Author: admin

Deep Dive: Reverse Engineering Android Apps to Locate & Exploit Insecure Storage with Frida Hooks
Introduction: The Peril of Insecure Data Storage

In the realm of mobile application security, insecure data storage remains a critical vulnerability. Android applications often store sensitive user data—ranging from authentication tokens to personal information—in locations that are inadequately protected. Attackers can leverage these weaknesses to extract valuable data, compromise user accounts, or escalate privileges. This guide will provide an expert-level walkthrough on how to identify and exploit insecure data storage mechanisms within Android applications using a powerful dynamic instrumentation toolkit: Frida. We’ll combine static analysis with real-time runtime manipulation to expose hidden vulnerabilities.

Prerequisites for This Deep Dive

Before embarking on this technical journey, ensure you have the following tools and setup ready:
- Rooted Android Device or Emulator: Necessary for running Frida server and accessing application private data.
- ADB (Android Debug Bridge): For interacting with your Android device.
- Frida-server & Frida-tools: The dynamic instrumentation toolkit. Install Frida-tools via pip install frida-tools.
- JADX-GUI or APKTool: For static analysis and decompiling APKs. JADX-GUI is recommended for its ease of use.
- Basic Understanding of Android Development & Java/Kotlin: To interpret decompiled code.
Understanding Android’s Data Storage Mechanisms

Android provides several ways for applications to store data, each with different security implications:

SharedPreferences

Used for storing primitive data types (booleans, floats, ints, longs, strings) in key-value pairs. Stored in XML files within the app’s private data directory. Misconfigurations like MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE can expose these files.

Internal Storage

Files saved to internal storage are private to your application and cannot be accessed by other applications (or the user) by default. This is generally secure, but insecure content within these files or improper access control can still lead to leaks.

External Storage

Files saved to external storage (e.g., SD card) are publicly readable. While suitable for public media, storing sensitive data here is a severe security risk.

SQLite Databases

Applications often use SQLite databases for structured data storage. These are typically private, but similar to internal storage, if the database contains unencrypted sensitive information, it’s vulnerable once an attacker gains access to the device or can inject malicious queries.

Phase 1: Static Analysis – Uncovering Potential Vulnerabilities

Static analysis is your initial reconnaissance, helping you pinpoint areas where sensitive data might be stored. We’ll use JADX-GUI to decompile the APK and scrutinize the source code.

Decompiling the APK with JADX-GUI

Open your target APK file with JADX-GUI (jadx-gui your_app.apk). This will decompile the DEX bytecode into human-readable Java code.

Identifying Storage Patterns

Search for keywords related to common storage methods:
- SharedPreferences: Look for getSharedPreferences, MODE_PRIVATE, MODE_WORLD_READABLE, MODE_WORLD_WRITEABLE. Pay close attention to calls using MODE_WORLD_READABLE, as this immediately flags a major vulnerability.
- Internal/External Files: Search for openFileOutput, FileOutputStream, FileWriter, getExternalStorageDirectory, Environment.getExternalStoragePublicDirectory.
- Databases: Identify classes extending SQLiteOpenHelper or methods like getWritableDatabase, execSQL, insert, update.
Example: Insecure SharedPreferences Usage
```
<code class=
```
May 30, 2026
From Zero to Hero: A Complete Guide to Exploiting Android’s Insecure Internal Storage via Frida
Introduction: The Peril of Insecure Internal Storage

Android applications often store various types of data internally, ranging from user preferences and session tokens to sensitive API keys and even biometric data. While Android provides mechanisms for secure storage, developers sometimes make critical errors, leading to plaintext storage of sensitive information in areas accessible by the app itself. This ‘insecure internal storage’ vulnerability poses a significant risk, as a compromised device or a malicious app with sufficient permissions could potentially access and exfiltrate this data.

This article will guide you through identifying and exploiting these vulnerabilities using Frida, a powerful dynamic instrumentation toolkit. Frida allows us to inject custom scripts into running processes, hook into functions, and modify runtime behavior, making it an invaluable tool for Android application penetration testing.

Setting Up Your Android Penetration Testing Environment

Before diving into exploitation, we need a properly configured environment.

1. Rooted Android Device Preparation

You’ll need a rooted Android device or emulator. Root access is crucial for pushing the Frida server and accessing protected application directories.
- Ensure ADB (Android Debug Bridge) is installed on your workstation.
- Connect your Android device and verify ADB connectivity:
```
adb devices
List of devices attached
XXXXXXXXXXXX    device
```
- Grant ADB root privileges, if your custom ROM allows (some production roots might not):
```
adb root
restarting adbd as root
```
2. Installing Frida Server

The Frida server runs on the Android device and communicates with your workstation’s Frida client.
- Determine your device’s CPU architecture (e.g., arm64-v8a, armeabi-v7a):
```
adb shell getprop ro.product.cpu.abi
arm64-v8a
```
- Download the appropriate `frida-server` for your architecture from the Frida GitHub releases page.
- Push the `frida-server` binary to a writable location on your device (e.g., `/data/local/tmp`):
```
adb push /path/to/frida-server /data/local/tmp/frida-server
/path/to/frida-server: 1 file pushed, 0 skipped. 16.5 MB/s (18260656 bytes in 1.050s)
```
- Set executable permissions and start the server:
```
adb shell
cd /data/local/tmp
chmod 755 frida-server
./frida-server &
```
The `&` puts it in the background. You can exit the ADB shell now.

3. Workstation Setup

Install `frida-tools` on your workstation:
```
pip install frida-tools
```
Verify Frida is communicating with your device:
```
frida-ps -U
PID NAME
[...]
```
Identifying Insecure Storage Practices

Before hooking, it’s beneficial to know where to look. Android apps typically store private data in `/data/data//`. Key subdirectories include `files`, `databases`, and `shared_prefs`.

1. Manual File System Inspection

Using `adb shell`, you can directly inspect these directories:
```
adb shell
ls -l /data/data/com.example.insecureapp/shared_prefs/
-rw-rw---- 1 u0_a232 u0_a232    1234 2023-10-27 10:30 user_settings.xml
ls -l /data/data/com.example.insecureapp/files/
-rw-rw---- 1 u0_a232 u0_a232     567 2023-10-27 10:35 sensitive_data.bin
```
Often, XML files in `shared_prefs` or `.json`, `.txt`, `.bin` files in `files` can contain plaintext sensitive data. Reading these files directly can sometimes reveal the vulnerability without Frida, but Frida is essential for dynamic data interception.

2. Common Vulnerabilities
- Plaintext Shared Preferences: Storing sensitive data like API keys, session tokens, or even passwords directly in `SharedPreferences` without encryption.
- Unencrypted Files: Writing sensitive data to application-specific files (`FileOutputStream`) without encryption.
Exploiting Shared Preferences with Frida

Let’s consider an application that stores a user’s API token in `SharedPreferences`. Our goal is to intercept this token as it’s being written.

Step 1: Identify the Target Application and Methods

First, find the package name of the target application using `frida-ps -Uai` (list installed apps).

We are interested in the `android.content.SharedPreferences$Editor` class, specifically its `putString` method, which is used to store string values, and its `commit()` or `apply()` methods, which save the changes.

Step 2: Crafting the Frida Script (`dump_prefs.js`)
```
Java.perform(function () {
    console.log("[*] Hooking SharedPreferences.Editor.putString");

    var SharedPreferencesEditor = Java.use("android.content.SharedPreferences$Editor");

    SharedPreferencesEditor.putString.overload('java.lang.String', 'java.lang.String').implementation = function (key, value) {
        console.log("--------------------------------------------------------------------------------");
        console.log("[*] SharedPreferences.Editor.putString called!");
        console.log("  Key: " + key);
        console.log("  Value: " + value);
        console.log("  Stack Trace:n" + Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
        console.log("--------------------------------------------------------------------------------");
        return this.putString(key, value);
    };

    SharedPreferencesEditor.commit.implementation = function () {
        console.log("[*] SharedPreferences.Editor.commit() called. Data likely persisted.");
        return this.commit();
    };

    SharedPreferencesEditor.apply.implementation = function () {
        console.log("[*] SharedPreferences.Editor.apply() called. Data likely persisted (asynchronously).");
        return this.apply();
    };

    console.log("[*] SharedPreferences hooks loaded.");
});
```
Step 3: Executing the Script

Run the script, attaching to the target application’s package name. The `–no-pause` flag ensures the application starts immediately.
```
frida -U -l dump_prefs.js -f com.example.insecureapp --no-pause
```
Now, interact with the application. When it attempts to store data via `SharedPreferences.Editor.putString`, you will see output similar to this in your console:
```
[*] SharedPreferences.Editor.putString called!
  Key: user_api_token
  Value: sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx
  Stack Trace:...
--------------------------------------------------------------------------------
```
Congratulations, you’ve intercepted sensitive data from `SharedPreferences`!

Intercepting FileStream Writes for Sensitive Data

Sometimes, applications write sensitive data directly to files using `java.io.FileOutputStream`. We can hook the `write` methods to capture this data.

Step 1: Hooking FileOutputStream.write

We’ll target the `write(byte[] b)` and `write(byte[] b, int off, int len)` methods of `java.io.FileOutputStream`.

Step 2: Crafting the Frida Script (`intercept_file_write.js`)
```
Java.perform(function () {
    console.log("[*] Hooking FileOutputStream.write");

    var FileOutputStream = Java.use("java.io.FileOutputStream");

    // Hooking write(byte[] b)
    FileOutputStream.write.overload('[B').implementation = function (b) {
        var data = Java.array('byte', b);
        var decoded = String.fromCharCode.apply(null, data);
        console.log("--------------------------------------------------------------------------------");
        console.log("[*] FileOutputStream.write(byte[] b) called!");
        console.log("  Data (String attempt): " + decoded);
        console.log("  Data (Hex): " + Array.prototype.map.call(data, function (byte) {
            return ('0' + (byte & 0xFF).toString(16)).slice(-2);
        }).join(' '));
        console.log("  Stack Trace:n" + Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
        console.log("--------------------------------------------------------------------------------");
        return this.write(b);
    };

    // Hooking write(byte[] b, int off, int len)
    FileOutputStream.write.overload('[B', 'int', 'int').implementation = function (b, off, len) {
        var data = Java.array('byte', b);
        // Extract only the relevant part of the byte array based on offset and length
        var relevantData = data.slice(off, off + len);
        var decoded = String.fromCharCode.apply(null, relevantData);
        console.log("--------------------------------------------------------------------------------");
        console.log("[*] FileOutputStream.write(byte[] b, int off, int len) called!");
        console.log("  Offset: " + off + ", Length: " + len);
        console.log("  Data (String attempt): " + decoded);
        console.log("  Data (Hex): " + Array.prototype.map.call(relevantData, function (byte) {
            return ('0' + (byte & 0xFF).toString(16)).slice(-2);
        }).join(' '));
        console.log("  Stack Trace:n" + Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
        console.log("--------------------------------------------------------------------------------");
        return this.write(b, off, len);
    };

    console.log("[*] FileOutputStream hooks loaded.");
});
```
Step 3: Running the Interception

Execute the script, again attaching to the target application:
```
frida -U -l intercept_file_write.js -f com.example.insecureapp --no-pause
```
As the application writes data to files, you will see output in your console. The script attempts to decode the bytes to a string and also provides a hex dump, which is useful for non-textual data or for identifying encoding issues.
```
[*] FileOutputStream.write(byte[] b) called!
  Data (String attempt): {"username":"testuser","password":"Pa$$w0rd!"}
  Data (Hex): 7b 22 75 73 65 72 6e 61 6d 65 22 3a 22 74 65 73 74 75 73 65 72 22 2c 22 70 61 73 73 77 6f 72 64 22 3a 22 50 61 24 24 77 30 72 64 21 22 7d
  Stack Trace:...
--------------------------------------------------------------------------------
```
Mitigation Strategies: Securing Internal Storage

For developers, preventing these vulnerabilities is paramount:
- Android KeyStore: Use the Android KeyStore system to securely store cryptographic keys, which can then be used to encrypt sensitive data before writing it to `SharedPreferences` or files.
- Encryption: Always encrypt sensitive data before storing it in internal storage. Implement robust encryption schemes (e.g., AES-256) and manage keys securely.
- Password-based Encryption: For highly sensitive user-provided data, derive encryption keys from user passwords, ensuring proper key stretching (e.g., PBKDF2).
- Third-party Libraries: Utilize well-vetted libraries designed for secure storage, which often abstract away complex cryptographic operations.
- `MODE_PRIVATE` and `Context.MODE_PRIVATE`: While `SharedPreferences` and `FileOutputStream` default to `MODE_PRIVATE`, this only prevents other applications from accessing the data. It does not protect against a rooted device or dynamic analysis.
Conclusion

Exploiting insecure internal storage on Android is a common and critical finding in penetration tests. Frida empowers security researchers and ethical hackers to dynamically intercept and analyze data as it’s being written, providing undeniable proof of concept for these vulnerabilities. By understanding the underlying mechanisms and employing powerful tools like Frida, you can effectively identify weaknesses and help build more secure Android applications. Always remember to use these techniques ethically and only on systems you have explicit permission to test.
May 30, 2026
Bypassing Obfuscation: Using Frida to Reveal & Exploit Hidden Insecure Data Storage in Android Apps
Introduction: The Stealth of Insecure Data Storage

In the world of Android application security, insecure data storage remains a perennial vulnerability. Developers often inadvertently, or sometimes intentionally with misguided assumptions, store sensitive information like API keys, user tokens, or personal data in easily accessible locations. When combined with code obfuscation techniques (like ProGuard or R8), statically identifying these storage patterns becomes a daunting task. This article delves into how dynamic instrumentation with Frida can effectively bypass obfuscation, revealing and exploiting these hidden insecure data storage mechanisms.

Prerequisites for Your Android Pentesting Lab

Before we embark on this journey, ensure you have the following setup:
- Rooted Android Device or Emulator: Essential for running Frida server.
- ADB (Android Debug Bridge): For interacting with the device.
- Frida Server: Installed and running on your Android device/emulator.
- Frida-tools: Installed on your host machine (e.g., via pip install frida-tools).
- Basic Java/Kotlin Knowledge: Understanding Android API calls for data storage.
Setting Up Frida Server

To get started, download the appropriate Frida server binary for your Android device’s architecture (e.g., frida-server-*-android-arm64 from GitHub releases). Then push it to your device and execute it:
```
adb push frida-server-*-android-arm64 /data/local/tmp/frida-serveradb shell"chmod 755 /data/local/tmp/frida-server"adb shell"/data/local/tmp/frida-server &"
```
The Challenge: Obfuscation Hides All

Obfuscation transforms application code into a less readable format, making reverse engineering harder. Class names, method names, and variable names are often shortened to meaningless characters (e.g., a.b.c.d). While this deters casual analysis, it doesn’t prevent runtime execution. This is where Frida shines; it operates at runtime, where the Android system has already resolved the actual method calls, regardless of their original or obfuscated names.

Frida to the Rescue: Dynamic Instrumentation

Frida is a dynamic instrumentation toolkit that allows you to inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX. For our purpose, we’ll use its JavaScript API to hook into critical Android framework methods responsible for data storage.

Targeting Insecure SharedPreferences

SharedPreferences is a common storage mechanism for small collections of key-value pairs. Insecure implementations often store sensitive data without encryption. We can hook methods used to write to SharedPreferences to intercept data before it’s written.

Key methods to target:
- android.content.SharedPreferences$Editor.putString(java.lang.String, java.lang.String)
- android.content.SharedPreferences$Editor.putInt(java.lang.String, int) (and other primitive types)
- android.content.SharedPreferences$Editor.apply()
- android.content.SharedPreferences$Editor.commit()
Here’s a Frida script to intercept putString calls:
```
Java.perform(function () {    var SharedPreferencesEditor = Java.use("android.content.SharedPreferences$Editor");    SharedPreferencesEditor.putString.implementation = function (key, value) {        console.log("[SharedPreferences.putString] Key: " + key + ", Value: " + value);        return this.putString(key, value);    };    SharedPreferencesEditor.apply.implementation = function () {        console.log("[SharedPreferences.apply] Data committed.");        return this.apply();    };    SharedPreferencesEditor.commit.implementation = function () {        console.log("[SharedPreferences.commit] Data committed synchronously.");        return this.commit();    };});
```
To run this script against an application (replace com.example.targetapp with the actual package name):
```
frida -U -f com.example.targetapp -l frida_prefs_hook.js --no-pause
```
As you interact with the app, any data written to SharedPreferences via putString will be logged to your console. This technique works even if the app’s own classes are heavily obfuscated, because we are hooking into the *Android framework’s* SharedPreferences methods, whose names remain consistent.

Intercepting SQLite Database Operations

SQLite databases are often used for structured data storage. Unencrypted SQLite databases, especially those containing sensitive user data, are a prime target. We can hook SQL execution methods to log queries and observe data.

Key methods to target:
- android.database.sqlite.SQLiteDatabase.execSQL(java.lang.String)
- android.database.sqlite.SQLiteDatabase.insert(java.lang.String, java.lang.String, android.content.ContentValues)
- android.database.sqlite.SQLiteDatabase.update(java.lang.String, android.content.ContentValues, java.lang.String, java.lang.String[])
Frida script for execSQL and insert:
```
Java.perform(function () {    var SQLiteDatabase = Java.use("android.database.sqlite.SQLiteDatabase");    SQLiteDatabase.execSQL.implementation = function (sql) {        console.log("[SQLiteDatabase.execSQL] Query: " + sql);        return this.execSQL(sql);    };    SQLiteDatabase.insert.implementation = function (table, nullColumnHack, values) {        var contentValuesMap = Java.cast(values, Java.use("android.content.ContentValues")).toString();        console.log("[SQLiteDatabase.insert] Table: " + table + ", Values: " + contentValuesMap);        return this.insert(table, nullColumnHack, values);    };});
```
Run this script similarly:
```
frida -U -f com.example.targetapp -l frida_sqlite_hook.js --no-pause
```
This script will output SQL queries and inserted values, potentially revealing sensitive data. Once an unencrypted database is identified, you can often pull it directly from the device’s internal storage (e.g., /data/data/com.example.targetapp/databases/mydb.db) using ADB.
```
adb pull /data/data/com.example.targetapp/databases/mydb.db .
```
Hooking File I/O for Internal/External Storage

Sometimes, developers store data directly in files within internal or external storage. If these files are not encrypted, their contents can be easily read. We can hook file writing operations.

Key methods to target:
- java.io.FileOutputStream.write(byte[])
- java.io.FileWriter.write(java.lang.String)
Frida script for FileOutputStream.write:
```
Java.perform(function () {    var FileOutputStream = Java.use("java.io.FileOutputStream");    FileOutputStream.write.overload('[B').implementation = function (bytes) {        var filePath = "Unknown";        try {            // Attempt to get the file path from the FileDescriptor            var fd = this.getFD();            var fileDescriptor = Java.cast(fd, Java.use("java.io.FileDescriptor"));            // This part is tricky to get directly. You might need to hook File constructor.            // For demonstration, let's assume we know the file or deduce from context.            // More robust solution involves hooking constructor of FileOutputStream to get path.        } catch (e) {            console.warn("Could not get file descriptor: " + e);        }        var content = Java.use("java.lang.String").$new(bytes);        console.log("[FileOutputStream.write] File path (approx): " + filePath + ", Content: " + content.substring(0, Math.min(content.length, 200)) + "..."); // Log first 200 chars        return this.write(bytes);    };});
```
Note: Getting the exact file path from `FileOutputStream.write` is more complex as the `FileOutputStream` object itself doesn’t directly expose the path after creation. A more robust solution involves hooking the `File` constructors or `FileOutputStream` constructors to log the path at object instantiation.
```
Java.perform(function () {    var File = Java.use("java.io.File");    File.$init.overload('java.lang.String').implementation = function (path) {        console.log("[File Created] Path: " + path);        return this.$init(path);    };    File.$init.overload('java.lang.String', 'java.lang.String').implementation = function (parent, child) {        console.log("[File Created] Parent: " + parent + ", Child: " + child);        return this.$init(parent, child);    };    // ... (add other FileOutputStream or FileWriter hooks to capture data)});
```
Leveraging Frida for Obfuscation Bypass

The beauty of these techniques lies in their resilience to obfuscation. When an application calls SharedPreferences.Editor.putString(), it’s always calling the same underlying Android framework method, regardless of what the calling class in the obfuscated app is named. Frida hooks into that *specific* framework method, allowing us to see its arguments. This means we don’t need to decompile, deobfuscate, or statically analyze the app’s potentially complex or protected code.

Conclusion: Unmasking Hidden Dangers

Frida is an indispensable tool for Android penetration testers. Its dynamic instrumentation capabilities allow us to peer directly into the runtime behavior of applications, bypassing the obfuscation layers designed to obscure static analysis. By strategically hooking into common data storage APIs like SharedPreferences, SQLite, and File I/O, we can uncover insecure data storage practices that would otherwise remain hidden. Always remember to store sensitive data using robust encryption and secure storage mechanisms like Android Keystore to protect against such attacks.
May 30, 2026
Real-World Android Pentesting: Identifying and Exploiting Insecure External Storage with Frida
Introduction

In the realm of Android application penetration testing, insecure data storage remains a perennial vulnerability. While internal storage offers a degree of isolation, external storage (like SD cards or shared internal storage partitions) presents significant risks due to its less restrictive access controls. When applications store sensitive user data or critical configuration files on external storage without proper encryption or access restrictions, they expose this data to other applications, the user, and potentially even malicious actors with physical device access. This article delves into identifying and exploiting these insecure external storage vulnerabilities, leveraging the powerful dynamic instrumentation toolkit, Frida.

We will explore how to static and dynamically analyze Android applications for insecure storage practices, understand the nuances of Android’s storage mechanisms, and ultimately use Frida to intercept, inspect, and even manipulate data being written to or read from external storage in real-time, simulating a potent attack scenario.

Understanding Android Storage Mechanisms

Android provides several storage options for applications, each with distinct security implications.

Internal Storage

Internal storage is private to the application. Data stored here is typically only accessible by the application itself, and it’s automatically deleted when the application is uninstalled. This is the default and most secure location for sensitive application data because it’s sandboxed and requires root privileges for other apps to access.

External Storage

External storage is world-readable and world-writable. On most devices, this refers to a shared internal storage partition, though it can also include removable SD cards. While useful for storing large files that should be accessible by the user or other apps (e.g., photos, downloads), it is inherently insecure for sensitive data. Any application with the `READ_EXTERNAL_STORAGE` or `WRITE_EXTERNAL_STORAGE` permission can access files stored here, posing a significant risk if an application places private user data, tokens, or encryption keys in this area.

Identifying Insecure External Storage Vulnerabilities

Identifying these vulnerabilities involves a combination of static and dynamic analysis.

1. Static Analysis

Begin by decompiling the Android application (APK) using tools like JADX or Apktool. Focus on the `AndroidManifest.xml` and the application’s source code.

AndroidManifest.xml Inspection:

Check for the presence of external storage permissions. While `READ_EXTERNAL_STORAGE` and `WRITE_EXTERNAL_STORAGE` are common, their mere presence doesn’t confirm a vulnerability, but it indicates the app *can* access external storage.
```
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
```
Source Code Review:

Search the decompiled Java/Smali code for common API calls related to external storage. Look for:
- `Environment.getExternalStorageDirectory()`
- `Context.getExternalFilesDir()`
- `Context.getExternalCacheDir()`
- Usage of `java.io.File` with paths constructed from these methods.
- `FileOutputStream`, `FileWriter`, `BufferedWriter` used with external paths.
Pay close attention to what data is being written to these paths.

2. Dynamic Analysis with ADB

Install the application on a rooted device or emulator. Use `adb shell` to explore the common external storage paths while the application is running and performing its functions.
```
adb shell
cd /sdcard/Android/data/
ls -l
cd <package.name>/
ls -lR
cat <potentially_sensitive_file>
```
Also check the root of the `/sdcard` directory or `Environment.getExternalStorageDirectory()` for any files directly dropped there.

Leveraging Frida for Dynamic Exploitation

Frida is an unparalleled toolkit for dynamic instrumentation, allowing us to inject custom scripts into running processes. This enables us to hook into Java/Kotlin methods, inspect arguments, modify return values, and observe behavior in real-time without modifying the application binary.

Frida Setup Prerequisites
1. Rooted Android device or emulator.
2. Frida server running on the Android device.
3. Frida tools installed on your host machine (`pip install frida-tools`).
To run Frida server on your device:
```
# Download the appropriate frida-server for your device's architecture from GitHub
# Example for ARM64:
wget https://github.com/frida/frida/releases/download/16.1.4/frida-server-16.1.4-android-arm64.xz
unxz frida-server-16.1.4-android-arm64.xz
adb push frida-server-16.1.4-android-arm64 /data/local/tmp/frida-server
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"
```
Hooking Storage APIs to Identify Sensitive Data Writes

Our goal is to intercept calls to file writing methods that involve external storage. We can hook methods like `java.io.FileOutputStream`’s constructor or `java.io.File`’s `createNewFile()` to get a clearer picture of file creation and writes.

Consider a simple Frida script to monitor all `FileOutputStream` creations:
```
Java.perform(function () {
    var FileOutputStream = Java.use("java.io.FileOutputStream");
    FileOutputStream.$init.overload('java.lang.String').implementation = function (path) {
        console.log("[+] FileOutputStream created for path: " + path);
        if (path.includes("/sdcard/") || path.includes("external_storage")) {
            console.warn("[!!!] Possible sensitive data written to external storage: " + path);
            // You can add more checks here, e.g., print stack trace
            // Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new());
        }
        return this.$init(path);
    };

    FileOutputStream.$init.overload('java.io.File').implementation = function (file) {
        console.log("[+] FileOutputStream created for file: " + file.getAbsolutePath());
        if (file.getAbsolutePath().includes("/sdcard/") || file.getAbsolutePath().includes("external_storage")) {
            console.warn("[!!!] Possible sensitive data written to external storage: " + file.getAbsolutePath());
        }
        return this.$init(file);
    };

    // Hooking write methods to see content
    var OutputStream = Java.use('java.io.OutputStream');
    OutputStream.write.overload('[B', 'int', 'int').implementation = function (b, off, len) {
        var data = Java.array('byte', b);
        var str = String.fromCharCode.apply(String, data);
        console.log("[+] Data being written: " + str);
        return this.write(b, off, len);
    };
});
```
Real-World Scenario: Intercepting and Manipulating Data

Let’s imagine a vulnerable application that stores a user’s session token or sensitive preferences in a file on external storage.

Example vulnerable Java/Kotlin code:
```
// In a hypothetical Android application
public void saveSessionToken(String token) {
    File externalDir = Environment.getExternalStorageDirectory();
    File tokenFile = new File(externalDir, "app_session.txt");
    try (FileOutputStream fos = new FileOutputStream(tokenFile)) {
        fos.write(token.getBytes());
        Log.d("App", "Session token saved to: " + tokenFile.getAbsolutePath());
    } catch (IOException e) {
        Log.e("App", "Error saving session token", e);
    }
}
```
A Frida script can not only detect this write but also intercept and modify the token being written or even read later.
```
Java.perform(function () {
    var FileOutputStream = Java.use("java.io.FileOutputStream");
    var originalWrite = FileOutputStream.write.overload('[B');

    FileOutputStream.write.overload('[B').implementation = function (b) {
        var filePath = "Unknown";
        try {
            // Attempt to get the file path from the FileDescriptor associated with this FileOutputStream
            var fd = this.getFD();
            var FileDescriptor = Java.use('java.io.FileDescriptor');
            var pathField = FileDescriptor.class.getDeclaredField('path');
            pathField.setAccessible(true);
            filePath = pathField.get(fd);
        } catch (e) {
            // Handle cases where path might not be directly accessible or field name differs across Android versions
        }
        
        var originalData = Java.array('byte', b);
        var originalString = String.fromCharCode.apply(String, originalData);
        console.log("[*] Detected write to: " + filePath);
        console.log("[*] Original data: " + originalString);

        if (filePath.includes("app_session.txt") && originalString.startsWith("session_")) {
            console.warn("[!!!] Intercepting and altering sensitive session token!");
            var modifiedToken = "MALICIOUS_SESSION_TOKEN_INJECTED_BY_FRIDA";
            var modifiedData = modifiedToken.getBytes();
            console.log("[!!!] Modified data: " + modifiedToken);
            return originalWrite.call(this, modifiedData);
        }
        return originalWrite.call(this, b);
    };

    // Also hook reads to ensure consistency if app reads the token back
    var FileInputStream = Java.use("java.io.FileInputStream");
    FileInputStream.read.overload().implementation = function () {
        var ret = this.read();
        // You can similarly inspect and modify data read if needed
        return ret;
    };
});
```
To execute this script, ensure your target application is running, then use:
```
frida -U -f <package.name> -l your_frida_script.js --no-pause
```
Replace `<package.name>` with the actual package name of the target application (e.g., `com.example.vulnerableapp`). The `–no-pause` flag ensures the app starts immediately with the script injected.

Mitigation Strategies for Developers

To prevent insecure external storage vulnerabilities:
- **Avoid storing sensitive data on external storage.** If absolutely necessary, always encrypt the data with a strong, app-specific key.
- **Use internal storage for private data.** Leverage `Context.getFilesDir()` or `getCacheDir()` for application-private files.
- **Implement proper file access permissions.** For files that must be on external storage, use permissions that restrict access to the owning app if possible, though this is less effective for world-writable paths.
- **Sanitize and validate all inputs and outputs.** Never trust data coming from or going to external storage.
Conclusion

Insecure external storage remains a critical vulnerability in Android applications, often leading to sensitive data exposure. By mastering static analysis for initial identification and leveraging the dynamic power of Frida, penetration testers can effectively pinpoint, intercept, and even manipulate data flows to demonstrate the full impact of these vulnerabilities. Understanding both the attack vectors and robust mitigation strategies is crucial for securing the Android ecosystem against such prevalent threats.
May 30, 2026
Frida Troubleshooting: Common Challenges & Solutions When Exploiting Android Insecure Data Storage
Introduction to Insecure Data Storage and Frida

Insecure Data Storage remains a perennial vulnerability in Android applications, often leading to sensitive user data exposure. Whether it’s credentials, personal identifiable information (PII), or application configuration, storing data without proper protection poses significant risks. Dynamic analysis tools like Frida are indispensable for identifying and exploiting these vulnerabilities at runtime. Frida allows security researchers to inject custom scripts into running processes, hook into Java and native functions, and modify application behavior on the fly. However, leveraging Frida effectively, especially for complex tasks like exploiting insecure data storage, often involves navigating a series of troubleshooting challenges. This article delves into common pitfalls and provides expert solutions to streamline your Frida-based Android penetration testing efforts.

Understanding Insecure Data Storage on Android

Before diving into troubleshooting, it’s crucial to understand where and how Android apps typically store data insecurely:
- SharedPreferences: Lightweight key-value storage. While intended for simple settings, developers sometimes store sensitive data here, potentially with `MODE_WORLD_READABLE` (though deprecated, still found in older apps) or simply readable by a rooted device.
- Internal Storage: App-private files stored in `/data/data//files` or similar directories. Access is generally restricted to the app itself, but a rooted device can bypass this.
- External Storage: Accessible to all apps and users (e.g., SD card, `/sdcard`). Data here is considered public and should never contain sensitive information.
- SQLite Databases: Structured data storage often found in `/data/data//databases`. Like internal storage, these are protected by the sandbox but vulnerable on rooted devices.
- Custom Files/Caches: Application-specific files that might contain sensitive data, sometimes forgotten during cleanup or left exposed.
Frida’s strength lies in its ability to intercept application logic as it interacts with these storage mechanisms.

Frida for Dynamic Analysis of Data Storage

Frida allows you to hook methods responsible for reading from and writing to these storage locations. For instance, you can intercept calls to `SharedPreferences.getString()`, `SQLiteDatabase.rawQuery()`, or `FileOutputStream.write()` to inspect, modify, or log data as it’s being handled by the application. This provides a real-time view into the app’s data flow, which static analysis often misses.

Common Frida Troubleshooting Scenarios and Solutions

Challenge 1: Frida Server Not Running or App Not Found

Symptom:

Failed to attach: unable to find process with name 'com.example.app' or Failed to attach: remote system is unreachable.

Solution:

This is often the most basic yet frustrating issue. Ensure `frida-server` is running on the Android device and that you’re using the correct package name.
- Verify `frida-server` Status:
```
adb shell "ps -A | grep frida-server"
```
  If no output, push and run it:
```
adb push /path/to/frida-server /data/local/tmp/frida-serveradb shell "chmod 755 /data/local/tmp/frida-server"adb shell "/data/local/tmp/frida-server &"
```
- Check Device Connectivity:
```
adb devices
```
  Ensure your device is listed.
- Correct Package Name: Double-check the app’s package name. Use `adb shell pm list packages -f | grep ` or a tool like Apktool to get the manifest.
- Targeting by PID: Sometimes, targeting by PID (`frida -U -p `) is more reliable if the app restarts frequently.
Challenge 2: Permissions Issues for Storage Access

Symptom:

While Frida scripts run in the app’s context and usually have access to its private data, you might encounter `Permission denied` errors when trying to interact with certain files or if `frida-server` isn’t running with sufficient privileges.

Solution:

Frida scripts execute within the target application’s sandbox. Therefore, they inherently possess the same filesystem permissions as the application itself. If you’re trying to access files outside the app’s designated data directories (e.g., `/data/data/com.example.app`), the app (and thus your Frida script) will be denied access by the Android OS. However, if you are attempting to access the app’s private files and still face `Permission denied`, it usually indicates one of two scenarios:
- Root Privileges for Frida Server: If the device is rooted, ensure `frida-server` is run as root (e.g., via `su -c /data/local/tmp/frida-server &`). This grants `frida-server` the ability to manipulate files across the entire filesystem, including those with strict SELinux contexts.
- SELinux Restrictions: On modern Android versions, SELinux can impose further restrictions. Running `frida-server` as root often bypasses most user-space SELinux policies relevant to app data.
Example of accessing app’s internal storage via Frida:
```
Java.perform(function () {    var File = Java.use(
```
May 30, 2026
Beyond the Basics: Advanced Frida Scripts for Automated Android Insecure Data Storage Discovery & Extraction Introduction to Insecure Data Storage and Frida Insecure Data Storage (IDS) remains a persistent and critical vulnerability in Android applications. It occurs when sensitive user or application data is stored in locations accessible to other applications, or without proper protection, allowing unauthorized access. According to the OWASP Mobile Application Security Verification Standard (MASVS), proper data protection is a cornerstone of secure mobile development. Manually combing through an application’s storage directories for such vulnerabilities can be a tedious and time-consuming process. This article delves into leveraging Frida, a powerful dynamic instrumentation toolkit, to automate the discovery and extraction of insecurely stored data on Android, moving beyond basic hooking to more advanced, systematic approaches. Frida allows us to inject custom scripts into running processes, enabling us to hook into application functions, modify their behavior, and inspect data in real-time. This capability is invaluable for penetration testers and security researchers aiming to identify how, where, and what data an application is storing. Prerequisites Before diving into the advanced scripting, ensure you have the following setup: A rooted Android device or emulator (e.g., AVD, Genymotion, Nox Player) Frida server running on the Android device Frida-tools installed on your host machine (`pip install frida-tools`) Basic understanding of JavaScript and Android architecture Understanding Android Data Storage Mechanisms Android provides several storage options, each with different access permissions and typical use cases. Insecure implementations often stem from misunderstanding these mechanisms or misconfiguring their access controls. Internal Storage (Application-specific files) Internal storage is designed for application-specific data and is typically private to the app. Paths like `/data/data/YOUR_PACKAGE_NAME/files/` and `/data/data/YOUR_PACKAGE_NAME/cache/` are common. However, if files are created with modes like `MODE_WORLD_READABLE` or `MODE_WORLD_WRITABLE` (though deprecated, still found), or if the app’s internal directories themselves have lax permissions, other apps or even unprivileged users might access them. External Storage (Shared Storage) External storage (e.g., SD card or shared internal storage partition) is publicly readable and writable. While `Context.getExternalFilesDir()` provides an app-specific directory on external storage that is cleared on uninstall, legacy or poorly implemented apps might still use `Environment.getExternalStorageDirectory()` which points to a globally accessible directory. Data stored here should always be considered public and encrypted if sensitive. Shared Preferences Shared Preferences (`Context.getSharedPreferences()`) provide a lightweight mechanism to store key-value pairs of primitive data. These are typically stored as XML files within `/data/data/YOUR_PACKAGE_NAME/shared_prefs/`. While usually private to the app, misconfigurations (e.g., `MODE_WORLD_READABLE`) can expose these files, revealing sensitive configuration data, tokens, or user information. SQLite Databases Android applications commonly use SQLite databases for structured data storage. These databases are typically located in `/data/data/YOUR_PACKAGE_NAME/databases/`. Similar to Shared Preferences, if created with world-readable/writable flags or if the database directory itself is exposed, the entire database content can be compromised. Frida for Automated Discovery of Data Storage Access The core idea behind using Frida for IDS discovery is to hook into the Android API calls responsible for creating and interacting with various storage mechanisms. By doing so, we can log every instance an application attempts to write data, noting the path, mode, and sometimes even the content. Hooking File I/O for Internal Storage We can intercept calls to `openFileOutput()` to see what files an application creates in its internal storage and with what permissions. Java.perform(function() {Java.use('android.app.ContextImpl').openFileOutput.implementation = function(name, mode) {console.log("[Frida] openFileOutput called: File = " + name + ", Mode = " + mode);var result = this.openFileOutput(name, mode);if (mode === 1 || mode === 2) { // MODE_WORLD_READABLE (1) or MODE_WORLD_WRITABLE (2)console.warn("[Frida-IDS] Insecure File Creation Detected: " + name + " with mode: " + mode);}return result;};console.log("[*] Hooked openFileOutput");}); To run this script: frida -U -f com.example.insecureapp -l file_io_hook.js --no-pause This script will print details every time `openFileOutput` is invoked, highlighting potentially insecure modes. Intercepting Shared Preferences Access Monitoring `getSharedPreferences()` helps us identify the names of preference files. Furthermore, we can hook `putString()`, `putInt()`, etc., on the `SharedPreferences.Editor` object to capture the actual key-value pairs being stored. Java.perform(function() {var SharedPreferencesImpl = Java.use('android.app.SharedPreferencesImpl');SharedPreferencesImpl.constructor.overload('java.io.File', 'int').implementation = function(file, mode) {console.log("[Frida] SharedPreferences created: File = " + file.getAbsolutePath() + ", Mode = " + mode);if (mode === 1 || mode === 2) { // MODE_WORLD_READABLE (1) or MODE_WORLD_WRITABLE (2)console.warn("[Frida-IDS] Insecure SharedPreferences Creation: " + file.getAbsolutePath() + " with mode: " + mode);}return this.constructor.overload('java.io.File', 'int').call(this, file, mode);};var EditorImpl = Java.use('android.app.SharedPreferencesImpl$EditorImpl');EditorImpl.putString.overload('java.lang.String', 'java.lang.String').implementation = function(key, value) {console.log("[Frida] SharedPreferences putString: Key = " + key + ", Value = " + value);return this.putString(key, value);};EditorImpl.putInt.overload('java.lang.String', 'int').implementation = function(key, value) {console.log("[Frida] SharedPreferences putInt: Key = " + key + ", Value = " + value);return this.putInt(key, value);};console.log("[*] Hooked SharedPreferences");}); This script captures both the creation of Shared Preferences files and the individual key-value pairs being written, offering a comprehensive view of sensitive data storage in preferences. Monitoring SQLite Database Operations To detect insecure database storage, we can hook `openOrCreateDatabase()`. This reveals the database name and its creation mode. Java.perform(function() {Java.use('android.app.ContextImpl').openOrCreateDatabase.overload('java.lang.String', 'int', 'android.database.sqlite.SQLiteDatabase$CursorFactory').implementation = function(name, mode, factory) {console.log("[Frida] openOrCreateDatabase called: DB Name = " + name + ", Mode = " + mode);if (mode === 1 || mode === 2) { // MODE_WORLD_READABLE (1) or MODE_WORLD_WRITABLE (2)console.warn("[Frida-IDS] Insecure Database Creation: " + name + " with mode: " + mode);}return this.openOrCreateDatabase(name, mode, factory);};Java.use('android.app.ContextImpl').openOrCreateDatabase.overload('java.lang.String', 'int', 'android.database.sqlite.SQLiteDatabase$CursorFactory', 'android.database.DatabaseErrorHandler').implementation = function(name, mode, factory, errorHandler) {console.log("[Frida] openOrCreateDatabase called: DB Name = " + name + ", Mode = " + mode);if (mode === 1 || mode === 2) { // MODE_WORLD_READABLE (1) or MODE_WORLD_WRITABLE (2)console.warn("[Frida-IDS] Insecure Database Creation: " + name + " with mode: " + mode);}return this.openOrCreateDatabase(name, mode, factory, errorHandler);};console.log("[*] Hooked openOrCreateDatabase");}); This script will log the database file names and their associated modes when they are created or opened, allowing you to quickly identify databases with potentially weak permissions. Automated Extraction and Further Analysis Once you’ve discovered paths to sensitive files or databases, the next step is extraction and analysis. Frida can aid in identifying these paths, which you can then pull using `adb`. Pulling Files and Databases via ADB After Frida logs a suspicious file path, you can use `adb pull` to extract it. For files in `/data/data/APP_PACKAGE/`, direct `adb pull` often works on rooted devices. If not, you may need to copy it to a world-readable location first. # If direct pull works:adb pull /data/data/com.example.insecureapp/shared_prefs/my_prefs.xml. # If direct pull fails due to permissions (e.g., on some devices or non-root context):adb shell su -c "cp /data/data/com.example.insecureapp/files/sensitive.txt /sdcard/Download/sensitive.txt"adb pull /sdcard/Download/sensitive.txtrm /sdcard/Download/sensitive.txt For SQLite databases, you can use tools like `sqlitebrowser` (DB Browser for SQLite) to inspect their contents after pulling. Enumerating All Storage Artifacts (Advanced) Beyond hooking specific I/O calls, you can use Frida to programmatically enumerate an application’s entire private storage directory. This provides a holistic view of all files and directories created by the app, irrespective of whether they were explicitly hooked. Java.perform(function() {var File = Java.use('java.io.File');var Application = Java.use('android.app.Application');var currentApplication = Application.currentApplication();if (currentApplication) {var filesDir = currentApplication.getFilesDir();var cacheDir = currentApplication.getCacheDir();var dataDir = filesDir.getParentFile(); // Typically /data/data/PACKAGE_NAMEconsole.log("[Frida] Listing contents of application data directory: " + dataDir.getAbsolutePath());function listDirectoryRecursive(directory) {if (directory === null || !directory.exists()) {return;}var files = directory.listFiles();if (files) {for (var i = 0; i < files.length; i++) {var file = files[i];if (file.isDirectory()) {console.log("[Frida-Dir] " + file.getAbsolutePath());listDirectoryRecursive(file);} else {console.log("[Frida-File] " + file.getAbsolutePath() + " (Size: " + file.length() + " bytes)");}}}}listDirectoryRecursive(dataDir);} else {console.error("[*] Could not get current application context.");}}); This script obtains the application’s root data directory (e.g., `/data/data/com.example.app`) and then recursively lists all files and subdirectories within it. This is extremely powerful for identifying unexpected files or directories that might contain sensitive data, even if they weren’t created via standard Android API calls or were missed by specific I/O hooks. It gives you a complete inventory of an app’s internal storage footprint. Conclusion Frida provides an unparalleled level of introspection into Android applications, making it an indispensable tool for identifying insecure data storage vulnerabilities. By combining targeted API hooking with programmatic directory enumeration, security researchers can automate a significant portion of the discovery process, uncovering sensitive files, databases, and Shared Preferences that might otherwise be overlooked. Remember to always conduct such tests ethically and with proper authorization, reporting any findings responsibly to the application developers. Mastering these advanced Frida techniques will significantly enhance your Android penetration testing capabilities. May 30, 2026
Advanced Android NDK Root Detection Bypass: A Frida & Ghidra Deep Dive into Native Checks Introduction to Native Root Detection and Bypass Android applications, especially those handling sensitive data or digital rights management (DRM), frequently implement root detection mechanisms to prevent unauthorized access and manipulation. While many checks occur at the Java layer, more sophisticated applications offload these critical checks to native libraries (NDK), making them significantly harder to bypass. This article provides an expert-level guide on how to reverse engineer and bypass native root detection using a powerful combination of static analysis with Ghidra and dynamic instrumentation with Frida. Why Native Root Detection? Native root detection bypasses many common Java-level hooking frameworks and obfuscation techniques. By implementing checks in C/C++, developers gain finer control over system calls and memory, making the analysis and manipulation more challenging for attackers. Understanding Native Root Detection Techniques NDK-based root checks often leverage system calls and file system operations that are difficult to intercept from the Java layer. Common techniques include: File/Directory Presence Checks: Searching for known root-related files and directories (e.g., /system/bin/su, /sbin/su, /system/xbin/su, /data/local/tmp/su, /system/app/Superuser.apk). System Property Checks: Examining ro.build.tags for “test-keys” or ro.secure values. Process Checks: Looking for running processes associated with root tools (e.g., magiskd, daemonsu). ptrace Detection: Detecting if a debugger is attached by attempting to ptrace itself or checking /proc/self/status for TracerPid. Mount Information: Checking /proc/mounts for suspicious mounts (e.g., /dev/tmpfs on /magisk). Phase 1: Static Analysis with Ghidra Our journey begins with static analysis using Ghidra to understand the native library’s structure and identify potential root check functions. Locating the Native Library First, extract the APK and locate the relevant native library (e.g., libnative-lib.so) typically found in lib/armeabi-v7a/ or lib/arm64-v8a/. Loading into Ghidra Open Ghidra, create a new project, and import the .so file. Ensure the correct architecture (ARM/AArch64) is selected. Allow Ghidra to analyze the binary. Identifying Root Check Functions In Ghidra’s Symbol Tree, look for exported functions that might indicate root checks (e.g., Java_com_example_app_RootChecker_isRootedNative, checkRootStatus). If no clear symbols exist, resort to string searching: Navigate to Search -> For Strings. Search for common root indicators like /system/bin/su, /sbin/su, test-keys, magisk. Analyze the cross-references (Xrefs) to these strings to find the functions that use them. Let’s assume we find a function named isRootedCheck using string analysis. Its pseudocode might look something like this: BOOL isRootedCheck() { FILE *__s; BOOL bVar1; __s = fopen("/system/bin/su", "r"); if (__s != (FILE *)0x0) { fclose(__s); bVar1 = TRUE; } else { __s = fopen("/sbin/su", "r"); if (__s != (FILE *)0x0) { fclose(__s); bVar1 = TRUE; } else { // ... other checks ... bVar1 = FALSE; } } return bVar1;} From this, we see the function opens specific paths, suggesting file presence checks. Phase 2: Dynamic Instrumentation with Frida Once we’ve identified the native functions and logic, Frida comes into play for dynamic analysis and runtime patching. Setting up Frida Ensure you have a rooted Android device/emulator with Frida-server running and ADB configured. Install Frida on your host machine: pip install frida-tools. Basic Frida Script Structure To interact with native libraries, we use Module.findExportByName or Module.findBaseAddress and then offset functions. Let’s target the isRootedCheck function we found in Ghidra. Java.perform(function() { var module_name = "libnative-lib.so"; var target_module = Module.findExportByName(module_name, "isRootedCheck"); // If exported if (!target_module) { // If not exported, find by base address + offset var base_address = Module.findBaseAddress(module_name); if (base_address) { // Replace '0x1234' with the actual offset found in Ghidra target_module = base_address.add(0x1234); } } if (target_module) { console.log("[*] Hooking isRootedCheck at: " + target_module); Interceptor.attach(target_module, { onEnter: function(args) { console.log("[+] isRootedCheck called!"); }, onLeave: function(retval) { console.log("[*] Original return value: " + retval); retval.replace(0); // Force return FALSE console.log("[+] Modified return value to: " + retval); } }); } else { console.log("[-] Could not find isRootedCheck in " + module_name); }}); Run with: frida -U -l your_script.js -f com.your.package.name --no-pause Bypassing Specific Native Checks 1. File Presence Checks (fopen, access, stat) Instead of hooking the application’s internal check function, you can hook the underlying system calls it uses. This is more robust as it catches all file system checks, not just specific functions. Java.perform(function() { var fopenPtr = Module.findExportByName(null, "fopen"); if (fopenPtr) { Interceptor.attach(fopenPtr, { onEnter: function(args) { this.filePath = Memory.readUtf8String(args[0]); if (this.filePath.includes("/su") || this.filePath.includes("magisk")) { console.log("[+] fopen called for suspicious path: " + this.filePath); this.isSuspicious = true; } }, onLeave: function(retval) { if (this.isSuspicious) { console.log("[*] Blocking fopen for " + this.filePath + ". Original return: " + retval); retval.replace(0); // Return NULL (failure to open file) } } }); }}); Similarly, you can hook access, stat, lstat, etc., to return specific error codes or manipulate their return values. 2. ptrace Detection Bypass Applications might try to ptrace themselves to detect if a debugger is already attached. We can hook ptrace to make it always succeed or fail as desired. Java.perform(function() { var ptracePtr = Module.findExportByName(null, "ptrace"); if (ptracePtr) { Interceptor.attach(ptracePtr, { onEnter: function(args) { var request = args[0].toInt32(); var pid = args[1].toInt32(); console.log("[+] ptrace called: request=" + request + ", pid=" + pid); // PTRACE_TRACEME (0) is common for anti-debugging if (request === 0) { console.log("[*] Forcing PTRACE_TRACEME to fail to hide debugger."); this.skipCall = true; // Skip the original call } }, onLeave: function(retval) { if (this.skipCall) { retval.replace(-1); // Return -1 (failure) or 0 (success) depending on desired effect // To truly hide, sometimes returning 0 (success) is better if the app expects ptrace to attach. // Experimentation needed for specific implementation. console.log("[+] ptrace return value modified to " + retval + "."); } } }); }}); 3. System Property Checks If an app reads ro.build.tags, it might use __system_property_get. Hooking this can control the output. Java.perform(function() { var propGetPtr = Module.findExportByName(null, "__system_property_get"); if (propGetPtr) { Interceptor.attach(propGetPtr, { onEnter: function(args) { var propName = Memory.readUtf8String(args[0]); this.propValuePtr = args[1]; if (propName === "ro.build.tags") { console.log("[+] Intercepted __system_property_get for: " + propName); this.isTargetProp = true; } }, onLeave: function(retval) { if (this.isTargetProp) { Memory.writeUtf8String(this.propValuePtr, "release-keys"); console.log("[+] Modified ro.build.tags to 'release-keys'."); } } }); }}); Phase 3: Advanced Bypass with Memory Patching For more permanent or aggressive bypasses, especially when function hooks are detected or insufficient, direct memory patching can be used. This involves identifying the exact instruction in Ghidra that determines the root check outcome and then using Frida to modify it at runtime. Identifying Patch Points in Ghidra Revisit Ghidra’s disassembly view of our isRootedCheck function. Look for conditional jump instructions (e.g., BEQ, BNE, CMP followed by JMP) immediately after the root check logic. For example, if a check sets a register to 0 or 1, and then a CMP instruction checks that register, you might find something like: 0xXXXXXXXX: CMP R0, #0 ; Compare R0 (result of check) with 00xYYYYYYYY: BNE LAB_XXXXXXXX ; Branch if Not Equal (if R0 is 1, branch to 'rooted' logic) To bypass, we want to ensure the branch is never taken (or always taken, depending on logic). We can NOP out the branch or change its condition. Frida Memory Patching Assuming the BNE instruction is at 0xYYYYYYYY relative to the module base, we can patch it using Frida. For ARM, a NOP instruction is 0xF000F000 or 0x1EE0A000 (specific to Thumb/ARM mode). For AArch64, it’s 0xD503201F. Java.perform(function() { var module_name = "libnative-lib.so"; var base_address = Module.findBaseAddress(module_name); if (base_address) { // Replace 0xYYYYYYYY with the actual offset of the instruction to patch var target_address = base_address.add(0xYYYYYYYY); console.log("[+] Patching instruction at: " + target_address); // Example for AArch64 (4 bytes NOP) Memory.patchCode(target_address, 4, function(code) { var writer = new Arm64Writer(code, { pc: target_address }); writer.putNop(); // Write a NOP instruction writer.flush(); }); // Example for ARM (4 bytes NOP, adjust based on Thumb/ARM) // Memory.patchCode(target_address, 4, function(code) { // var writer = new ArmWriter(code, { pc: target_address }); // writer.putNop(); // writer.flush(); // }); console.log("[+] Patch applied successfully."); } else { console.log("[-] Could not find base address of " + module_name); }}); This approach directly modifies the machine code, making the branch instruction effectively disappear or change its behavior, thus altering the root detection logic at its core. Conclusion Bypassing advanced Android NDK root detection requires a systematic approach combining static and dynamic analysis. Ghidra empowers us to deeply understand the native code and identify critical functions and vulnerable instructions. Frida then provides an unparalleled platform for dynamically intercepting, modifying, and even patching these native checks at runtime. By mastering these tools and techniques, security researchers and penetration testers can effectively analyze and overcome even the most sophisticated native anti-tampering measures, ensuring comprehensive security assessments of Android applications. May 30, 2026
Dump Sensitive Data: A Frida Lab for Android Insecure Storage Exploitation (SQLite, SharedPreferences) Introduction In the realm of mobile application security, insecure data storage remains a perennial vulnerability. Android applications often store sensitive user data locally in various formats, including SQLite databases and SharedPreferences. When not properly protected, this data becomes a prime target for attackers with access to the device, potentially leading to information disclosure and further compromise. This expert-level guide delves into using Frida, a dynamic instrumentation toolkit, to identify and exploit these insecure storage practices in real-time. We’ll explore practical techniques to dynamically dump sensitive information from SQLite databases and SharedPreferences during an app’s runtime. Prerequisites for the Lab Before we embark on this exploitation journey, ensure you have the following setup: Rooted Android Device or Emulator: Necessary for Frida-server to operate and for filesystem access. ADB Installed and Configured: Android Debug Bridge for interacting with your device/emulator. Frida-server Running on Device: Download the appropriate `frida-server` for your device’s architecture and run it as root. Frida-tools Installed on Host: `pip install frida-tools` Basic Knowledge of JavaScript: Frida scripts are written in JavaScript. Target Android Application: A vulnerable application (or any app for demonstration purposes) installed on your device. For this lab, we will use `com.example.vulnerableapp` as a placeholder. Understanding Android Insecure Data Storage SQLite Databases Android applications frequently utilize SQLite databases to store structured data locally. These databases are typically stored within the app’s private directory at `/data/data/<package_name>/databases/`. Common vulnerabilities arise when sensitive data (e.g., user credentials, tokens, personal information) is stored in cleartext within these databases. Without proper encryption or access controls, an attacker gaining root access can easily extract and read this information using standard SQLite tools. SharedPreferences SharedPreferences provide a lightweight mechanism for Android apps to store simple key-value pairs, often used for user settings, session tokens, or other small pieces of data. These are typically stored as XML files in `/data/data/<package_name>/shared_prefs/`. Similar to SQLite, if sensitive data is stored unencrypted in SharedPreferences, it can be trivially read by an attacker with filesystem access. Frida for Dynamic Analysis Frida empowers security researchers to inject custom JavaScript into running processes, enabling dynamic instrumentation. This allows us to hook into native functions and Java methods, observe their arguments, modify return values, and even call private methods – all at runtime. This capability is invaluable for understanding an app’s behavior and identifying vulnerabilities that might not be obvious from static analysis alone. Exploiting SQLite Databases with Frida Method 1: Hooking SQL Operations to Log Queries One powerful technique is to hook into methods responsible for executing SQL queries. By intercepting calls to `execSQL` and `rawQuery`, we can log every SQL statement an application performs, potentially revealing sensitive data manipulation or extraction queries. Create a file named `frida_sqlite_hook.js`: Java.perform(function () { var SQLiteDatabase = Java.use( May 30, 2026
Frida for PenTesters: Exploiting Android Insecure Data Storage – A How-To Guide Introduction to Insecure Data Storage on Android Insecure data storage remains a pervasive vulnerability in Android applications, often leading to the exposure of sensitive user information. This vulnerability arises when applications store private data—such as API keys, authentication tokens, personal identifiable information (PII), or session details—in unprotected locations like SharedPreferences, internal storage, or external storage without proper encryption or access controls. For penetration testers, identifying and exploiting these flaws is crucial for assessing an application’s overall security posture. This guide will walk you through leveraging Frida, a dynamic instrumentation toolkit, to detect and exploit insecure data storage practices in Android applications. Why Frida is Essential for Exploitation While static analysis can reveal potential storage locations, dynamic analysis with Frida provides unparalleled visibility into an application’s runtime behavior. Frida allows you to hook into Java and native functions, intercepting data as it’s being read from or written to storage. This capability makes it an indispensable tool for: Observing actual data being stored. Identifying which specific APIs are used for storage. Modifying data before it’s written or after it’s read. Bypassing client-side encryption attempts to reveal plaintext. Prerequisites Before we begin, ensure you have the following set up: Rooted Android Device or Emulator: Necessary for running Frida server with elevated privileges. ADB (Android Debug Bridge): For connecting to your device and installing applications/Frida server. Frida Client and Server: Install the Python `frida-tools` on your host machine (`pip install frida-tools`) and download the appropriate Frida server binary for your device’s architecture (e.g., `frida-server-16.1.4-android-arm64`) from the Frida GitHub releases. Target Application: An Android APK to analyze (e.g., a dummy app with known insecure storage or a vulnerable CTF app). Setting Up Frida Server 1. Push the Frida server to your device: adb push frida-server /data/local/tmp/ 2. Set execute permissions and run: adb shell "chmod 755 /data/local/tmp/frida-server"adb shell "/data/local/tmp/frida-server &" 3. Verify Frida is running: frida-ps -U Understanding Insecure Data Storage Mechanisms Common Android Storage Locations SharedPreferences: Stores private primitive data in XML files. Often used for user preferences, but frequently abused for sensitive data. Internal Storage: Application-private directories on the device’s filesystem. Accessible only by the app itself, but root access bypasses this. External Storage: Publicly accessible storage (e.g., SD card). Highly insecure for sensitive data. Databases (SQLite): Stored within internal storage, but if unencrypted, easily dumped with root. Our focus will primarily be on intercepting data as it’s being handled by `SharedPreferences` and general file I/O operations. Leveraging Frida for Data Interception: A SharedPreferences Example Let’s assume our target application stores a user’s API key in `SharedPreferences` without encryption. We want to intercept this key. Analyzing the Application (Briefly) Before dynamic analysis, a quick static scan can give hints. Decompile the APK using `Jadx-GUI` or `apktool` and search for keywords like `SharedPreferences`, `putString`, `edit()`, `apply()`, `commit()`, `getSharedPreferences`. Writing the Frida Script for SharedPreferences We’ll hook into `android.content.SharedPreferences$Editor` to intercept calls to `putString` and `apply` or `commit`. This allows us to see what data is being written and potentially modify it. Java.perform(function() { console.log("[*] Frida script loaded for SharedPreferences interception."); var SharedPreferencesEditor = Java.use("android.content.SharedPreferences$Editor"); // Hook putString method SharedPreferencesEditor.putString.implementation = function(key, value) { console.log("[*] SharedPreferences.Editor.putString called!"); console.log(" Key: " + key); console.log(" Value: " + value); // You can modify the value here if needed // value = "MODIFIED_VALUE"; return this.putString(key, value); }; // Hook apply/commit methods to see when changes are saved SharedPreferencesEditor.apply.implementation = function() { console.log("[*] SharedPreferences.Editor.apply called! Changes are being saved."); return this.apply(); }; SharedPreferencesEditor.commit.implementation = function() { console.log("[*] SharedPreferences.Editor.commit called! Changes are being saved."); return this.commit(); }; // Optionally, hook SharedPreferences.getString to see data being read var SharedPreferences = Java.use("android.content.SharedPreferences"); SharedPreferences.getString.implementation = function(key, defValue) { var storedValue = this.getString(key, defValue); console.log("[*] SharedPreferences.getString called!"); console.log(" Key: " + key); console.log(" Read Value: " + storedValue); return storedValue; };}); Executing the Frida Script 1. Save the script as `frida_prefs.js`.2. Launch the target application on your device.3. Attach Frida to the running application’s process: frida -U -l frida_prefs.js -f com.example.targetapp --no-pause Replace `com.example.targetapp` with the actual package name of your target application. As you interact with the app, particularly actions that save or retrieve data via `SharedPreferences`, you will see the intercepted keys and values in your console. Interacting with Internal/External Storage (File I/O) For data stored directly in files, we can hook Java’s file I/O classes like `FileOutputStream`, `FileInputStream`, `FileWriter`, `FileReader`, etc. This allows us to intercept data before it hits the disk or after it’s read. Hooking FileOutputStream to Intercept Written Data Java.perform(function() { console.log("[*] Frida script loaded for FileOutputStream interception."); var FileOutputStream = Java.use("java.io.FileOutputStream"); FileOutputStream.$init.overload("java.lang.String").implementation = function(path) { console.log("[*] FileOutputStream initialized for path: " + path); this.$init(path); }; FileOutputStream.write.overload("[B").implementation = function(buffer) { var data = Java.array('byte', buffer); var text = new TextDecoder("utf-8").decode(data); console.log("[*] FileOutputStream.write called! Data:"); console.log(" " + text); // You can modify the buffer here if needed return this.write(buffer); }; FileOutputStream.write.overload("[B", "int", "int").implementation = function(buffer, offset, length) { var data = Java.array('byte', buffer); var subArray = data.slice(offset, offset + length); var text = new TextDecoder("utf-8").decode(subArray); console.log("[*] FileOutputStream.write (offset, length) called! Data:"); console.log(" " + text); return this.write(buffer, offset, length); };}); Run this script similarly to the SharedPreferences example. When the application writes to a file, you’ll see the data in your console. Mitigation Strategies To prevent insecure data storage vulnerabilities, developers should implement: Encryption: Always encrypt sensitive data at rest using strong, industry-standard algorithms (e.g., AES-256) with securely managed keys. Android’s EncryptedSharedPreferences and FileEncryptionHelper from the Jetpack Security library are good starting points. Android Keystore System: Utilize the Android Keystore system for secure generation and storage of cryptographic keys. Input Validation: Sanitize and validate all user inputs to prevent injection attacks that could lead to data compromise. Principle of Least Privilege: Store sensitive data only when absolutely necessary and for the shortest possible duration. Secure Coding Practices: Adhere to secure coding guidelines and conduct regular security audits. Conclusion Frida provides an incredibly powerful and flexible platform for dynamically analyzing Android applications and exploiting insecure data storage vulnerabilities. By mastering its hooking capabilities, penetration testers can effectively uncover hidden sensitive data, understand an application’s data handling mechanisms, and provide concrete evidence of security flaws. Remember, responsible disclosure is key when dealing with discovered vulnerabilities. May 30, 2026
Demystifying Android NDK JNI: A Ghidra & Frida Workflow for Beginners to Advanced Introduction to Android NDK, JNI, Ghidra, and Frida Android’s Native Development Kit (NDK) allows developers to implement parts of their applications using native code languages like C and C++. This is often done for performance-critical sections, code obfuscation, or leveraging existing native libraries. The Java Native Interface (JNI) acts as the bridge, enabling Java code to interact with these native libraries. Reverse engineering these native components is crucial for security researchers, penetration testers, and anyone looking to understand proprietary application logic or uncover vulnerabilities. This article provides a comprehensive guide, from beginner concepts to advanced techniques, leveraging Ghidra for static analysis and Frida for dynamic instrumentation. Why Reverse Engineer NDK/JNI? Security Research: Discover vulnerabilities in native code, such as buffer overflows or format string bugs. Malware Analysis: Understand the true behavior of Android malware that hides malicious logic in native libraries. Intellectual Property Protection: Analyze how sensitive algorithms or cryptographic operations are implemented. Obfuscation Bypass: Native code is often used to make reverse engineering harder; understanding it helps bypass these measures. Prerequisites and Setup Before diving in, ensure you have the following tools and knowledge: Android SDK & Platform Tools: For adb (Android Debug Bridge). A Rooted Android Device or Emulator: Necessary for running Frida server. Ghidra: A powerful open-source reverse engineering framework. Frida: A dynamic instrumentation toolkit. Basic Understanding of C/C++ and ARM Assembly: Essential for native code analysis. Frida Setup on Device adb shellmkdir /data/local/tmp/frida/adb push frida-server /data/local/tmp/frida/frida-serveradb shell 'chmod 755 /data/local/tmp/frida/frida-server'adb shell '/data/local/tmp/frida/frida-server &' Understanding Android NDK and JNI Basics The Android NDK allows you to build `.so` (shared object) files, which are ELF binaries containing native code. JNI provides a standard way for Java code to call native functions and vice-versa. Key concepts include: JNIEnv*: A pointer to a pointer to the JNI function table. It’s the primary way to interact with the Java VM from native code. jclass, jobject, jmethodID, jfieldID: JNI types used to reference Java classes, objects, methods, and fields from native code. Native Method Registration: Static Registration: Methods are named using a specific convention: Java_PackageName_ClassName_MethodName. The JVM resolves these names directly. Dynamic Registration: Methods are registered explicitly using RegisterNatives, often called within JNI_OnLoad. This is common for obfuscation. JNI_OnLoad: An optional function exported by the native library, called when the library is loaded by the JVM. It’s a common place for dynamic method registration, environment setup, and anti-tampering checks. Phase 1: Static Analysis with Ghidra Obtaining the Native Library First, extract the `.so` file from the target APK. APKs are essentially ZIP archives. unzip target.apk -d extracted_apkmv extracted_apk/lib/armeabi-v7a/libnative-lib.so . # Or arm64-v8a, x86, etc. Loading into Ghidra Open Ghidra and create a new project. Go to File -> Import File and select your libnative-lib.so. Confirm the language (e.g., ARMv7:le:32:v7 or AARCH64:le:64:v8a). Once imported, double-click to open it in the Code Browser. When prompted, analyze the binary. Ensure ‘Create Function Signatures’ and ‘Non-Returning Functions’ are selected for better analysis. Identifying JNI Export Functions In Ghidra’s Symbol Tree, navigate to ‘Exports’. You’ll often find: JNI_OnLoad: This is your primary entry point for dynamic analysis. Statically Registered Methods: Functions prefixed with Java_ (e.g., Java_com_example_NativeLib_stringFromJNI). Let’s consider a simple C example for a native method: <code class= May 30, 2026


	
	
		
	
	
	
	
		
			←Previous Page
			1
…
170
171
172
173
174
…
705
			Next Page→

Author: admin

Introduction: The Peril of Insecure Data Storage

Prerequisites for This Deep Dive

Understanding Android’s Data Storage Mechanisms

SharedPreferences

Internal Storage

External Storage

SQLite Databases

Phase 1: Static Analysis – Uncovering Potential Vulnerabilities

Decompiling the APK with JADX-GUI

Identifying Storage Patterns

Introduction: The Peril of Insecure Internal Storage

Setting Up Your Android Penetration Testing Environment

1. Rooted Android Device Preparation

2. Installing Frida Server

3. Workstation Setup

Identifying Insecure Storage Practices

1. Manual File System Inspection

2. Common Vulnerabilities

Exploiting Shared Preferences with Frida

Step 1: Identify the Target Application and Methods

Step 2: Crafting the Frida Script (`dump_prefs.js`)

Step 3: Executing the Script

Intercepting FileStream Writes for Sensitive Data

Step 1: Hooking FileOutputStream.write

Step 2: Crafting the Frida Script (`intercept_file_write.js`)

Step 3: Running the Interception

Mitigation Strategies: Securing Internal Storage

Conclusion

Introduction: The Stealth of Insecure Data Storage

Prerequisites for Your Android Pentesting Lab

Setting Up Frida Server

The Challenge: Obfuscation Hides All

Frida to the Rescue: Dynamic Instrumentation

Targeting Insecure SharedPreferences

Intercepting SQLite Database Operations

Hooking File I/O for Internal/External Storage

Leveraging Frida for Obfuscation Bypass

Conclusion: Unmasking Hidden Dangers

Introduction

Understanding Android Storage Mechanisms

Internal Storage

External Storage

Identifying Insecure External Storage Vulnerabilities

1. Static Analysis

AndroidManifest.xml Inspection:

Source Code Review:

2. Dynamic Analysis with ADB

Leveraging Frida for Dynamic Exploitation

Frida Setup Prerequisites

Hooking Storage APIs to Identify Sensitive Data Writes

Real-World Scenario: Intercepting and Manipulating Data

Mitigation Strategies for Developers

Conclusion

Introduction to Insecure Data Storage and Frida

Understanding Insecure Data Storage on Android

Frida for Dynamic Analysis of Data Storage

Common Frida Troubleshooting Scenarios and Solutions

Challenge 1: Frida Server Not Running or App Not Found

Symptom:

Solution:

Challenge 2: Permissions Issues for Storage Access

Symptom:

Solution:

Introduction to Insecure Data Storage and Frida

Prerequisites

Understanding Android Data Storage Mechanisms

Internal Storage (Application-specific files)

External Storage (Shared Storage)

Shared Preferences

SQLite Databases

Frida for Automated Discovery of Data Storage Access

Hooking File I/O for Internal Storage

Intercepting Shared Preferences Access

Monitoring SQLite Database Operations

Automated Extraction and Further Analysis

Pulling Files and Databases via ADB

Enumerating All Storage Artifacts (Advanced)

Conclusion

Introduction to Native Root Detection and Bypass

1. File Presence Checks (`fopen`, `access`, `stat`)

2. `ptrace` Detection Bypass