345"; } return this.putString(key, value); }; Editor.putInt.overload('java.lang.String', 'int').implementation = function(key, value) { console.log("[SP Write] Key='" + key + "', Value='" + value + "'"); return this.putInt(key, value); }; Editor.putBoolean.overload('java.lang.String', 'boolean').implementation = function(key, value) { console.log("[SP Write] Key='" + key + "', Value='" + value + "'"); return this.putBoolean(key, value); }; Editor.putFloat.overload('java.lang.String', 'float').implementation = function(key, value) { console.log("[SP Write] Key='" + key + "', Value='" + value + "'"); return this.putFloat(key, value); }; Editor.putLong.overload('java.lang.String', 'long').implementation = function(key, value) { console.log("[SP Write] Key='" + key + "', Value='" + value + "'"); return this.putLong(key, value); }; // Hook commit for synchronous saves Editor.commit.implementation = function() { console.log("[SP Commit] Changes committed synchronously."); return this.commit(); }; // Hook apply for asynchronous saves Editor.apply.implementation = function() { console.log("[SP Apply] Changes applied asynchronously."); this.apply(); }; // Hook clear to detect data removal Editor.clear.implementation = function() { console.log("[SP Clear] All preferences cleared."); return this.clear(); }; // Hook remove to detect specific key removal Editor.remove.overload('java.lang.String').implementation = function(key) { console.log("[SP Remove] Key='" + key + "' removed."); return this.remove(key); }; }); Executing the Frida Script Save the above JavaScript code as sp_monitor.js. Then, launch your target application with Frida, injecting the script: frida -U -f com.your.package.name -l sp_monitor.js --no-pause Replace com.your.package.name with the actual package name of the Android application you are testing. The -f flag spawns the application and --no-pause ensures it runs immediately. As you interact with the app, you will see detailed logs in your terminal showing every Shared Preferences interaction. Understanding the Script’s Output [SP Discovery]: Indicates when getSharedPreferences is called, revealing the names of preference files (e.g., my_app_prefs.xml) and their access modes. [SP Read]: Logs every attempt to read a value from Shared Preferences, including the key, the actual value retrieved, and the default value provided. The this.toString() call attempts to provide context about which SharedPreferences object is being accessed, which often includes the file name. [SP Write]: Captures calls to putString, putInt, etc., showing the key and the value being prepared for storage. [SP Commit] / [SP Apply]: Notifies you when changes made through the Editor are saved to disk (commit synchronously, apply asynchronously). [SP Clear] / [SP Remove]: Alerts when all preferences are cleared or a specific key is removed. Advanced Considerations and Use Cases Filtering Output: For verbose applications, you might want to filter the output based on specific preference file names or keys to focus on sensitive data. This can be done by adding conditional checks within your Frida hooks (e.g., if (name === "sensitive_config") { ... }). Modifying Values On-the-Fly: The true power of Frida lies in its ability to alter application behavior. Within the implementation block of read hooks (e.g., getString), you can return a modified value instead of the original one. Similarly, in write hooks (e.g., putString), you can change the value argument before passing it to this.putString(key, value), effectively injecting data into the app’s preferences. This is crucial for bypassing license checks, feature flags, or injecting test data. Revealing Hidden Logic: By observing the exact sequence of reads and writes, you can reconstruct the application’s internal state management. This is invaluable when static analysis falls short, especially with obfuscated code. Detecting Sensitive Data: Look for keys like token, apiKey, password, jwt, sessionId, or custom key names that might indicate sensitive data. Intercepting their values at runtime confirms their presence and allows for extraction. Conclusion Intercepting Shared Preferences access at runtime with Frida is an indispensable technique for Android application penetration testing and reverse engineering. It provides dynamic visibility into an app’s configuration, sensitive data storage, and behavioral logic that static analysis alone cannot offer. By mastering these hooking techniques, you can effectively monitor, analyze, and even manipulate an application’s internal state, uncovering vulnerabilities and understanding its inner workings with expert precision. May 30, 2026
From Zero to Hero: Practical Guide to Frida Hooking Android SharedPreferences Introduction to Android SharedPreferences and Frida Android applications frequently store small collections of key-value data using SharedPreferences. This mechanism is often used for user settings, session tokens, flags, or other non-sensitive information. However, security misconfigurations can lead to sensitive data being stored here, making it a prime target during penetration testing. Frida, a dynamic instrumentation toolkit, provides an unparalleled ability to hook into application runtime and observe or manipulate calls to Android APIs, including SharedPreferences. This guide will take you through the practical steps of using Frida to intercept and manipulate Android SharedPreferences access, from enumerating preference files to logging and modifying read/write operations. By the end, you’ll be equipped to leverage Frida for deep analysis of an app’s data storage patterns. Prerequisites A rooted Android device or an emulator (e.g., Android Studio AVD, Genymotion) Frida server running on the Android device/emulator Frida-tools installed on your host machine (pip install frida-tools) Basic understanding of Android application structure and Java/Kotlin A target Android application to test against (or a simple test app you create) Understanding Android SharedPreferences SharedPreferences allow applications to save and retrieve persistent key-value pairs of primitive data types. This data is stored in XML files within the application’s private data directory (typically /data/data/com.example.app/shared_prefs/). An application can create multiple SharedPreferences files, each identified by a unique name. Key methods involved: Context.getSharedPreferences(String name, int mode): Retrieves a SharedPreferences instance for the given name and mode. SharedPreferences.getString(String key, String defValue): Retrieves a string value from the preferences. SharedPreferences.Editor.putString(String key, String value): Writes a string value to the editor. SharedPreferences.Editor.apply() or SharedPreferences.Editor.commit(): Saves the changes made to the editor back to the SharedPreferences file. Setting up Frida Ensure Frida server is running on your Android device. First, find the correct Frida server binary for your device’s architecture (e.g., frida-server-*-android-arm64) from the Frida releases page. Push it to the device and execute it: adb push frida-server /data/local/tmp/frida-server adb shell "chmod 755 /data/local/tmp/frida-server" adb shell "/data/local/tmp/frida-server &" Verify Frida is running by listing processes from your host machine: frida-ps -U Hooking Context.getSharedPreferences to Enumerate Files The first step in understanding an app’s SharedPreferences usage is to identify which files it interacts with. We can hook Context.getSharedPreferences to log the name of each preference file requested. Frida Script: enumerate_prefs.js Java.perform(function () { var Context = Java.use("android.content.Context"); Context.getSharedPreferences.overload("java.lang.String", "int").implementation = function (name, mode) { console.log("[+] getSharedPreferences called for name: " + name + ", mode: " + mode); return this.getSharedPreferences(name, mode); }; console.log("[*] SharedPreferences enumeration hook loaded."); }); Running the script: frida -U -l enumerate_prefs.js -f com.example.targetapp --no-pause Replace com.example.targetapp with the package name of your target application. As the app runs, you’ll see output similar to: [+] getSharedPreferences called for name: my_app_prefs, mode: 0 [+] getSharedPreferences called for name: user_settings, mode: 0 Hooking Read Operations: Intercepting Data Retrieval Once you know the SharedPreferences files, the next step is to observe what data is being read from them. We’ll focus on getString but the principle applies to getInt, getBoolean, etc. Frida Script: log_prefs_read.js Java.perform(function () { var SharedPreferences = Java.use("android.content.SharedPreferences"); // Hook getString SharedPreferences.getString.overload("java.lang.String", "java.lang.String").implementation = function (key, defValue) { var value = this.getString(key, defValue); var spName = this.toString().match(/.*?Impl{(.*?)}/)[1] || 'UNKNOWN'; // Extract SP name from toString() console.log("[+] SharedPreferences READ from " + spName + " - Key: " + key + ", Value: " + value + ", Default: " + defValue); return value; }; // Hook getInt, getBoolean, etc. similarly if needed SharedPreferences.getInt.overload("java.lang.String", "int").implementation = function (key, defValue) { var value = this.getInt(key, defValue); var spName = this.toString().match(/.*?Impl{(.*?)}/)[1] || 'UNKNOWN'; console.log("[+] SharedPreferences READ from " + spName + " - Key: " + key + ", Value: " + value + ", Default: " + defValue); return value; }; console.log("[*] SharedPreferences read hook loaded."); }); Note: Extracting the actual SharedPreferences file name from this (the SharedPreferences object) can be tricky. The toString() method often contains enough information to infer it for standard implementations. For custom implementations, you might need a more involved approach, such as hooking Context.getSharedPreferences, storing the returned instances in a map, and then looking them up. For this guide, a simple regex against toString() is sufficient for most cases. Running the script: frida -U -l log_prefs_read.js -f com.example.targetapp --no-pause You’ll see output like: [+] SharedPreferences READ from my_app_prefs - Key: username, Value: testuser, Default: null [+] SharedPreferences READ from user_settings - Key: enable_notifications, Value: true, Default: false Hooking Write Operations: Intercepting and Modifying Data Storage Observing write operations allows you to understand what data an app intends to store. You can also dynamically modify this data before it’s committed, potentially bypassing security checks or injecting malicious settings. Frida Script: intercept_prefs_write.js Java.perform(function () { var SharedPreferencesEditor = Java.use("android.content.SharedPreferences$Editor"); // Hook putString SharedPreferencesEditor.putString.overload("java.lang.String", "java.lang.String").implementation = function (key, value) { console.log("[+] SharedPreferences WRITE (putString) - Key: " + key + ", Original Value: " + value); // Example: Modify a specific value if (key === "session_token" && value !== "MY_MODIFIED_TOKEN") { console.warn("[!] Modifying session_token from: " + value + " to: MY_MODIFIED_TOKEN"); value = "MY_MODIFIED_TOKEN"; } return this.putString(key, value); }; // Hook apply() and commit() to know when changes are saved SharedPreferencesEditor.apply.implementation = function () { console.log("[+] SharedPreferences Editor: apply() called. Changes saved asynchronously."); return this.apply(); }; SharedPreferencesEditor.commit.implementation = function () { console.log("[+] SharedPreferences Editor: commit() called. Changes saved synchronously."); return this.commit(); }; console.log("[*] SharedPreferences write hook loaded."); }); Running the script: frida -U -l intercept_prefs_write.js -f com.example.targetapp --no-pause When the app attempts to write data, you will see output like: [+] SharedPreferences WRITE (putString) - Key: username, Original Value: newuser [+] SharedPreferences Editor: apply() called. Changes saved asynchronously. If you’ve implemented the modification logic, you’ll also see: [+] SharedPreferences WRITE (putString) - Key: session_token, Original Value: original_token_xyz [!] Modifying session_token from: original_token_xyz to: MY_MODIFIED_TOKEN [+] SharedPreferences Editor: commit() called. Changes saved synchronously. This demonstrates how you can not only observe but also actively tamper with data as it’s being written to SharedPreferences. Advanced Scenarios and Considerations Encrypted SharedPreferences: Some applications use libraries like EncryptedSharedPreferences (part of AndroidX Security) or custom encryption. In such cases, directly hooking getString or putString might only reveal the encrypted bytes. You would need to shift your focus to hook the encryption/decryption methods themselves, often found in helper classes or specific methods within the encryption library. Runtime Modifications: Beyond simple logging, Frida allows you to alter the return values of read operations or the arguments of write operations. This can be powerful for testing different application states or bypassing logic that relies on specific SharedPreferences values. Multiple Hooks: You can combine multiple Frida scripts or integrate various hooks into a single, comprehensive script to get a holistic view of the app’s behavior. Error Handling: For production-grade Frida scripts, consider adding error handling and more robust ways to identify objects or method overloads, especially when dealing with obfuscated applications. Conclusion Frida is an indispensable tool for dynamic analysis of Android applications, and its capabilities for hooking SharedPreferences are particularly useful for uncovering sensitive data and understanding an app’s persistence mechanisms. By following this guide, you’ve learned how to identify SharedPreferences files, intercept both read and write operations, and even modify data on the fly. This knowledge empowers you to conduct more thorough penetration tests and gain deeper insights into the security posture of Android applications. May 30, 2026
Troubleshooting Frida Hooks: When Shared Preferences Interception Fails Introduction to Frida and Shared Preferences Hooking Android applications frequently rely on SharedPreferences to store small amounts of primitive data, such as user settings, session tokens, or application flags. During an Android penetration test, intercepting reads from and writes to SharedPreferences is crucial for understanding an app’s behavior, identifying sensitive data leakage, or manipulating application logic. Frida, a powerful dynamic instrumentation toolkit, is the go-to tool for this. However, direct hooking of SharedPreferences methods like getString or putString doesn’t always work as smoothly as anticipated. This article delves into common reasons why your Frida hooks might fail to intercept SharedPreferences access and provides expert-level troubleshooting techniques and solutions. Understanding Shared Preferences Internals At its core, SharedPreferences provides a simple key-value storage mechanism. Data is typically stored in XML files within the app’s private data directory (/data/data/<package_name>/shared_prefs/). Applications obtain a SharedPreferences instance via Context.getSharedPreferences(name, mode), after which they can create an Editor to modify data, committing changes, or directly retrieve values. Common Access Patterns Here’s a typical flow for interacting with SharedPreferences: Getting the instance: SharedPreferences prefs = context.getSharedPreferences("MyPrefs", Context.MODE_PRIVATE); Writing data: SharedPreferences.Editor editor = prefs.edit();editor.putString("username", "frida_user");editor.apply(); // or editor.commit(); Reading data: String username = prefs.getString("username", "default_user"); Basic Frida Script for Shared Preferences Hooking (Initial Attempt) A common first attempt at hooking SharedPreferences might look like this: Java.perform(function () { var SharedPreferences = Java.use("android.content.SharedPreferences"); SharedPreferences.getString.overload("java.lang.String", "java.lang.String").implementation = function (key, defValue) { console.log("[+] SharedPreferences.getString called for key: " + key + ", default: " + defValue); var result = this.getString(key, defValue); console.log(" -> Result: " + result); return result; }; console.log("[+] Hooked SharedPreferences.getString");}); You might inject this script with frida -U -f com.example.app -l hook_prefs.js --no-pause. If this script produces no output even when you know the app is accessing preferences, it’s time to troubleshoot. Diagnosing Failed Hooks: Common Pitfalls and Solutions Pitfall 1: Incorrect Method Signature or Class Name One of the most frequent reasons for a failed hook is an incorrect method signature, especially with overloaded methods, or a misspelled class name. Android frameworks and app developers sometimes extend or implement SharedPreferences in custom ways, or the method signature might differ slightly. Solution: Verify Method Signature with Decompilation or frida-trace Decompilation: Use tools like Jadx or Ghidra to decompile the target APK. Navigate to android.content.SharedPreferences or its relevant implementation (e.g., android.app.SharedPreferencesImpl) to confirm the exact method signatures, including argument types and return types. frida-trace: A quick way to discover method calls and signatures at runtime is using frida-trace: frida-trace -U -f com.example.app -i "*SharedPreferences*!*getString*" --no-pause This command traces all getString calls within any class containing “SharedPreferences” in its name. Observe the output to identify the precise class and method signature being called. You might find it’s android.app.SharedPreferencesImpl.getString(java.lang.String, java.lang.String) rather than the interface. Pitfall 2: Method Inlining and Obfuscation Modern Android build tools (like R8/ProGuard) often perform optimizations such as method inlining or obfuscation. Inlining replaces a method call with the method’s body, making the original method disappear from the runtime. Obfuscation renames classes and methods, making direct name-based hooking difficult. Solution: Hooking Multiple Overloads or Core Implementations If getString has multiple overloads (e.g., for different types), or if the specific signature is hard to pinpoint, you can try hooking all overloads: Java.perform(function () { var SharedPreferences = Java.use("android.content.SharedPreferences"); SharedPreferences.getString.overload("*").implementation = function (key, defValue) { // Hook all overloads console.log("[+] SharedPreferences.getString ALL overloads called for key: " + key + ", default: " + defValue); var result = this.getString(key, defValue); console.log(" -> Result: " + result); return result; }; console.log("[+] Hooked all SharedPreferences.getString overloads");}); For inlining or if the app uses a custom SharedPreferences implementation, you might need to target the internal Android implementation, android.app.SharedPreferencesImpl: Java.perform(function () { var SharedPreferencesImpl = Java.use("android.app.SharedPreferencesImpl"); SharedPreferencesImpl.getString.overload("java.lang.String", "java.lang.String").implementation = function (key, defValue) { console.log("[+] SharedPreferencesImpl.getString called for key: " + key + ", default: " + defValue); var result = this.getString(key, defValue); console.log(" -> Result: " + result); return result; }; console.log("[+] Hooked SharedPreferencesImpl.getString");}); Pitfall 3: Multiple SharedPreferences Instances or Custom Implementations An application might manage multiple SharedPreferences files, each with a different name. Furthermore, some applications create wrapper classes around SharedPreferences or even implement their own storage mechanisms that mimic SharedPreferences but don’t directly use its core methods. Solution: Identify and Hook the Specific Instance or Wrapper Hooking Context.getSharedPreferences: The most reliable way to catch all SharedPreferences instances created by the app is to hook the method that provides them: Java.perform(function () { var ContextImpl = Java.use("android.app.ContextImpl"); // Or android.content.ContextWrapper ContextImpl.getSharedPreferences.overload("java.lang.String", "int").implementation = function (name, mode) { var prefs = this.getSharedPreferences(name, mode); console.log("[+] getSharedPreferences called for name: " + name + ", mode: " + mode); // Here, you can hook methods on the 'prefs' instance if needed // Example: hooking getString on this specific instance var SharedPreferences = Java.use("android.content.SharedPreferences"); var prefsProxy = Java.cast(prefs, SharedPreferences); // Cast to interface to access methods prefsProxy.getString.overload("java.lang.String", "java.lang.String").implementation = function (key, defValue) { var result = this.getString(key, defValue); console.log(" -> [" + name + "] getString for key: " + key + ", default: " + defValue + ", result: " + result); return result; }; return prefs; }; console.log("[+] Hooked ContextImpl.getSharedPreferences");}); Look for Custom Wrappers: Decompile the app and search for classes that import android.content.SharedPreferences. These might be custom managers that internally call SharedPreferences methods. You’ll then need to hook their specific methods. Pitfall 4: Dynamic Class Loading Some applications dynamically load classes at runtime, meaning the SharedPreferences implementation (or a custom wrapper) might not be available in the JVM’s classpath when your Frida script first executes Java.use(). Solution: Monitor Class Loading or Hook at a Later Stage Instead of hooking immediately, you can defer the hook until the class is loaded, or continuously monitor for its presence: Java.perform(function () { function attachSharedPreferencesHooks() { try { var SharedPreferencesImpl = Java.use("android.app.SharedPreferencesImpl"); SharedPreferencesImpl.getString.overload("java.lang.String", "java.lang.String").implementation = function (key, defValue) { console.log("[+] (Dynamic) SharedPreferencesImpl.getString called for key: " + key + ", default: " + defValue); var result = this.getString(key, defValue); console.log(" -> Result: " + result); return result; }; console.log("[+] Dynamically hooked SharedPreferencesImpl.getString"); } catch (e) { console.log("[-] SharedPreferencesImpl not yet loaded, retrying..."); // Optionally, retry after a delay or upon a class loading event setTimeout(attachSharedPreferencesHooks, 1000); } } attachSharedPreferencesHooks(); // Or use Java.enumerateLoadedClasses() repeatedly to find custom classes // Or hook java.lang.ClassLoader.loadClass to intercept class loading}); Pitfall 5: Indirect Access (File I/O Layer) In extremely rare or difficult cases, where direct method hooking fails due to aggressive optimizations, obfuscation, or custom non-Java native implementations, you might consider going one level lower: the file system. Solution: Hook File I/O Operations SharedPreferences data is stored in XML files. You can hook file I/O operations to detect when these files are read or written. This isn’t specific to SharedPreferences but captures any file access, which can be useful as a last resort. Interceptor.attach(Module.findExportByName(null, "open"), { // Hooking POSIX open() system call onEnter: function (args) { this.path = Memory.readUtf8String(args[0]); if (this.path.includes("shared_prefs") && (this.path.endsWith(".xml") || this.path.endsWith(".xml.bak"))) { console.log("[+] File opened: " + this.path); this.isPrefsFile = true; } }, onLeave: function (retval) { if (this.isPrefsFile) { console.log("[+] File handle for " + this.path + " : " + retval); } }});Interceptor.attach(Module.findExportByName(null, "read"), { // Hooking POSIX read() system call onEnter: function (args) { // You'd need to correlate file descriptors from 'open' calls to make this precise // This is a simplified example // For a real scenario, you'd track the FD and path if (args[0].toInt32() > 0 && args[0].toInt32() < 100) { // Simple heuristic for FD // ... further checks } }, // ... onLeave, to read data if needed});console.log("[+] Attempting to hook file I/O operations for shared_prefs."); This method is less precise but can reveal activity on SharedPreferences files, which can then be manually inspected from the device’s filesystem. Advanced Troubleshooting Techniques Runtime Class Discovery and Monitoring When dealing with highly dynamic or custom implementations, proactively searching for classes at runtime can be beneficial. You can iterate through all loaded classes or monitor ClassLoader for new class definitions. Java.perform(function () { Java.enumerateLoadedClasses({ onMatch: function (className) { if (className.includes("SharedPreferences") || className.includes("Prefs")) { console.log("[+] Discovered potential related class: " + className); } }, onComplete: function () { console.log("[+] Class enumeration complete."); } });}); Tracing Call Stacks If you manage to hook a method but can’t understand its context, a call stack trace can reveal which part of the application is calling it. Java.perform(function () { var SharedPreferencesImpl = Java.use("android.app.SharedPreferencesImpl"); SharedPreferencesImpl.getString.overload("java.lang.String", "java.lang.String").implementation = function (key, defValue) { var Log = Java.use("android.util.Log"); var Exception = Java.use("java.lang.Exception"); console.log("[+] SharedPreferencesImpl.getString called for key: " + key); console.log(" Call stack:n" + Log.getStackTraceString(Exception.$new())); var result = this.getString(key, defValue); return result; };}); Conclusion Troubleshooting Frida hooks for Android SharedPreferences can be a complex but rewarding process. By systematically diagnosing issues – from verifying method signatures and handling obfuscation to understanding dynamic class loading and the underlying file I/O – you can overcome common interception failures. Remember to leverage decompilation tools, frida-trace, and Frida’s powerful JavaScript API to gain deep insights into the application’s runtime behavior. With these techniques, you’ll be well-equipped to effectively monitor and manipulate shared preferences data during your Android penetration tests. May 30, 2026
Frida for Android Pen-Testers: Manipulating SharedPreferences Without Root Introduction to SharedPreferences and Frida Android applications frequently use SharedPreferences for storing lightweight key-value pairs, typically for user settings, feature flags, session tokens, or other application-specific configurations. While convenient for developers, these preferences can be a treasure trove for penetration testers. Gaining access to and manipulating SharedPreferences can reveal sensitive information, alter application behavior, bypass restrictions, or even escalate privileges within the application’s context. Traditionally, accessing or modifying these files (located in /data/data/<package_name>/shared_prefs/) requires root access on the Android device, as they reside in the app’s private data directory. However, during a penetration test, root access isn’t always available or desirable, especially when testing devices where root might alert security mechanisms or simply be impractical. This is where Frida, a dynamic instrumentation toolkit, becomes an invaluable asset. Frida allows you to inject scripts into running processes on Android, iOS, Windows, macOS, and Linux. By doing so, you can hook into application functions, modify their behavior, inspect data, and even call arbitrary methods at runtime—all without modifying the application binary or requiring root access for the specific manipulation of an app’s internal logic, as long as Frida itself can run on the device (which sometimes still requires root for `frida-server`, but the *manipulation itself* is performed in the app’s userland context). Prerequisites and Setup Before diving into the specifics, ensure you have a basic Frida setup operational. This typically involves: A rooted Android device or emulator with `frida-server` running. (While the *manipulation* doesn’t require the app itself to be rooted, `frida-server` often needs root permissions to inject into other processes). `frida-tools` installed on your host machine (`pip install frida-tools`). ADB configured to communicate with your Android device. You’ll also need to identify the package name of your target application (e.g., com.example.app). You can find this using `adb shell pm list packages -f` or `adb shell dumpsys window windows | grep -E ‘mCurrentFocus|mFocusedApp’`. Understanding SharedPreferences Access Android applications interact with SharedPreferences primarily through the android.content.SharedPreferences interface and its nested Editor interface. The common workflow involves: Obtaining a SharedPreferences instance, usually via Context.getSharedPreferences(name, mode) or Activity.getPreferences(mode). Reading values using methods like getString(key, defValue), getInt(key, defValue), getBoolean(key, defValue), etc. To write values, obtaining an Editor instance via SharedPreferences.edit(). Putting values using methods like Editor.putString(key, value), Editor.putInt(key, value), etc. Committing changes using Editor.apply() (asynchronous) or Editor.commit() (synchronous). Our Frida strategy will focus on intercepting these key methods to observe and alter the data flow. Frida Hooking Strategy for SharedPreferences Our goal is to dynamically intercept calls to getSharedPreferences to gain a handle on the SharedPreferences object. Once we have this, we can then hook its read methods (like getString, getBoolean) and the Editor‘s write methods (like putString, putBoolean) as well as the apply/commit methods to manipulate the data before it’s read by the app or before it’s written to disk. 1. Identifying the Target SharedPreferences First, let’s write a simple Frida script to log every time an application requests a SharedPreferences instance. This helps us discover the names of preference files used by the app. Java.perform(function() { console.log("[*] SharedPreferences Discovery Script Started"); var ContextWrapper = Java.use('android.content.ContextWrapper'); ContextWrapper.getSharedPreferences.implementation = function(name, mode) { console.log("[+] getSharedPreferences called: Name = " + name + ", Mode = " + mode); return this.getSharedPreferences(name, mode); };}); To run this script (let’s save it as `discover_prefs.js`), attach Frida to your target app: frida -U -f com.target.package -l discover_prefs.js --no-pause As you interact with the app, you’ll see output in your terminal indicating the names of the SharedPreferences files being accessed. For this tutorial, let’s assume we discovered a preference file named my_app_prefs. 2. Reading and Modifying Values Dynamically Now, let’s craft a more comprehensive Frida script to not only log but also modify the values read from and written to my_app_prefs. Java.perform(function() { console.log("[*] Frida SharedPreferences Manipulation Script Initiated"); // Get references to necessary classes var ContextWrapper = Java.use('android.content.ContextWrapper'); var SharedPreferences = Java.use('android.content.SharedPreferences'); var Editor = Java.use('android.content.SharedPreferences$Editor'); // Hook ContextWrapper.getSharedPreferences to intercept preference file access ContextWrapper.getSharedPreferences.implementation = function(name, mode) { console.log("----------------------------------------------------------------------------------------------------------------"); console.log("[HOOKED] Application is requesting SharedPreferences: '" + name + "' with mode: " + mode); // Call the original method to get the actual SharedPreferences object var prefs = this.getSharedPreferences(name, mode); // Check if this is our target SharedPreferences file if (name === "my_app_prefs") { console.log("[INFO] Intercepting methods for target SharedPreferences: '" + name + "'"); // --- Hook Read Operations (e.g., getString, getBoolean) --- prefs.getString.implementation = function(key, defValue) { var originalValue = this.getString(key, defValue); console.log("[READ] SP: '" + name + "' | Key: '" + key + "' | Original: '" + originalValue + "' | Default: '" + defValue + "'"); // Example: Manipulate a specific string value if (key === "premium_feature_unlocked") { console.log("[MODIFY] Overriding 'premium_feature_unlocked' to 'true'!"); return "true"; // Force it to return "true" } if (key === "user_api_key") { console.log("[MODIFY] Supplying a test API key for 'user_api_key'!"); return "TEST_API_KEY_BY_FRIDA_12345"; } return originalValue; }; prefs.getBoolean.implementation = function(key, defValue) { var originalValue = this.getBoolean(key, defValue); console.log("[READ] SP: '" + name + "' | Key: '" + key + "' | Original Boolean: " + originalValue + " | Default: " + defValue); // Example: Manipulate a specific boolean value if (key === "is_admin_user") { console.log("[MODIFY] Forcing 'is_admin_user' to true!"); return true; } return originalValue; }; prefs.getInt.implementation = function(key, defValue) { var originalValue = this.getInt(key, defValue); console.log("[READ] SP: '" + name + "' | Key: '" + key + "' | Original Int: " + originalValue + " | Default: " + defValue); if (key === "app_version_code") { console.log("[MODIFY] Setting 'app_version_code' to 9999 for testing!"); return 9999; } return originalValue; }; // --- Hook Write Operations (e.g., putString, putBoolean) via Editor --- Editor.putString.implementation = function(key, value) { console.log("[WRITE] SP Editor: '" + name + "' | Key: '" + key + "' | New Value: '" + value + "'"); // Example: Intercept and modify a value before it's saved if (key === "user_preference_setting") { console.log("[MODIFY] Altering 'user_preference_setting' to 'frida_controlled_state'!"); return this.putString(key, "frida_controlled_state"); } return this.putString(key, value); }; Editor.putBoolean.implementation = function(key, value) { console.log("[WRITE] SP Editor: '" + name + "' | Key: '" + key + "' | New Boolean Value: " + value); if (key === "telemetry_enabled") { console.log("[MODIFY] Forcing 'telemetry_enabled' to false, regardless of app's intent!"); return this.putBoolean(key, false); } return this.putBoolean(key, value); }; // --- Hook Apply/Commit to observe when changes are saved --- Editor.apply.implementation = function() { console.log("[SAVING] SharedPreferences Editor ('" + name + "') - Changes applied (asynchronous)."); return this.apply(); }; Editor.commit.implementation = function() { console.log("[SAVING] SharedPreferences Editor ('" + name + "') - Changes committed (synchronous)."); return this.commit(); }; } console.log("----------------------------------------------------------------------------------------------------------------"); return prefs; };}); Save this script as `manipulate_prefs.js`. To execute it, you would again use Frida: frida -U -f com.target.package -l manipulate_prefs.js --no-pause Replace com.target.package with the actual package name of the application you are testing. The `–no-pause` flag ensures the application starts immediately after injection. Execution and Observation Once Frida is attached and the script is running, interact with the target application. You will observe detailed output in your terminal: Messages indicating when getSharedPreferences is called. Logs of values being read (`[READ]`) and, more importantly, when they are being manipulated (`[MODIFY]`). Logs of values being written (`[WRITE]`) and any modifications applied by our script. Confirmation messages when changes are saved (`[SAVING]`). For instance, if the app tries to check `premium_feature_unlocked`, our script will force it to return `true`, potentially unlocking features without the app ever knowing the original value. Similarly, any attempt by the app to enable `telemetry_enabled` would be overridden to `false` before it’s saved. Advanced Considerations Different Data Types: The provided script primarily hooks `getString`, `getBoolean`, `getInt`, `putString`, `putBoolean`, and `putInt`. Remember to extend your hooks to other data types like `getLong`, `getFloat`, `getStringSet`, and their corresponding `put` methods if the application uses them. Preventing Writes: You can entirely prevent a write operation from occurring by simply not calling the original `this.putString(key, value)` or `this.putBoolean(key, value)` within the `Editor` hook. This can be useful for blocking specific configuration changes. Bypassing Integrity Checks: If an application performs integrity checks on SharedPreferences data (e.g., checksums), manipulating values at runtime can bypass these checks, as the check itself might read the manipulated value. Conditional Manipulation: The script uses `if (key === “some_key”)` for conditional manipulation. You can extend this with more complex logic based on current app state, other preference values, or even user input received via Frida’s RPC API. Conclusion Frida provides an incredibly powerful and flexible way to interact with Android applications at runtime. By strategically hooking into SharedPreferences access methods, penetration testers can effectively manipulate application settings and data without requiring direct file system access via root. This technique is crucial for understanding an app’s internal logic, bypassing client-side controls, and identifying potential vulnerabilities that might otherwise remain hidden. Mastering dynamic instrumentation with Frida opens up a vast array of possibilities for in-depth mobile application security assessments. May 30, 2026
How to Bypass Android Shared Preferences Security with Frida Hooks Introduction: The Perils of Shared Preferences Android’s Shared Preferences API provides a lightweight mechanism for applications to store private primitive data in key-value pairs. It’s designed for simple settings, user preferences, and small amounts of application state. While convenient and seemingly innocuous, developers often misuse Shared Preferences to store sensitive information such as API keys, session tokens, user IDs, or even flags indicating administrative privileges. This misjudgment frequently stems from an underestimation of the security implications, assuming that since the data is ‘private’ to the app, it is inherently secure. The data stored via Shared Preferences is typically saved in XML files within the app’s private data directory (e.g., /data/data/<package_name>/shared_prefs/<preference_name>.xml). While these files are generally inaccessible to other unprivileged applications, a rooted device or an attacker with physical access can easily bypass these filesystem-level protections. Even without root, if an application is debuggable, an attacker can use tools like `run-as` to access these files, compromising any sensitive data within. Why Traditional File System Access Falls Short For penetration testers, the first instinct to examine Shared Preferences might be to directly access the XML files from the device’s filesystem. This approach involves: adb shellsu # or run-as com.example.targetappcd /data/data/com.example.targetapp/shared_prefs/ls -lcat my_prefs.xml However, this method has several limitations. Firstly, it requires a rooted device or a debuggable application to gain sufficient permissions. Secondly, even if you can read the files, you’re only seeing the static state of the preferences at the time of access. You miss dynamic changes, how values are used by the application, or if they are encrypted before being written to disk (though this is rare for Shared Preferences). More sophisticated applications might also employ custom `SharedPreferences` implementations or encrypt data in memory before passing it to the `Editor` methods, making direct file inspection insufficient. This is where dynamic instrumentation shines. By hooking into the application’s runtime, we can intercept calls to the Shared Preferences API as they happen, gaining full visibility into the data being read and written, irrespective of file permissions or on-disk encryption. Enter Frida: Dynamic Instrumentation for Android Frida is a powerful, cross-platform dynamic instrumentation toolkit that allows you to inject scripts into running processes. For Android penetration testing, Frida enables you to hook into Java methods, native functions, and even modify their behavior on the fly. This capability is invaluable for understanding application logic, bypassing security controls, and extracting sensitive information that might otherwise be hidden. This tutorial assumes you have a basic understanding of Frida and have it set up on your testing environment (host machine with `frida-tools` and a rooted Android device with `frida-server` running). If not, you’ll need to install `frida-tools` via pip and deploy `frida-server` to your device and run it. # On your host machine:pip install frida-tools# On your Android device (as root):adb push frida-server-<version>-android-<arch> /data/local/tmp/frida-serveradb shell"chmod 755 /data/local/tmp/frida-server"adb shell"/data/local/tmp/frida-server &" Identifying and Hooking Shared Preferences Access To fully understand and manipulate Shared Preferences, we need to target several key areas: Hooking `ContextWrapper.getSharedPreferences` The first step is to identify when an application is requesting a Shared Preferences instance. Applications typically obtain a `SharedPreferences` object by calling `getSharedPreferences(String name, int mode)` from a `Context` or `ContextWrapper` instance. By hooking this method, we can log which preference files are being accessed and with what permissions. Java.perform(function () { var ContextWrapper = Java.use("android.content.ContextWrapper"); ContextWrapper.getSharedPreferences.implementation = function (name, mode) { console.log("[+] getSharedPreferences called for: '" + name + "' with mode: " + mode); // Call the original method to ensure the app functions correctly return this.getSharedPreferences(name, mode); };}); To run this script against a target application (replace `com.example.targetapp` with the actual package name): frida -U -f com.example.targetapp -l hook_get_prefs.js --no-pause This will print the name and mode every time an app retrieves a `SharedPreferences` object, giving you insight into the preference files being used. Intercepting Shared Preferences Writes (`Editor.putString`, `Editor.apply`, `Editor.commit`) To capture data being written to Shared Preferences, we need to hook the `Editor` interface methods. Specifically, `putString`, `putBoolean`, `putInt`, etc., and the `apply()` or `commit()` methods which persist the changes. Java.perform(function () { var Editor = Java.use("android.content.SharedPreferences$Editor"); // Intercept putString method Editor.putString.implementation = function (key, value) { console.log("[+] SharedPreferences.Editor.putString() called. Key: '" + key + "', Value: '" + value + "'"); // You can modify the value here if needed: // if (key === "sensitive_token") { // console.log("[*] Modifying sensitive_token to 'BYPASSED_TOKEN_FRIDA'"); // return this.putString(key, "BYPASSED_TOKEN_FRIDA"); // } return this.putString(key, value); // Call original method }; // Intercept putBoolean method for flags Editor.putBoolean.implementation = function (key, value) { console.log("[+] SharedPreferences.Editor.putBoolean() called. Key: '" + key + "', Value: " + value); return this.putBoolean(key, value); }; // Intercept apply() for asynchronous writes Editor.apply.implementation = function () { console.log("[+] SharedPreferences.Editor.apply() called. Changes being committed asynchronously."); return this.apply(); }; // Intercept commit() for synchronous writes Editor.commit.implementation = function () { console.log("[+] SharedPreferences.Editor.commit() called. Changes being committed synchronously."); return this.commit(); };}); This script provides comprehensive logging of all `putString` and `putBoolean` operations, along with when changes are applied or committed. This is extremely useful for identifying when and what sensitive data is being saved. Intercepting Shared Preferences Reads (`SharedPreferences.getString`, `getBoolean`, etc.) Equally important is intercepting data reads. By hooking the getter methods, we can see what data the application retrieves from Shared Preferences and even modify it before it’s used by the app’s logic. This allows for powerful runtime manipulation. Java.perform(function () { var SharedPreferences = Java.use("android.content.SharedPreferences"); // Intercept getString method SharedPreferences.getString.implementation = function (key, defValue) { var retrievedValue = this.getString(key, defValue); console.log("[+] SharedPreferences.getString() called. Key: '" + key + "', Default: '" + defValue + "', Retrieved: '" + retrievedValue + "'"); // Example: Modifying a sensitive flag or token on-the-fly if (key === "isAdminFlag" && retrievedValue === "false") { console.log("[*] Bypassing isAdminFlag. Changing from 'false' to 'true'."); return "true"; // Inject our desired value } if (key === "api_token" && retrievedValue === "some_old_token") { console.log("[*] Intercepted old API token. Injecting a new one."); return "NEW_INJECTED_API_TOKEN_12345"; } return retrievedValue; // Return the original or modified value }; // Intercept getBoolean method SharedPreferences.getBoolean.implementation = function (key, defValue) { var retrievedValue = this.getBoolean(key, defValue); console.log("[+] SharedPreferences.getBoolean() called. Key: '" + key + "', Default: " + defValue + ", Retrieved: " + retrievedValue); if (key === "premium_unlocked" && !retrievedValue) { console.log("[*] Bypassing 'premium_unlocked'. Changing from 'false' to 'true'."); return true; } return retrievedValue; };}); This script demonstrates how to not only log the retrieved values but also actively modify them. This is crucial for bypassing license checks, elevating privileges, or injecting test data into the application’s runtime. For instance, if an app checks `getBoolean( May 30, 2026
Advanced Frida Hooking: Dumping All Shared Preferences from Any Android App Introduction to Android Shared Preferences and Their Security Implications Android’s SharedPreferences provide a lightweight mechanism for applications to store private primitive data in key-value pairs. This data is stored in XML files within the application’s private directory (typically /data/data/com.package.name/shared_prefs/). While designed for simple settings and configurations, developers sometimes inadvertently store sensitive information such as user tokens, API keys, session IDs, or even unencrypted personal data in Shared Preferences. For penetration testers and security researchers, inspecting Shared Preferences is a crucial step in understanding an application’s internal workings and identifying potential vulnerabilities. While static analysis and direct file system access (on rooted devices) can reveal these files, dynamic instrumentation with tools like Frida offers a more powerful and versatile approach, especially when dealing with non-rooted devices or when real-time data inspection is required. Why Frida for Dumping Shared Preferences? Traditional methods for accessing Shared Preferences often involve: `adb pull` on rooted devices: This allows directly pulling XML files from /data/data//shared_prefs/. However, it requires a rooted device and the app must have already written the preferences to disk. Static analysis: Decompiling the APK to find where SharedPreferences are used. This tells you *what* might be stored but not the *current values* at runtime. Frida, a dynamic instrumentation toolkit, overcomes these limitations by injecting into a running application process. This allows us to hook Java methods, inspect memory, and even modify runtime behavior. For Shared Preferences, Frida provides the unique ability to: Identify all SharedPreferences instances created by the application, even if they’re not immediately written to disk. Dump the *current* contents of these preferences directly from memory, regardless of file system permissions or rooting status (as long as Frida server is running). Monitor real-time changes to preferences as the user interacts with the app. Prerequisites and Setup Required Tools A rooted or non-rooted Android device (physical or emulator) with Frida Server installed and running. ADB (Android Debug Bridge) installed on your host machine. Frida client installed on your host machine (pip install frida-tools). A target Android application for testing. For this tutorial, we’ll assume com.example.targetapp. Basic Frida Setup Verification First, ensure your Android device is connected and recognized by ADB: adb devices You should see your device listed. Next, verify that Frida Server is running and accessible. If you haven’t started it, push the Frida server binary to your device and execute it. Assuming it’s running, check processes: frida-ps -U This command lists all processes on the connected USB device. If successful, you’re ready to proceed. The Strategy: Hooking Shared Preferences Access Our primary goal is to identify whenever an application accesses or creates a SharedPreferences instance and then extract all its current key-value pairs. We’ll achieve this by hooking key Android API methods. Identifying `SharedPreferences` Instances Applications typically obtain a SharedPreferences object using `Context.getSharedPreferences(String name, int mode)` or `PreferenceManager.getDefaultSharedPreferences(Context context)`. By hooking these methods, we can intercept the creation of new preference sets and retrieve their names. Dumping All Key-Value Pairs Once we have a reference to a SharedPreferences object, the Java API provides the getAll() method, which returns a `Map` containing all entries. We can simply call this method on the hooked instance to dump its entire content. Real-time Monitoring of Changes (Advanced) For a more comprehensive analysis, we can also hook `SharedPreferences.Editor.commit()` and `SharedPreferences.Editor.apply()`. These methods are called when changes made via a `SharedPreferences.Editor` are persisted. By hooking these, we can log individual changes as they happen. Crafting the Frida Script Let’s put this strategy into a Frida JavaScript script. This script will intercept calls to getSharedPreferences, log the preference file name, and then dump all current contents of that preference set. Java.perform(function () { console.log('Frida script loaded: Dumping SharedPreferences'); // Hook ContextWrapper.getSharedPreferences to intercept preference file names var ContextWrapper = Java.use('android.content.ContextWrapper'); ContextWrapper.getSharedPreferences.implementation = function (name, mode) { console.log('[+] Intercepted SharedPreferences: "' + name + '"'); // Call the original method to get the SharedPreferences object var sharedPrefs = this.getSharedPreferences(name, mode); // Dump all entries from this SharedPreferences object dumpSharedPreferences(sharedPrefs, name); return sharedPrefs; }; // Hook PreferenceManager.getDefaultSharedPreferences for cases where default preferences are used // This might require hooking a specific Activity or Application context depending on usage var PreferenceManager = Java.use('android.preference.PreferenceManager'); PreferenceManager.getDefaultSharedPreferences.implementation = function (context) { var sharedPrefs = this.getDefaultSharedPreferences(context); console.log('[+] Intercepted DefaultSharedPreferences.'); // Since default preferences don't have an explicit 'name' parameter in this call, // we need to infer it or just label it as 'default'. // The default name is usually related to the package name. var packageName = context.getPackageName(); var defaultPrefsName = packageName + '_preferences'; // Common default naming convention dumpSharedPreferences(sharedPrefs, defaultPrefsName); return sharedPrefs; }; function dumpSharedPreferences(prefsObject, prefsName) { if (prefsObject === null) { console.log('[-] SharedPreferences object is null for: ' + prefsName); return; } try { var allEntries = prefsObject.getAll(); var map = Java.cast(allEntries, Java.use('java.util.Map')); if (map.size() == 0) { console.log(' No entries found for "' + prefsName + '"'); return; } console.log(' --- Dumping contents of "' + prefsName + '" (size: ' + map.size() + ') ---'); var iterator = map.entrySet().iterator(); while (iterator.hasNext()) { var entry = iterator.next(); var key = entry.getKey(); var value = entry.getValue(); // Handle null values gracefully var valueStr = (value !== null) ? value.toString() : 'null'; // Attempt to detect if value is an object and stringify if possible if (Java.isJavaObject(value) && value.$className !== undefined) { if (value.$className.startsWith('java.lang.')) { // Primitive wrappers, handled by toString() } else { // Other objects, try to convert to JSON if possible, else toString() try { valueStr = JSON.stringify(Java.cast(value, Java.use('java.lang.Object'))); } catch (e) { valueStr = value.$className + '@' + value.hashCode() + ' (Object, toString: ' + value.toString() + ')'; } } } console.log(' Key: "' + key + '", Value: "' + valueStr + '"'); } console.log(' --- End dump for "' + prefsName + '" ---'); } catch (e) { console.error(' Error dumping SharedPreferences "' + prefsName + '": ' + e.message); } }}) Executing the Script and Analyzing Output Running the Frida Script Save the above code as shared_prefs_dump.js. To execute it against your target application (e.g., com.example.targetapp), use the following command: frida -U -l shared_prefs_dump.js --no-pause -f com.example.targetapp -U: Attaches to a USB device. -l shared_prefs_dump.js: Loads our Frida script. --no-pause: Prevents Frida from pausing the application immediately after injection, allowing it to run normally. -f com.example.targetapp: Spawns and attaches to the specified application package name. Once the app launches, interact with it. Perform actions that you suspect might involve reading or writing to Shared Preferences (e.g., logging in, changing settings, navigating screens). As the app calls `getSharedPreferences`, Frida will intercept these calls, dump the contents, and print them to your console. Interpreting the Results The output in your console will show messages similar to this: [+] Intercepted SharedPreferences: "user_session_data" --- Dumping contents of "user_session_data" (size: 3) --- Key: "username", Value: "testuser" Key: "session_token", Value: "s3cr3tTok3n123" Key: "is_logged_in", Value: "true" --- End dump for "user_session_data" ---[+] Intercepted SharedPreferences: "app_settings" No entries found for "app_settings" This output clearly identifies the name of the SharedPreferences file (e.g., May 30, 2026
Frida Scripting Lab: Monitor & Modify Android SharedPreferences Live Introduction to Android SharedPreferences and Frida Android applications frequently use SharedPreferences to store small amounts of primitive data in key-value pairs. This can include user settings, session tokens, feature flags, or even sensitive information (though not recommended for the latter without proper encryption). During penetration testing or security analysis, understanding how an app interacts with its preferences is crucial. Frida, a dynamic instrumentation toolkit, provides an unparalleled capability to inspect and manipulate an app’s runtime behavior, including its interaction with SharedPreferences. This guide will walk you through setting up a Frida environment to monitor and dynamically modify SharedPreferences values in a live Android application. You’ll learn how to intercept calls, observe data flow, and even inject your own values to alter application logic. Prerequisites Before we begin, ensure you have the following tools set up: Rooted Android Device or Emulator: A device or emulator with root access is required to run the Frida server. ADB (Android Debug Bridge): For interacting with the Android device/emulator from your computer. Frida-server: The Frida server running on your Android device. Frida-tools: Installed on your host machine (pip install frida-tools). Basic understanding of JavaScript: Frida scripts are written in JavaScript. Make sure your Frida server is running on the device. You can typically start it with:adb push frida-server /data/local/tmp/frida-serveradb shell "chmod 755 /data/local/tmp/frida-server && /data/local/tmp/frida-server &" Understanding Android SharedPreferences SharedPreferences are an interface for accessing and modifying preference data. They are backed by XML files stored in the app’s private directory (e.g., /data/data/your.package.name/shared_prefs/). The main methods we’ll focus on are: Context.getSharedPreferences(name, mode): To retrieve a SharedPreferences instance. SharedPreferences.getString(), getInt(), getBoolean(), etc.: To read data. SharedPreferences.Editor.putString(), putInt(), putBoolean(), etc.: To write data. SharedPreferences.Editor.apply() or commit(): To save changes. Monitoring SharedPreferences Access with Frida Hooking Context.getSharedPreferences() First, let’s see which preference files an application is accessing. We can hook the getSharedPreferences method to log its arguments. Java.perform(function() { var Context = Java.use("android.content.Context"); Context.getSharedPreferences.implementation = function(name, mode) { console.log("[*] getSharedPreferences called for file: " + name + ", mode: " + mode); return this.getSharedPreferences(name, mode); }; console.log("[+] Hooked Context.getSharedPreferences()");}); Run this script using frida -U -l script.js -f com.example.app --no-pause, replacing com.example.app with your target package name. You will see logs whenever the app requests a SharedPreferences instance. Intercepting Read Operations Next, let’s monitor when an app reads specific values. We’ll hook getString, but the same principle applies to getInt, getBoolean, etc. Java.perform(function() { var SharedPreferences = Java.use("android.content.SharedPreferences"); SharedPreferences.getString.implementation = function(key, defValue) { var result = this.getString(key, defValue); console.log("[*] SharedPreferences.getString(" + key + ") called. Default: " + defValue + ", Result: " + result); return result; }; console.log("[+] Hooked SharedPreferences.getString()");}); This script logs the key, default value, and the actual value retrieved. You can combine this with the previous hook to get a full picture of access patterns. Intercepting Write Operations To see what data is being written, we need to hook the Editor.putString() methods and then the apply() or commit() methods that finalize the write. Java.perform(function() { var Editor = Java.use("android.content.SharedPreferences$Editor"); Editor.putString.implementation = function(key, value) { console.log("[*] SharedPreferences.Editor.putString(" + key + ", " + value + ") called."); return this.putString(key, value); }; Editor.apply.implementation = function() { console.log("[*] SharedPreferences.Editor.apply() called."); return this.apply(); }; Editor.commit.implementation = function() { console.log("[*] SharedPreferences.Editor.commit() called."); return this.commit(); }; console.log("[+] Hooked SharedPreferences.Editor methods.");}); This comprehensive set of hooks will give you deep insight into how the application reads and writes data through SharedPreferences. Modifying SharedPreferences Live Monitoring is useful, but the real power of Frida comes from modifying these values on the fly. This can be used to bypass client-side checks, unlock features, or test different application states. Changing Read Values (getResult()) We can alter the return value of any get method. For instance, imagine an app checks a boolean preference for a ‘premium’ feature. We can force it to always return true. Java.perform(function() { var SharedPreferences = Java.use("android.content.SharedPreferences"); SharedPreferences.getBoolean.implementation = function(key, defValue) { var originalResult = this.getBoolean(key, defValue); if (key === "isPremiumUser") { console.log("[*] Intercepted 'isPremiumUser' read: Original: " + originalResult + ". Forcing to true!"); return true; // Force premium status } return originalResult; }; console.log("[+] Hooked SharedPreferences.getBoolean() to modify 'isPremiumUser'.");}); This script demonstrates a targeted modification. You can extend this logic to modify strings, integers, or other types based on specific keys. Injecting New Entries or Modifying Existing Ones Sometimes you might want to inject a new preference entry that the app doesn’t normally create, or change a value before it’s even read. You can obtain a reference to the SharedPreferences object and modify it directly. Java.perform(function() { var Context = Java.use("android.content.Context"); var SharedPreferences = null; // First, get a reference to the SharedPreferences object Context.getSharedPreferences.implementation = function(name, mode) { var sp = this.getSharedPreferences(name, mode); if (name === "app_settings") { // Target a specific preferences file SharedPreferences = sp; console.log("[+] Obtained SharedPreferences instance for 'app_settings'."); } return sp; }; // After the app has initialized and hopefully accessed 'app_settings' setTimeout(function() { if (SharedPreferences !== null) { console.log("[*] Modifying 'app_settings' live..."); var editor = SharedPreferences.edit(); editor.putString("injected_feature_flag", "enabled"); editor.putInt("admin_level", 5); editor.apply(); console.log("[+] Injected 'injected_feature_flag' and 'admin_level'."); console.log(" Current 'injected_feature_flag': " + SharedPreferences.getString("injected_feature_flag", "default")); console.log(" Current 'admin_level': " + SharedPreferences.getInt("admin_level", 0)); } else { console.log("[-] Could not get SharedPreferences instance for 'app_settings'."); } }, 5000); // Wait 5 seconds for app to initialize}); This script first hooks getSharedPreferences to capture a reference to the specific preferences file, then uses a setTimeout to wait for the app to initialize before directly editing and applying new values. This allows you to dynamically alter preferences even if the app hasn’t provided a UI for them. Practical Applications and Next Steps The techniques demonstrated here are fundamental for a wide range of Android security assessments: Bypassing Feature Restrictions: Modify boolean flags like isProUser, adFree, etc. Altering Application Flow: Change settings that control logic, such as server URLs, debug modes, or analytics opt-ins. Data Leakage Analysis: Identify if sensitive information is being stored insecurely in preferences. Race Condition Testing: Dynamically change preferences to test how an app handles concurrent modifications. Experiment with different types of preferences and methods. Remember to always use these techniques ethically and on applications you have permission to test. Conclusion Frida provides an incredibly powerful and flexible platform for dynamic analysis of Android applications. By mastering its use for monitoring and modifying SharedPreferences, you gain deep control over an app’s internal state. This skill is invaluable for security researchers and developers looking to understand, debug, or uncover vulnerabilities in Android applications. Keep exploring Frida’s capabilities; the possibilities are vast. May 30, 2026

Author: admin

Introduction to Android Intents and Security

Why Frida for Dynamic Intent Analysis?

Setting Up Your Environment

Prerequisites

Installation Steps

Dissecting Android Intent Hooks with Frida

Core Intent Classes to Target

Intercepting startActivity Calls

Handling Broadcast Intents

Building a Comprehensive Frida Script for Intent Monitoring

Practical Security Audit Applications

Sensitive Data Leakage

Unintended Component Exposure

Insecure Broadcasts

Misconfigured Intent Flags

Third-Party Library Behavior

Conclusion

Introduction to Android SharedPreferences

What are SharedPreferences?

How Apps Use SharedPreferences

Security Considerations of SharedPreferences

Common Misconceptions and Vulnerabilities

Introduction to Frida for Android Hooking

What is Frida?

Frida Setup (Brief)

Frida Hooking SharedPreferences

Identifying Target Methods

Writing a Frida Script to Intercept SharedPreferences Access

Practical Demonstration

Setting up the Environment

Running the Frida Script

Conclusion

Introduction to Frida and Shared Preferences Interception

Prerequisites and Setup

Essential Tools

Introduction: The Importance of Shared Preferences in Android Security Analysis

Setting Up Your Environment for Frida Hooking

Prerequisites

Frida Server Installation

Understanding Android Shared Preferences Architecture

Frida Script: Intercepting All Shared Preferences Access

Executing the Frida Script

Understanding the Script’s Output

Advanced Considerations and Use Cases

Conclusion

Introduction to Android SharedPreferences and Frida

Prerequisites

Understanding Android SharedPreferences

Setting up Frida

Hooking Context.getSharedPreferences to Enumerate Files

Frida Script: enumerate_prefs.js

Running the script:

Hooking Read Operations: Intercepting Data Retrieval

Frida Script: log_prefs_read.js

Running the script:

Hooking Write Operations: Intercepting and Modifying Data Storage

Frida Script: intercept_prefs_write.js

Running the script:

Advanced Scenarios and Considerations

Encrypted SharedPreferences:

Runtime Modifications:

Multiple Hooks:

Error Handling:

Conclusion

Introduction to Frida and Shared Preferences Hooking

Understanding Shared Preferences Internals

Common Access Patterns

Basic Frida Script for Shared Preferences Hooking (Initial Attempt)

Diagnosing Failed Hooks: Common Pitfalls and Solutions

Pitfall 1: Incorrect Method Signature or Class Name

Solution: Verify Method Signature with Decompilation or frida-trace

Pitfall 2: Method Inlining and Obfuscation

Solution: Hooking Multiple Overloads or Core Implementations

Pitfall 3: Multiple SharedPreferences Instances or Custom Implementations

Solution: Identify and Hook the Specific Instance or Wrapper

Pitfall 4: Dynamic Class Loading

Solution: Monitor Class Loading or Hook at a Later Stage

Pitfall 5: Indirect Access (File I/O Layer)

Solution: Hook File I/O Operations

Intercepting `startActivity` Calls

Hooking `Context.getSharedPreferences` to Enumerate Files

Frida Script: `enumerate_prefs.js`

Frida Script: `log_prefs_read.js`

Frida Script: `intercept_prefs_write.js`

Solution: Verify Method Signature with Decompilation or `frida-trace`