Author: admin

Mastering Android App Memory Dumping: A Comprehensive Frida Workshop for Pentesters
Introduction: Unveiling Hidden Secrets in Android App Memory

Android application penetration testing often focuses on static analysis, traffic interception, and reverse engineering APKs. However, critical vulnerabilities and sensitive data frequently reside in an application’s runtime memory, eluding typical static checks. API keys, encryption secrets, user credentials, and other sensitive information might be temporarily stored in RAM, making memory dumping a powerful technique for ethical hackers. This comprehensive guide will equip you with the knowledge and practical skills to master Android app memory dumping using Frida, the dynamic instrumentation toolkit.

Why Memory Dumping is Essential for Pentesters

Memory dumping involves extracting the contents of an application’s memory at a specific point in time. For Android apps, this can reveal:
- Hardcoded Secrets: API keys, encryption algorithms, and sensitive strings that are obfuscated or encrypted on disk but loaded into memory in plaintext.
- Runtime Data: Usernames, passwords, session tokens, and other authentication credentials before they are sent over the network or after decryption.
- Internal Logic: Understanding how an application processes data, especially when dealing with custom data structures or anti-tampering mechanisms.
- Exploitation Artifacts: Identifying memory regions susceptible to buffer overflows, heap sprays, or other memory-corruption vulnerabilities.
Frida stands out as an indispensable tool for this task due to its powerful JavaScript API, allowing direct interaction with an application’s memory space and runtime. It enables us to enumerate memory regions, read their contents, and even search for specific patterns dynamically.

Setting Up Your Frida Environment

Before diving into memory dumping, ensure you have a properly configured Frida environment:

Prerequisites:
- Rooted Android Device or Emulator: Necessary for `frida-server` to run with sufficient privileges.
- ADB (Android Debug Bridge): For connecting to your device.
- Python 3: With `frida-tools` installed.
Installation Steps:
1. Install Frida-tools:
```
pip3 install frida-tools
```
2. Download Frida Server: Navigate to the Frida releases page and download the appropriate `frida-server` binary for your device’s architecture (e.g., `frida-server-*-android-arm64`).
3. Push to Device and Run:
```
adb push frida-server /data/local/tmp/frida-serveradb shell"cd /data/local/tmp && chmod +x frida-server && ./frida-server &"
```
4. Forward Frida Port (if needed):
```
adb forward tcp:27042 tcp:27042adb forward tcp:27043 tcp:27043
```
5. Verify Setup:
```
frida-ps -U
```
  This command should list all running processes on your Android device.
Understanding Android Process Memory Layout

Before we dump, it’s crucial to understand what we’re looking at. Every process on a Linux-based system (including Android) has a `/proc//maps` file that describes its virtual memory layout. This file details memory regions, their permissions (read, write, execute), and the files they map to. We can access this information via ADB:
```
adb shell cat /proc/$(adb shell pidof com.example.targetapp)/maps
```
You’ll see output similar to this:
```
00008000-00009000 r-xp 00000000 00:00 0          [heap]00009000-0000a000 rw-p 00000000 00:00 0          [heap]70000000-70010000 r-xp 00000000 103:07 1234       /system/lib/libc.so...
```
Key permissions:
- `r`: Read
- `w`: Write
- `x`: Execute
- `p`: Private (changes are not written back to the original file)
For memory dumping, we are often interested in `rw-p` regions (writable, private) where dynamic data like heap allocations reside.

Frida for Memory Enumeration and Dumping

Frida’s JavaScript API provides powerful functions to interact with a process’s memory.

1. Enumerating Memory Ranges

We can use `Process.enumerateRangesSync()` to list memory regions based on their protection. For dumping, `rw-` (read-write) is often a good starting point.
```
/* enumerate_ranges.js */console.log("Enumerating readable and writable memory ranges...");Process.enumerateRangesSync({ protection: 'rw-', coalesce: false }).forEach(function(range) {    console.log(JSON.stringify(range));});
```
Run this script using:
```
frida -U -f com.example.targetapp -l enumerate_ranges.js --no-pause
```
This will print a list of memory ranges, including their base address, size, and protection.

2. Dumping Specific Memory Ranges

Once you’ve identified an interesting memory range, you can dump its contents using `Memory.readByteArray()`.
```
/* dump_range.js */var targetAddress = ptr("0x70000000"); // Replace with your target addressvar targetSize = 0x1000;              // Replace with your target size (e.g., 4096 bytes)console.log("Dumping memory from " + targetAddress + " with size " + targetSize);var buffer = Memory.readByteArray(targetAddress, targetSize);send(buffer);
```
To capture this binary data, you’ll need a Python script:
```
# dump_capture.pyimport fridaimport sysdef on_message(message, data):    if message['type'] == 'send':        print(f"[+] Received {len(data)} bytes of data.")        with open("memory_dump.bin", "wb") as f:            f.write(data)        print("[+] Data saved to memory_dump.bin")    elif message['type'] == 'error':        print(f"[-] Error: {message['description']}")process_name = "com.example.targetapp"try:    session = frida.get_usb_device().attach(process_name)    with open("dump_range.js", 'r') as f:        script_code = f.read()    script = session.create_script(script_code)    script.on('message', on_message)    print(f"[*] Attaching to {process_name}...")    script.load()    print("[*] Script loaded. Waiting for data...")    sys.stdin.read()except frida.core.RPCException as e:    print(f"[-] Frida error: {e}")except Exception as e:    print(f"[-] An unexpected error occurred: {e}")
```
Run the Python script:
```
python3 dump_capture.py
```
Remember to adjust `targetAddress` and `targetSize` in `dump_range.js` to match the specific region you want to dump. For a full app memory dump, you’d iterate through all `rw-` ranges and dump each one.

3. Searching Memory for Patterns

Frida can also actively search for specific byte patterns or strings within a process’s memory. This is incredibly useful for finding known secrets or data structures.
```
/* search_memory.js */var searchPattern = "4d61737465724b6579"; // Example: "MasterKey" in hexvar searchString = "MySecretAPIKey";   // Example: a sensitive stringconsole.log("Searching for patterns...");Process.enumerateRangesSync({ protection: 'rw-', coalesce: false }).forEach(function(range) {    // Search for hex pattern    Memory.scanSync(range.base, range.size, searchPattern).forEach(function(match) {        console.log("[*] Found hex pattern at: " + match.address);    });    // Search for string (convert string to hex pattern for Memory.scanSync)    // Note: This simple conversion assumes ASCII. For UTF-8, more complex handling is needed.    var stringHexPattern = stringToHex(searchString);    Memory.scanSync(range.base, range.size, stringHexPattern).forEach(function(match) {        console.log("[*] Found string '" + searchString + "' at: " + match.address);    });});function stringToHex(s) {  var hex = '';  for (var i = 0; i < s.length; i++) {    hex += s.charCodeAt(i).toString(16);  }  return hex;}
```
Run this using `frida -U -f com.example.targetapp -l search_memory.js –no-pause` and observe the console output for matched addresses.

Analyzing Dumped Memory

Once you have a `memory_dump.bin` file, you’ll need tools to analyze it:
- `hexdump -C memory_dump.bin`: Displays the content in both hexadecimal and ASCII.
- `strings memory_dump.bin`: Extracts printable strings from the binary file.
- `grep`: Use with `strings` to search for specific keywords.
- Disassemblers/Debuggers (IDA Pro, Ghidra): Load the dump as a binary file to analyze its structure and identify code segments if applicable.
Practical Scenario: Dumping an API Key

Let’s imagine a simple Android app that stores a hardcoded API key in memory after initialization.
1. Identify Target Process: Find the package name (e.g., `com.example.secureapp`).
2. Start App and Attach Frida: Launch the app, then attach with a script.
3. Search for Known Strings (if any): If you suspect the API key might contain a known prefix (e.g., “pk_test_”), use the `search_memory.js` script to locate it.
4. Enumerate `rw-` Regions: If direct searching doesn’t yield results, enumerate the `rw-` regions to get potential addresses.
5. Dump and Analyze: Dump promising regions using `dump_range.js` and `dump_capture.py`, then use `strings` and `grep` to find the key in the `memory_dump.bin` file.
For example, if you know the API key is `shhh_this_is_my_secret_key_123`, you would search for `736868685f746869735f69735f6d795f7365637265745f6b65795f313233` (hex representation) or simply `shhh_this_is_my_secret_key_123` if your search function handles strings directly.

Conclusion

Mastering Android app memory dumping with Frida is an invaluable skill for any penetration tester. It allows you to peer into the runtime state of an application, uncover dynamically generated or temporarily stored sensitive data, and gain a deeper understanding of an app’s internal workings. By combining memory enumeration, targeted dumping, and intelligent analysis, you can significantly enhance the depth and effectiveness of your Android penetration tests. Always ensure you have proper authorization before performing such tests, adhering strictly to ethical hacking guidelines.
May 30, 2026

Building a Frida RPC Toolkit: Customizing Android App Interaction Scripts

Introduction to Frida RPC for Android App Penetration Testing

Frida is a dynamic instrumentation toolkit that allows injecting custom scripts into processes. While its basic hooking capabilities are powerful for observing runtime behavior, Frida’s Remote Procedure Call (RPC) feature elevates dynamic analysis to an entirely new level. RPC enables seamless communication between your Python (or other language) client script and the injected JavaScript agent, allowing you to invoke JavaScript functions from your client and receive results. This capability is invaluable for building custom toolkits to interact with Android applications dynamically, bypass client-side controls, and exfiltrate sensitive data.

This article will guide you through building a practical Frida RPC toolkit. We’ll focus on creating a JavaScript agent that exposes several functions for interacting with an Android application, and a Python client to leverage these functions for common penetration testing scenarios like data exfiltration and runtime modification.

Prerequisites and Setup

Before diving into RPC, ensure you have the following setup:

Android Device/Emulator: A rooted Android device or an emulator (e.g., AVD, Genymotion) running Frida-server.
Frida-server: Download the appropriate frida-server binary for your device’s architecture from Frida’s GitHub releases. Push it to the device and run it.
Frida-tools: Install the Python client tools:pip install frida-tools
ADB (Android Debug Bridge): For interacting with your Android device.
Python Environment: A working Python 3 environment.

To start frida-server on your device:


adb push /path/to/frida-server /data/local/tmp/frida-serveradb shell"chmod 755 /data/local/tmp/frida-server"adb shell"/data/local/tmp/frida-server &"

Understanding Frida RPC: The Basics

Frida RPC works by exposing specific JavaScript functions from your injected script to the Python client. In your JavaScript code, you define an Rpc.exports object, which serves as a dictionary of functions accessible from the outside. The Python client then loads this script, and these exported functions become directly callable as methods on the script object.

This allows for a clean separation of concerns: your JavaScript agent handles the low-level instrumentation and interaction with the target application’s runtime, while your Python client orchestrates the attack logic, data processing, and user interaction.

Building the Frida RPC Agent (JavaScript)

Let’s create a Frida JavaScript agent (e.g., rpc_agent.js) that exposes functions for common tasks:

dumpField(className, fieldName, instancePtr): To dump the value of an instance field.
callStaticMethod(className, methodName, argTypes, args): To invoke a static method.
interceptMethodAndReturn(className, methodName, returnValue): To hook a method and force it to return a specific value.


// rpc_agent.jsJava.perform(function () {    // Helper to get an instance from a pointer (or just use a fully qualified class name for static contexts)    function getInstance(className, instancePtr) {        if (instancePtr && instancePtr !== '0x0') {            return new Java.Class(className).wrap(ptr(instancePtr));        }        return Java.use(className); // For static access or new instance creation    }    Rpc.exports = {        // Dumps the value of a specific field from an object instance        dumpField: function (className, fieldName, instancePtr) {            try {                var targetClass = getInstance(className, instancePtr);                var targetInstance = instancePtr && instancePtr !== '0x0' ? targetClass : null;                // If instancePtr is null/0x0, we assume it's a static field if not found on instance                var value = null;                if (targetInstance) {                    value = targetInstance[fieldName].value;                } else {                    // Try static field                    value = targetClass[fieldName].value;                }                return JSON.stringify({ status: 'success', fieldName: fieldName, value: String(value) });            } catch (e) {                return JSON.stringify({ status: 'error', message: e.message });            }        },        // Calls a static method with specified arguments        callStaticMethod: function (className, methodName, argTypes, args) {            try {                var targetClass = Java.use(className);                var methodSignature = methodName + '(' + argTypes.join(',') + ')';                var method = targetClass[methodSignature];                var result = method.apply(targetClass, args);                return JSON.stringify({ status: 'success', method: methodName, result: String(result) });            } catch (e) {                return JSON.stringify({ status: 'error', message: e.message });            }        },        // Intercepts a method and forces it to return a specified value        interceptMethodAndReturn: function (className, methodName, returnVal) {            try {                var targetClass = Java.use(className);                var originalMethod = targetClass[methodName];                var returnType = typeof returnVal === 'boolean' ? 'boolean' : typeof returnVal === 'string' ? 'java.lang.String' : 'int'; // Simplified type inference                originalMethod.implementation = function () {                    console.log("[Frida] Intercepted " + className + "." + methodName + ", returning custom value: " + returnVal);                    if (returnType === 'boolean') return Boolean(returnVal);                    if (returnType === 'java.lang.String') return Java.use('java.lang.String').$new(returnVal);                    return returnVal;                };                return JSON.stringify({ status: 'success', message: 'Method ' + methodName + ' intercepted to return ' + returnVal });            } catch (e) {                return JSON.stringify({ status: 'error', message: e.message });            }        }    };});

Building the Python RPC Client

Now, let’s create a Python script (e.g., rpc_client.py) to interact with our Frida agent. This script will attach to a target Android application, load the rpc_agent.js, and then call the exposed functions.


# rpc_client.pyimport fridaimport sysimport jsondef on_message(message, data):    if message['type'] == 'send':        print("[+] {0}".format(message['payload']))    elif message['type'] == 'error':        print("[!] {0}".format(message['stack']))def main():    if len(sys.argv) != 2:        print("Usage: python rpc_client.py ")        sys.exit(1)    package_name = sys.argv[1]    try:        device = frida.get_usb_device(timeout=10)        pid = device.spawn([package_name])        print(f"[+] Spawning {package_name} with PID: {pid}")        session = device.attach(pid)        device.resume(pid)        print(f"[+] Attached to {package_name} (PID: {pid})")        with open("rpc_agent.js", 'r') as f:            script_code = f.read()        script = session.create_script(script_code)        script.on('message', on_message)        script.load()        print("[+] Frida agent loaded. RPC exports available.")        # --- Example 1: Call a static method ---        print("n--- Calling Static Method ---")        result_json = script.exports.call_static_method(            "com.example.myapp.SomeUtilityClass",            "generateSecretToken",            [],            []        )        result = json.loads(result_json)        if result['status'] == 'success':            print(f"[+] generateSecretToken result: {result['result']}")        else:            print(f"[!] Error calling generateSecretToken: {result['message']}")        # --- Example 2: Intercept a method to bypass a check ---        print("n--- Intercepting a Method ---")        result_json = script.exports.intercept_method_and_return(            "com.example.myapp.AuthManager",            "isPremiumUser",            True        )        result = json.loads(result_json)        if result['status'] == 'success':            print(f"[+] {result['message']}")            print("[!] Now 'isPremiumUser()' will always return true.")        else:            print(f"[!] Error intercepting method: {result['message']}")        # --- Example 3: Dump a field from an instance (requires knowing instance pointer, or attach during runtime) ---        # This example assumes you might have obtained an instance pointer from another hook        # For demonstration, let's assume '0x12345678' is a valid pointer we found earlier        print("n--- Dumping Field from Instance (Example with dummy pointer) ---")        dummy_instance_ptr = '0x0' # In a real scenario, this would be a real pointer        result_json = script.exports.dump_field(            "com.example.myapp.UserSession",            "_authToken",            dummy_instance_ptr        )        result = json.loads(result_json)        if result['status'] == 'success':            print(f"[+] Field '_authToken' value: {result['value']}")        else:            print(f"[!] Error dumping field: {result['message']}")        # Keep the script running for a while, or prompt user to exit        input("nPress Enter to detach from the process...")        session.detach()        print("[+] Detached from process.")    except frida.core.RPCException as e:        print(f"[!] RPC Error: {e}")        sys.exit(1)    except Exception as e:        print(f"[!] An error occurred: {e}")        sys.exit(1)if __name__ == '__main__':    main()

Executing the RPC Toolkit

To run this toolkit, ensure your rpc_agent.js and rpc_client.py files are in the same directory. Replace com.example.myapp.SomeUtilityClass, AuthManager, and UserSession with actual class names from your target Android application.

Execute the Python client from your terminal:


python rpc_client.py com.your.target.package

You’ll see output showing the Frida agent attaching, the RPC calls being made, and their results. The interceptMethodAndReturn function effectively demonstrates how you can dynamically alter application logic, for instance, bypassing a premium user check. The dumpField and callStaticMethod functions illustrate powerful data extraction and direct method invocation capabilities, crucial for exfiltrating sensitive information or triggering hidden functionalities.

Advanced Data Exfiltration with RPC

The examples above return simple stringified results. For more complex data structures, your JavaScript agent can convert Java objects to JSON strings using JSON.stringify() before returning them. The Python client can then parse these strings back into Python dictionaries or objects using json.loads(). This allows for exfiltrating entire object graphs, including nested properties and array contents.

Consider a scenario where an object holds an entire session state. Your RPC function could enumerate its fields, recursively dump their values, and return a comprehensive JSON representation, providing deep insights into the application’s internal workings.

Conclusion

Frida’s RPC capabilities transform dynamic analysis from mere observation to active interaction. By building custom RPC toolkits, penetration testers and security researchers can programmatically control Android applications, bypass client-side security mechanisms, and extract critical runtime data with unprecedented flexibility. This approach significantly speeds up the analysis process and uncovers vulnerabilities that might be missed with static analysis or basic hooking techniques. Embrace Frida RPC to unlock the full potential of your Android app penetration testing engagements.

May 30, 2026

Frida & ART: Dumping Java Objects and Native Structures for Android App Reverse Engineering
Introduction to Memory Dumping in Android Applications

Android application reverse engineering often involves peering into the app’s runtime state. While static analysis provides valuable insights into an application’s structure and potential vulnerabilities, dynamic analysis, specifically memory dumping, allows reverse engineers to extract crucial data such as cryptographic keys, user credentials, and sensitive application logic that might only exist transiently in memory. Frida, a dynamic instrumentation toolkit, combined with an understanding of the Android Runtime (ART), provides unparalleled capabilities for this task.

ART, the default runtime for Android since Lollipop, compiles application bytecode (DEX) into machine code. This compilation means that Java objects and their underlying data structures are managed by ART’s memory allocator and garbage collector, ultimately residing in native memory. For reverse engineers, this implies that both the high-level Java object model and the low-level native memory representation must be understood to effectively extract information.

Setting Up Your Environment (Prerequisites)

Before diving into memory dumping, ensure you have a working Frida setup. This typically involves:
- A rooted Android device or emulator.
- adb installed and configured on your host machine.
- Frida client (frida-tools) installed on your host (pip install frida-tools).
- Frida server running on your Android device, matching its architecture (e.g., frida-server-16.1.4-android-arm64).
Once Frida server is running (e.g., adb shell /data/local/tmp/frida-server & and port forwarding adb forward tcp:27042 tcp:27042), you’re ready to inject scripts.

Dumping Java Objects with Frida

Understanding Java Object Representation in ART

In ART, every Java object is a region of native memory. Frida’s Java API provides a powerful abstraction layer to interact with these objects directly. When you obtain a reference to a Java object using Java.use(), Java.choose(), or by hooking a method, Frida internally handles the complexities of ART’s object model, allowing you to access fields, invoke methods, and even inspect the object’s memory address.

Locating and Interacting with Java Objects

A common scenario is to dump the contents of a specific Java object instance. Let’s imagine an application stores a sensitive configuration or a decrypted key in an instance of com.example.app.SecureConfig. We can hook the constructor of this class to get a reference to an active instance and then dump its fields.

Consider a simplified SecureConfig class:
```
package com.example.app;public class SecureConfig {    private String apiKey;    private byte[] secretBlob;    private int configVersion;    public SecureConfig(String key, byte[] blob, int version) {        this.apiKey = key;        this.secretBlob = blob;        this.configVersion = version;    }    // ... other methods ...}
```
Here’s a Frida script to dump its contents:
```
Java.perform(function() {    const SecureConfig = Java.use('com.example.app.SecureConfig');    SecureConfig.$init.overload('java.lang.String', '[B', 'int').implementation = function(key, blob, version) {        console.log('SecureConfig constructor called!');        console.log('  apiKey: ' + key);        console.log('  configVersion: ' + version);        if (blob) {            console.log('  secretBlob length: ' + blob.length);            // Convert byte array to hex string for display            let hexBlob = '';            for (let i = 0; i < blob.length; i++) {                hexBlob += ('0' + (blob[i] & 0xFF).toString(16)).slice(-2);            }            console.log('  secretBlob (hex): ' + hexBlob);        }        this.$init(key, blob, version); // Call original constructor    };    // Alternatively, to find existing instances (less precise without proper hooks)    // Java.choose('com.example.app.SecureConfig', {    //     onMatch: function(instance) {    //         console.log('Found existing SecureConfig instance at ' + instance.toString());    //         console.log('  apiKey: ' + instance.apiKey.value); // Accessing fields    //         // ... dump other fields as above ...    //     },    //     onComplete: function() {    //         console.log('SecureConfig search complete!');    //     }    // });});
```
To run this, save it as `dump_java.js` and inject it:
```
frida -U -f com.example.app --no-pause -l dump_java.js
```
Dumping Native Structures and Memory

Native Memory Layout in Android Applications

Android applications extensively use native libraries (.so files) for performance-critical operations, cryptographic routines, or integration with system services. These libraries manage their own memory, often storing sensitive data in custom C/C++ structs. To dump these, we need to understand the application’s memory map, which can be viewed via /proc//maps on the device.

Frida’s Module and Memory APIs are indispensable for native memory operations. Module.findBaseAddress() helps locate the base address of a loaded library, and Memory.readByteArray(), Memory.readPointer(), and Memory.readUtf8String() allow reading raw bytes, pointers, and strings respectively from specified memory addresses.

Identifying Target Native Structures

Identifying native structures usually involves prior static analysis using tools like Ghidra or IDA Pro. You’d look for custom structures passed as arguments to functions, or global variables, especially in libraries dealing with cryptography or sensitive data handling. For example, a `struct CryptoContext` might contain an encryption key and an IV (Initialization Vector).

Let’s assume static analysis reveals that libnativecrypt.so has an exported function get_crypto_context() which returns a pointer to a struct CryptoContext defined as:
```
typedef struct {    char key[32];      // 256-bit key    char iv[16];       // 128-bit IV    uint32_t algorithm_id;} CryptoContext;
```
Reading Native Memory with Frida

We can hook get_crypto_context to obtain the pointer and then read the memory block corresponding to the CryptoContext structure.
```
Java.perform(function() {    const libNativeCrypt = Module.findBaseAddress('libnativecrypt.so');    if (libNativeCrypt) {        console.log('Found libnativecrypt.so at: ' + libNativeCrypt);        // Assuming get_crypto_context is at a known offset (e.g., 0x1234) or exported        // For exported function: Module.findExportByName(null, 'get_crypto_context');        // Let's assume an offset for this example        const getCryptoContextPtr = libNativeCrypt.add(0x1234); // Replace 0x1234 with actual offset        console.log('Hooking get_crypto_context at: ' + getCryptoContextPtr);        Interceptor.attach(getCryptoContextPtr, {            onLeave: function(retval) {                console.log('get_crypto_context returned: ' + retval);                if (retval.isNull()) {                    console.warn('CryptoContext pointer is null!');                    return;                }                const cryptoContextAddr = retval;                console.log('Dumping CryptoContext at: ' + cryptoContextAddr);                // Read the key (32 bytes)                const keyBytes = Memory.readByteArray(cryptoContextAddr, 32);                console.log('  Key (hex): ' + hexdump(keyBytes, { ansi: false }));                // Read the IV (16 bytes) - offset + 32                const ivBytes = Memory.readByteArray(cryptoContextAddr.add(32), 16);                console.log('  IV (hex): ' + hexdump(ivBytes, { ansi: false }));                // Read the algorithm_id (4 bytes) - offset + 32 + 16                const algorithmId = Memory.readU32(cryptoContextAddr.add(32 + 16));                console.log('  Algorithm ID: ' + algorithmId);            }        });    } else {        console.log('libnativecrypt.so not found.');    }});
```
Inject this script similarly:
```
frida -U -f com.example.app --no-pause -l dump_native.js
```
Practical Scenarios and Advanced Tips

The real power emerges when combining Java and native memory dumping. For instance, you might retrieve a Java object that internally holds a pointer to a native structure. You can use Java.cast(javaObject, nativePointerClass).nativePointer.readPointer() to extract the native address, then use Frida’s native memory APIs to inspect it.

When dealing with obfuscation, class names, method names, and even string literals might be mangled. This necessitates more robust hooking strategies, such as hooking common Android framework APIs that process sensitive data (e.g., javax.crypto.Cipher methods or JNI calls like GetStringUTFChars) to intercept data before or after obfuscation/encryption.

For continuous monitoring or larger memory regions, consider writing data to a file on the device or host using send() and a Python handler script. This can be critical for forensic analysis of an app’s runtime state over time.

Conclusion

Frida is an indispensable tool for Android app reverse engineers, providing deep insights into both the Java and native layers of an application’s memory. By understanding how ART manages Java objects and how native libraries interact with memory, you can leverage Frida’s powerful APIs to dump sensitive data structures, cryptographic keys, and other critical information that might otherwise remain hidden. Mastering these memory dumping techniques is a crucial step towards comprehensive Android application security analysis and exploitation.
May 30, 2026
Deep Dive: Reconstructing Android App Runtime Data from Raw Frida Memory Dumps
Introduction: Unveiling Hidden Runtime Secrets

Android application penetration testing often hits a wall when critical data resides only in memory, dynamically generated, or heavily obfuscated. While static analysis provides insights into an app’s structure, runtime memory dumping with tools like Frida offers an unparalleled vantage point into the live state of an application. This expert-level guide delves into the intricate process of extracting raw memory dumps using Frida and subsequently reconstructing meaningful data, from session tokens to encryption keys, that would otherwise remain hidden.

Understanding an app’s runtime memory can expose sensitive information that is never written to disk, or is processed in a transient, unencrypted form before being secured for storage or transmission. Our focus will be on practical techniques to identify target memory regions, perform efficient dumps, and then leverage post-processing to piece together complex data structures.

Prerequisites for Memory Forensics

Before we dive into the technical details, ensure you have the following tools and knowledge:
- Rooted Android Device or Emulator: Essential for running Frida’s `frida-server`.
- Frida-tools: Installed on your host machine (`pip install frida-tools`).
- ADB (Android Debug Bridge): For device communication.
- Python: For scripting Frida interactions and post-processing.
- Basic JavaScript Knowledge: For writing Frida scripts.
- Hex Editor / Disassembler (Optional but Recommended): Tools like HxD, 010 Editor, Ghidra, or IDA Pro can assist in understanding memory layouts and data structures.
Identifying Target Memory Regions with Frida

The first crucial step is to pinpoint *where* the data of interest resides in the app’s memory space. This often involves a combination of dynamic and static analysis.

Dynamic Analysis: Exploring Live Objects

Frida’s JavaScript API allows us to interact directly with the Java Virtual Machine (JVM) and native libraries. We can enumerate instances of specific classes, hook methods to observe object states, or scan for byte patterns.

Consider an app that stores an authentication token in a custom Java object. We can hook the object’s constructor or a getter method to get a reference to it.
```
Java.perform(function () {  var TargetClass = Java.use("com.example.myapp.AuthTokenManager");  TargetClass.$init.implementation = function () {    // Call the original constructor    this.$init();    console.log("AuthTokenManager instance created!");    // Get a reference to the instance's memory address    var instancePtr = this.handle;    console.log("Instance pointer: " + instancePtr);    // Let's assume the token is a String field at a known offset    // For demonstration, we'll dump the entire object's memory region    var memorySize = 0x100; // Example size, needs to be determined via RE    var dump = Memory.readByteArray(instancePtr, memorySize);    send({"type": "memory_dump", "address": instancePtr.toString(), "size": memorySize}, dump);  };});
```
Static Analysis: Understanding Memory Layouts

For more complex data structures, especially those in native libraries (C/C++), a disassembler is invaluable. Ghidra or IDA Pro can help reverse engineer native functions to understand how structs are defined, what fields they contain, and their respective offsets. This knowledge is critical for correctly parsing raw byte arrays.

Performing Automated Memory Dumps

Once you have a Frida script sending memory dumps, you’ll need a Python script to interact with Frida and save the received data to disk.
```
import fridaimport sysimport osdef on_message(message, data):    if message["type"] == "send":        payload = message["payload"]        if payload["type"] == "memory_dump":            address = payload["address"]            size = payload["size"]            filename = f"dump_{address}_{size}.bin"            with open(filename, "wb") as f:                f.write(data)            print(f"[*] Dumped {size} bytes from {address} to {filename}")    else:        print(message)def attach_and_dump(process_name_or_pid):    try:        session = frida.get_usb_device().attach(process_name_or_pid)    except frida.ServerNotRunningError:        print("Frida server not running. Start it on the device: 'frida-server'")        sys.exit(1)    except frida.NotSupportedError:        print("Device not found or not supported. Ensure adb is running and device is connected.")        sys.exit(1)    script_path = "dump_script.js" # Your Frida JS script    with open(script_path, "r") as f:        script_code = f.read()    script = session.create_script(script_code)    script.on("message", on_message)    script.load()    print(f"[*] Attached to {process_name_or_pid}. Press Ctrl+C to detach.")    sys.stdin.read() # Keep the script running until interrupted    session.detach()if __name__ == "__main__":    if len(sys.argv) != 2:        print("Usage: python dump_manager.py <process_name_or_pid>")        sys.exit(1)    attach_and_dump(sys.argv[1])
```
To run this:
1. Save the JavaScript code as `dump_script.js`.
2. Save the Python code as `dump_manager.py`.
3. Ensure `frida-server` is running on your Android device/emulator.
4. Execute: `python dump_manager.py com.example.myapp` (replace with target app package name or PID).
Post-Processing: Reconstructing Data from Raw Dumps

This is where the real challenge and art of memory forensics lies. Raw byte arrays are meaningless without context. You need to know the structure of the data you’ve dumped.

Example: Reconstructing a Simple Java Object

Let’s assume we dumped a custom Java object like this:
```
public class UserSession {    private String token;    private int userId;    private long expiryTime;}
```
When a Java object is in memory, it has an object header, followed by its fields. The exact layout (offsets, sizes) depends on the JVM implementation (ART for Android) and architecture. For simplicity, let’s assume `String` is stored as a pointer (4 or 8 bytes depending on architecture) and `int`/`long` are their standard sizes. We’ll simulate a 64-bit ART environment where pointers are 8 bytes.

A `String` in Java is itself an object, containing a pointer to its underlying `char[]` array and other metadata (like length). When you dump the `UserSession` object, you’ll see a pointer for `token`. You’d need to follow that pointer and dump the `String` object, and then its `char[]` data.

For our demonstration, let’s assume we’re dumping a very simple custom native struct directly or a byte array that holds known data types.
```
import structdef parse_user_data_dump(filepath):    try:        with open(filepath, "rb") as f:            raw_data = f.read()    except FileNotFoundError:        print(f"Error: File not found at {filepath}")        return    # Assuming a simple native struct:    # struct UserData {    #   char username[32]; // 32 bytes    #   uint32_t id;      // 4 bytes    #   float score;      // 4 bytes    # };    # Total size = 32 + 4 + 4 = 40 bytes    # Define the unpack format string:    # '<' for little-endian, '32s' for 32-byte string, 'I' for unsigned int, 'f' for float    if len(raw_data) < 40:        print(f"Error: Dumped data too small ({len(raw_data)} bytes) for expected struct (40 bytes).")        return    unpacked_data = struct.unpack("<32sIf", raw_data[:40])    username_bytes = unpacked_data[0]    user_id = unpacked_data[1]    score = unpacked_data[2]    # Null-terminate and decode username    username = username_bytes.split(b'x00', 1)[0].decode('utf-8')    print(f"Reconstructed User Data:")    print(f"  Username: {username}")    print(f"  User ID: {user_id}")    print(f"  Score: {score}")# Example usage:parse_user_data_dump("dump_0x7f8d42a000_200.bin") # Replace with your actual dump filename
```
In a real-world Java object reconstruction, you’d be parsing Java object headers, field offsets (which can be derived by inspecting the ART runtime or by dynamic analysis), and then recursively parsing referenced objects (like `String` objects pointing to `char[]`). This often requires a more sophisticated parser that understands ART’s internal memory representation.

Reconstructing Complex Structures

For more complex scenarios, such as reconstructing a `List` or `Map` of objects, the process involves:
1. Dumping the container object: Get the raw bytes of the `List` or `Map` instance.
2. Identifying internal pointers: The container will hold pointers to its elements. These pointers need to be followed.
3. Recursively dumping elements: For each element pointer, perform another memory dump of that element’s memory region.
4. Parsing each element: Apply the same reconstruction logic as above to each individual element.
This iterative process often leads to a
May 30, 2026
Targeted Memory Dumping: Pinpointing Specific Data Structures in Android Apps with Frida
Introduction: Beyond Generic Memory Dumps

In the realm of Android application penetration testing and reverse engineering, memory dumping is a powerful technique to extract sensitive information. While a full memory dump can yield vast amounts of data, it often presents an overwhelming challenge in terms of analysis, requiring significant effort to sift through gigabytes of raw bytes. This is where targeted memory dumping with Frida shines. Instead of indiscriminately dumping an entire process’s memory, we can use Frida to precisely locate, intercept, and extract specific data structures, object instances, or memory regions that are known or suspected to hold sensitive information.

This expert-level guide will walk you through the methodologies and Frida scripts to perform highly granular memory dumping, focusing on particular data structures within an Android application. We’ll explore techniques for both Java and native memory manipulation, providing actionable examples.

The Power of Precision: Why Targeted Dumping Matters

Targeted memory dumping offers several key advantages:
- Efficiency: Reduces the amount of data to analyze, saving time and computational resources.
- Precision: Directly extracts the relevant data, bypassing obfuscation or encryption mechanisms that might be present in storage.
- Bypassing Anti-Tampering: Often allows extraction of data that is only briefly in memory, avoiding persistent storage analysis.
- Dynamic Analysis: Captures data during runtime, reflecting the application’s current state and active secrets.
Prerequisites

Before diving in, ensure you have the following setup:
- A rooted Android device or an emulator (e.g., AVD, Genymotion).
- Frida installed on your host machine and Frida server running on the Android device.
- Basic familiarity with Android application reverse engineering (e.g., using Jadx, Ghidra, or APKTool).
- Basic understanding of JavaScript for writing Frida scripts.
Method 1: Scanning for Known Patterns in Memory (e.g., Strings)

Sometimes, a target value like an API key, a specific identifier, or a unique string might be residing directly in memory. Frida’s Memory.scanSync() API allows us to search for specific byte patterns within the process’s memory regions.

Scenario: Locating a Hardcoded API Key

Let’s assume we’ve identified through static analysis (e.g., decompiling with Jadx) that an application uses a string like "pk_live_some_very_secret_api_key", but it’s generated or placed in memory dynamically. We want to find its exact memory location and value during runtime.
```
Java.perform(function () { const pattern = "70 6B 5F 6C 69 76 65 5F 73 6F 6D 65 5F 76 65 72 79 5F 73 65 63 72 65 74 5F 61 70 69 5F 6B 65 79"; // Hex representation of "pk_live_some_very_secret_api_key" const pageSize = Process.pageSize; // Get system page size console.log("Searching for pattern: " + pattern); Process.enumerateRanges('r--').forEach(function (range) { try { const matches = Memory.scanSync(range.base, range.size, pattern); matches.forEach(function (match) { console.log("Found pattern at: " + match.address); const data = Memory.readCString(match.address); console.log("Extracted string: " + data); }); } catch (e) { // Handle potential access violations or other errors console.error("Error scanning range " + range.base + ": " + e.message); } }); console.log("Scan complete.");});
```
Explanation:
- We convert the target string into its hexadecimal byte pattern.
- Process.enumerateRanges('r--') iterates through all readable memory regions.
- Memory.scanSync(address, size, pattern) attempts to find occurrences of our pattern within each region.
- Upon finding a match, we print the address and use Memory.readCString() to extract the string from that address.
Method 2: Extracting Data from Live Java Object Instances

Often, sensitive data is stored within instances of specific Java classes. Frida’s Java API allows us to hook methods, access fields, and even instantiate objects to extract their internal state.

Scenario: Dumping a `byte[]` field from a Custom Secret Holder Class

Imagine an application has a class named com.example.app.SecretHolder which holds an encrypted key in a private byte[] field named encryptedKeyData.
```
Java.perform(function () { const SecretHolder = Java.use('com.example.app.SecretHolder'); // Hook the constructor to get instances when they are created SecretHolder.$init.implementation = function () { console.log('SecretHolder constructor called!'); this.$init(); // Call original constructor // Now 'this' refers to the new instance, we can access its fields const encryptedKeyData = this.encryptedKeyData.value; // Access the byte[] field if (encryptedKeyData) { console.log('Dumping encryptedKeyData (length: ' + encryptedKeyData.length + '):'); // Convert byte[] to Hex string for easy viewing let hexString = ''; for (let i = 0; i < encryptedKeyData.length; i++) { hexString += ('0' + (encryptedKeyData[i] & 0xFF).toString(16)).slice(-2); } console.log(hexString); } else { console.log('encryptedKeyData field is null or empty.'); } }; // Alternatively, if instances already exist and are static/globally accessible: /* Java.choose('com.example.app.SecretHolder', { onMatch: function(instance) { console.log('Found an existing SecretHolder instance: ' + instance); const encryptedKeyData = instance.encryptedKeyData.value; if (encryptedKeyData) { let hexString = ''; for (let i = 0; i < encryptedKeyData.length; i++) { hexString += ('0' + (encryptedKeyData[i] & 0xFF).toString(16)).slice(-2); } console.log('Dumping from existing instance: ' + hexString); } }, onComplete: function() { console.log('Java.choose complete.'); } }); */});
```
Explanation:
- Java.use('com.example.app.SecretHolder') gets a JavaScript wrapper for the Java class.
- SecretHolder.$init.implementation allows us to intercept the constructor. When a SecretHolder object is created, our custom logic runs.
- Inside the constructor hook, this refers to the newly created instance. We can then directly access its public or private fields (Frida can often bypass Java visibility restrictions, though sometimes `Java.cast` or other techniques are needed for complex objects).
- We extract the encryptedKeyData byte array and convert it to a hexadecimal string for display.
- The commented-out Java.choose demonstrates how to find *existing* instances of a class in the heap, useful if you miss the constructor or need to interact with objects already alive.
Method 3: Intercepting Native Memory Operations

Many performance-critical or security-sensitive operations in Android apps are implemented in native code (C/C++), often through JNI. Frida’s Interceptor.attach() is crucial for hooking native functions and inspecting their arguments or return values, which frequently include pointers to memory buffers.

Scenario: Dumping Data Passed to a Native Crypto Function

Consider a native library (e.g., libnativecrypto.so) that has a function encryptData(const void* inputBuffer, size_t inputSize, void* outputBuffer, size_t outputSize). We want to dump the inputBuffer before encryption occurs.
```
Interceptor.attach(Module.findExportByName('libnativecrypto.so', 'encryptData'), { onEnter: function (args) { // args[0] is inputBuffer, args[1] is inputSize console.log('Hooked encryptData!'); this.inputBuffer = args[0]; this.inputSize = args[1].toInt32(); // Cast NativePointer to int32 }, onLeave: function (retval) { // We can dump the input buffer here or in onEnter if (this.inputBuffer && this.inputSize > 0) { console.log('Dumping inputBuffer before encryption (size: ' + this.inputSize + ' bytes):'); const dumpedBytes = Memory.readByteArray(this.inputBuffer, this.inputSize); // Convert ArrayBuffer to Hex String for display function arrayBufferToHexString(buffer) { const byteArray = new Uint8Array(buffer); let hexString = ''; for (let i = 0; i < byteArray.byteLength; i++) { hexString += ('0' + byteArray[i].toString(16)).slice(-2); } return hexString; } console.log(arrayBufferToHexString(dumpedBytes)); } else { console.log('Input buffer not available or size is zero.'); } }});
```
Explanation:
- Module.findExportByName('libnativecrypto.so', 'encryptData') locates the address of the exported native function.
- Interceptor.attach() hooks this function.
- onEnter is called when the function is entered. We store the relevant arguments (inputBuffer and inputSize) in this context, making them accessible in onLeave.
- onLeave is called when the function returns. Here, we use Memory.readByteArray(address, size) to dump the raw bytes from the inputBuffer. The result is an ArrayBuffer, which we then convert to a hexadecimal string for logging.
Analyzing Dumped Data

Once you have dumped the raw bytes or hex strings, you’ll need tools to analyze them. Depending on the data type, this could involve:
- Hex Editors: For visual inspection of raw bytes (e.g., HxD, 010 Editor).
- CyberChef: For various encoding/decoding, encryption, and data manipulation tasks.
- Custom Scripts: Python scripts are ideal for parsing structured data, decrypting, or reassembling fragmented information.
Conclusion

Targeted memory dumping with Frida is an indispensable skill for advanced Android penetration testers and reverse engineers. By moving beyond full memory dumps and focusing on specific data structures and memory regions, you can significantly streamline your analysis, efficiently extract sensitive information, and gain deeper insights into an application’s runtime behavior. Mastering these techniques empowers you to pinpoint critical data, whether it’s an API key in a string, an encrypted blob in a Java object, or sensitive plaintext in a native buffer, ultimately enhancing your ability to identify and exploit vulnerabilities.
May 30, 2026

Frida RPC Lab: Reverse Engineering Android API Calls & Object States in Real-Time

Introduction to Frida RPC for Android Penetration Testing

Frida is an invaluable dynamic instrumentation toolkit for security researchers and penetration testers. While basic hooking allows intercepting method calls and modifying arguments, Frida’s Remote Procedure Call (RPC) capabilities unlock a far more powerful dimension: direct, programmatic interaction with the target application’s runtime environment from your host machine. This enables real-time querying of object states, invoking arbitrary methods, and exfiltrating data, making it an indispensable tool for deep Android app analysis and exploitation.

This lab will guide you through setting up and utilizing Frida RPC to interact with an Android application. We’ll explore how to identify target APIs and objects, craft a Frida agent with RPC exports, and develop a Python client to control and query the application’s internal state remotely. The goal is to demonstrate how to dynamically interact with an app’s Java and native layers to extract information or manipulate its behavior without modifying the APK.

Prerequisites and Setup

Before diving into RPC, ensure you have Frida installed on your host machine and frida-server running on your Android device (rooted recommended for ease of use). You’ll need:

A rooted Android device or emulator with ADB access.
Frida tools installed on your host: pip install frida-tools.
frida-server pushed to your device and running:

adb push frida-server /data/local/tmp/frida-server
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"

Identifying the Target Application and Process

First, identify the package name of the Android application you wish to analyze. For this example, let’s assume our target package is com.example.androidapp. You can list running processes with Frida:

frida-ps -Uai

This command lists all installed applications and their process IDs (PIDs) if they are running. Note the PID or package name for subsequent steps.

Building the Frida RPC Agent

The core of Frida RPC lies in defining functions in your JavaScript agent that can be called remotely by a client. These functions are exposed via rpc.exports. Let’s create a file named rpc_agent.js.

// rpc_agent.js

Java.perform(function() {
    // Helper function to get a Java class
    function getJavaClass(className) {
        try {
            return Java.use(className);
        } catch (e) {
            console.error("Error loading class " + className + ": " + e.message);
            return null;
        }
    }

    rpc.exports = {
        // Example 1: Read a static string field from a class
        getstaticstring: function(className, fieldName) {
            var targetClass = getJavaClass(className);
            if (targetClass && targetClass[fieldName] !== undefined) {
                return targetClass[fieldName].value;
            }
            return null;
        },

        // Example 2: Invoke a method on an existing instance and return its value
        // This assumes we have a way to get an instance, e.g., by hooking a constructor
        invokeinstancemethod: function(instancePtr, methodName, args) {
            try {
                var instance = Java.cast(ptr(instancePtr), Java.use('java.lang.Object'));
                var method = instance[methodName];
                if (method) {
                    // Prepare arguments for method invocation. Frida often handles basic types.
                    // For complex types, you might need to convert them from JSON-serializable to Java objects.
                    return method.apply(instance, args);
                }
            } catch (e) {
                console.error("Error invoking method: " + e.message);
            }
            return null;
        },

        // Example 3: Create a new Java object and return its reference (as a string pointer)
        createnewobject: function(className, constructorArgs) {
            var targetClass = getJavaClass(className);
            if (targetClass) {
                try {
                    var newObject = targetClass.$new.apply(targetClass, constructorArgs);
                    // Return the object's pointer as a string for the client to refer to
                    return newObject.toString(); // e.g., 'android.content.ContextWrapper@c72a59a'
                } catch (e) {
                    console.error("Error creating new object: " + e.message);
                }
            }
            return null;
        },

        // Example 4: Manipulate a private field of an existing instance
        setprivatefield: function(instancePtr, fieldName, newValue) {
            try {
                var instance = Java.cast(ptr(instancePtr), Java.use('java.lang.Object'));
                var field = instance.getClass().getDeclaredField(fieldName);
                field.setAccessible(true);
                field.set(instance, newValue);
                return true;
            } catch (e) {
                console.error("Error setting private field: " + e.message);
            }
            return false;
        }
    };
});

In this agent:

Java.perform() ensures our code runs within the context of the Java Virtual Machine.
rpc.exports is the crucial object that exposes our functions to the remote client.
getstaticstring demonstrates reading a static field directly.
invokeinstancemethod shows calling a method on a given instance. Obtaining the instance pointer (instancePtr) typically requires prior hooking of a constructor or a method that returns an instance.
createnewobject illustrates how to instantiate new Java objects, returning their string representation of the pointer, which can then be cast back in the agent for further interaction.
setprivatefield shows how to access and modify private fields using reflection, a common requirement in reverse engineering.

Developing the Python RPC Client

Now, let’s create a Python script, rpc_client.py, to connect to Frida, inject our agent, and call the exported RPC functions.

# rpc_client.py

import frida
import sys

def on_message(message, data):
    print(f"[on_message] {message} {data}")

def main(target_package):
    try:
        # Connect to the USB device or remote host
        device = frida.get_usb_device(timeout=5) # or frida.get_remote_device()
        
        # Attach to the specified package name
        session = device.attach(target_package)
        print(f"Attached to {target_package}")

        # Load the Frida agent script
        with open("rpc_agent.js", "r") as f:
            script_code = f.read()
        script = session.create_script(script_code)
        script.on('message', on_message)
        script.load()
        print("Frida agent loaded.")

        # Access the exported RPC methods
        rpc_exports = script.exports

        # --- Example 1: Get a static string ---
        # Assume com.example.androidapp.Config has a static field 'API_KEY'
        api_key = rpc_exports.getstaticstring('com.example.androidapp.Config', 'API_KEY')
        print(f"[+] Static API Key: {api_key}")

        # --- Example 2: Create a new object ---
        # Assume com.example.androidapp.DataModel has a constructor DataModel(String data)
        new_data_model_ref = rpc_exports.createnewobject('com.example.androidapp.DataModel', ['SecretData123'])
        print(f"[+] New DataModel instance reference: {new_data_model_ref}")
        
        # Note: To invoke methods on this new_data_model_ref, you'd need another RPC export
        # that takes the string ref, casts it back to the specific Java class, and then calls a method.
        # E.g., in rpc_agent.js:
        // getdatamodeldata: function(instanceRef) {
        //     var instance = Java.cast(ptr(instanceRef.split('@')[1]), Java.use('com.example.androidapp.DataModel'));
        //     return instance.getData();
        // }

        # --- Example 3: Demonstrate setting a private field (requires an existing instance) ---
        # For this, we'd typically hook a constructor or method that returns an instance first.
        # Let's assume we previously hooked a constructor and got an instance pointer '0xcafebabe'
        # For a real scenario, you'd hook a constructor or a method that returns an instance
        # and use send() to pass its pointer to your client, then call another RPC method.
        # For demonstration, let's pretend we have an instance pointer for a 'UserSession' object.
        dummy_instance_ptr = '0x12345678' # Placeholder: In a real scenario, this comes from a hook.
        print(f"[!] Attempting to set private field on dummy instance {dummy_instance_ptr}")
        # success = rpc_exports.setprivatefield(dummy_instance_ptr, 'privateToken', 'NEW_TOKEN_FROM_FRIDA')
        # print(f"[+] Private field set: {success}")

        # Keep the script running if you need continuous interaction or hooks to fire
        sys.stdin.read() 

    except frida.core.RPCException as e:
        print(f"RPC Error: {e}")
    except Exception as e:
        print(f"General Error: {e}")
    finally:
        if 'session' in locals() and session:
            session.detach()
            print("Detached from process.")

if __name__ == '__main__':
    if len(sys.argv) != 2:
        print("Usage: python rpc_client.py <package_name>")
        sys.exit(1)
    main(sys.argv[1])

To run the client:

python3 rpc_client.py com.example.androidapp

In this Python client:

We connect to a Frida-enabled device.
Attach to the target application by its package name.
Load our rpc_agent.js script.
Access the exported functions via script.exports.
Demonstrate calling getstaticstring and createnewobject.
The setprivatefield example is commented out because it requires an actual instance pointer, which would typically be obtained by hooking a method (e.g., a constructor or a getter) that returns an instance of the class you want to modify, and then sending that instance’s pointer (instance.handle.toString()) back to the Python client via send().
sys.stdin.read() keeps the Python script alive, allowing the Frida agent to continue running in the background and potentially respond to callbacks or perform further RPC calls.

Real-World Scenarios and Advanced Techniques

Frida RPC excels in scenarios where simple hooking is insufficient:

Data Exfiltration: Instead of just logging data to console, you can use RPC to retrieve sensitive strings, arrays, or entire objects from the app’s memory and send them directly to your host for analysis.
State Manipulation: Call methods to change the application’s internal state, bypass checks, or trigger hidden functionalities. For instance, you could invoke a private method to simulate a successful login or bypass license checks.
Object Instantiation and Interaction: Create new instances of complex objects (e.g., cryptographic ciphers, network handlers) and interact with them in ways the app might not normally expose, for testing or exploitation.
Dynamic Patching: Beyond just hooking, RPC allows you to invoke methods that effectively

May 30, 2026

Android App Data Exfiltration Lab: Memory Dumping Live Processes with Frida
Introduction to Android Memory Dumping with Frida

In the realm of Android application penetration testing, gaining access to data residing in an app’s live memory can be a goldmine for uncovering sensitive information. This technique, known as memory dumping, allows security researchers to extract critical data like API keys, session tokens, user credentials, or even encryption keys that are temporarily stored in volatile memory. While traditional forensics often involves static analysis or disk imaging, live memory analysis provides a snapshot of the application’s state during runtime, revealing data that might never be written to persistent storage.

Frida, a dynamic instrumentation toolkit, stands out as an indispensable tool for this purpose. Its powerful JavaScript API allows for injecting custom code into running processes on Android, enabling sophisticated memory manipulation and data exfiltration. This guide will walk you through setting up a lab environment and crafting Frida scripts to effectively dump and analyze the memory of a live Android application.

Prerequisites for Your Exfiltration Lab

Before diving into the technical steps, ensure you have the following prerequisites in place:
- Rooted Android Device or Emulator: Frida requires root privileges to attach to and instrument most applications.
- ADB (Android Debug Bridge): Essential for interacting with your Android device from your host machine.
- Frida-server on Android device: The agent that runs on the Android device, listening for commands from the Frida-tools on your host.
- Frida-tools on Host Machine (Python): The Python client library for interacting with the Frida-server.
- Python 3: Required to run the host-side Frida script.
Understanding Android Process Memory Regions

Every running process on an operating system, including Android apps, is allocated its own virtual memory space. This space is divided into various regions, each with specific permissions (read, write, execute) and purposes (code, data, stack, heap). Understanding these regions is crucial for effective memory dumping:
- Code/Text Segment: Contains the executable instructions of the program and its loaded libraries. Typically read-only and executable (r-x).
- Data Segment: Stores global and static variables. Can be read-only (initialized data, r--) or read-write (uninitialized data, rw-).
- Heap: Dynamically allocated memory during runtime (e.g., objects created with new in Java/Kotlin). This is a primary target for sensitive application data and is typically read-write (rw-).
- Stack: Used for local variables, function call frames, and return addresses. Also dynamically allocated and typically read-write (rw-).
For data exfiltration, we are primarily interested in memory regions with read permissions, particularly r-- and rw-, as these are most likely to contain application data rather than executable code.

Setting Up Frida-Server on Android

1. Download Frida-server

First, identify the architecture of your Android device. Then, download the corresponding Frida-server binary from the official Frida releases page on GitHub.
```
adb shell getprop ro.product.cpu.abi
# Example output: arm64-v8a
wget https://github.com/frida/frida/releases/download/16.1.4/frida-server-16.1.4-android-arm64 -O frida-server
```
2. Push to Device and Execute

Push the downloaded frida-server binary to a writable directory on your device (e.g., /data/local/tmp/), set executable permissions, and then run it in the background.
```
adb push frida-server /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"
```
Identifying the Target Process

Before attaching Frida, you need to know the package name or Process ID (PID) of your target Android application. Ensure the app is running on your device.
```
adb shell ps -A | grep com.example.targetapp
# Example output (PID is the second column):
# u0_a123   12345 1234  ... com.example.targetapp
```
Note down the PID (e.g., 12345) or the package name (e.g., com.example.targetapp).

Crafting the Frida Memory Dumping Script

Our memory dumping solution will consist of two parts: a Python host script that manages the Frida connection and saves the dumped data, and a JavaScript payload that Frida injects into the target process to perform the actual memory enumeration and dumping.

1. Python Host Script (frida_dump.py)

Create a Python file named frida_dump.py:
```
import frida
import sys
import os

# --- CONFIGURATION ---
PACKAGE_NAME = "com.example.targetapp" # Replace with your target app package
PID = 12345 # Or specify PID directly if preferred
OUTPUT_DIR = "memory_dumps"
# ---------------------

def on_message(message, data):
    if message['type'] == 'send':
        print(f"[+] {message['payload']}")
        if data:
            # Sanitize region name for filename
            region_info = message['payload'].split("Dumping region: ")[1].strip()
            filename = os.path.join(OUTPUT_DIR, f"dump_{region_info.replace('/', '_').replace('[', '').replace(']', '').replace(' ', '-')}.bin")
            os.makedirs(OUTPUT_DIR, exist_ok=True)
            with open(filename, "wb") as f:
                f.write(data)
            print(f"    Dumped {len(data)} bytes to {filename}")
    elif message['type'] == 'error':
        print(f"[-] Script Error: {message['description']}n{message['stack']}")

def main():
    try:
        device = frida.get_usb_device(timeout=10) # Connect to USB device
    except frida.TimedOutError:
        print("[-] Device not found. Ensure Frida-server is running and device is connected.")
        sys.exit(1)

    try:
        # Attach to the application by package name or PID
        if PID:
            process = device.attach(PID)
            print(f"[+] Attached to PID {PID} (Name: {process.name})")
        else:
            process = device.attach(PACKAGE_NAME)
            print(f"[+] Attached to {PACKAGE_NAME} (PID: {process.pid})")

    except frida.ProcessNotFoundError:
        print(f"[-] Process '{PACKAGE_NAME}' (or PID {PID}) not found. Is the app running?")
        sys.exit(1)

    # The JavaScript payload for memory enumeration and dumping
    frida_js_code = """
        console.log("[*] Frida payload injected. Enumerating memory regions...");

        // Define a minimum and maximum size for regions to dump (adjust as needed)
        // This helps in filtering out very small or excessively large (e.g., system) regions
        var MIN_DUMP_SIZE = 0x100; // 256 bytes
        var MAX_DUMP_SIZE = 0x20000000; // 512 MB (adjust based on expected memory usage)

        // Iterate over 'r--' (read-only) and 'rw-' (read-write) memory regions
        Process.enumerateRanges('r--').concat(Process.enumerateRanges('rw-')).forEach(function(range) {
            // Filter out system libraries, too small/large regions, and file-backed memory
            // We want to focus on dynamically allocated heap/stack data.
            if (range.size > MIN_DUMP_SIZE && range.size < MAX_DUMP_SIZE && !range.file && !range.base.isNull()) {
                try {
                    var data = range.readByteArray(range.size);
                    if (data) {
                        // Send the region base address and size information, along with the binary data
                        send("Dumping region: " + range.base + "_" + range.size + "_" + range.protection, data);
                    }
                } catch (e) {
                    console.log("[-] Error reading region " + range.base + ": " + e.message);
                }
            }
        });

        console.log("[*] Memory enumeration complete.");
    """

    script = process.create_script(frida_js_code)
    script.on('message', on_message)
    script.load()

    print("[*] Script loaded. Waiting for dumps. Press Ctrl+C to detach.")
    sys.stdin.read() # Keep script running until Ctrl+C
    process.detach()
    print("[*] Detached from process.")

if __name__ == "__main__":
    main()
```
Before running, ensure you replace PACKAGE_NAME or PID with your target application’s details.

2. Frida JavaScript Payload (Embedded)

The core logic for memory dumping resides within the frida_js_code string in the Python script. This JavaScript executes directly within the target Android application’s process:
- Process.enumerateRanges('r--').concat(Process.enumerateRanges('rw-')): This crucial Frida API call enumerates all memory regions accessible by the process that have read-only (r--) or read-write (rw-) permissions. These are the most likely candidates for sensitive application data.
- Filtering Regions: The script includes logic to filter out regions that are too small (e.g., 0x100 bytes) or excessively large (e.g., 0x20000000 bytes), and critically, it ignores file-backed memory (!range.file). This focuses the dump on dynamically allocated memory on the heap and stack, where application secrets are typically found.
- range.readByteArray(range.size): For each identified region, this function attempts to read its entire content as a byte array.
- send(
May 30, 2026
Beyond Encryption: How Frida Hooks Dump User Credentials from Android App Memory Introduction: The Elusive Credentials In the realm of Android application penetration testing, a common hurdle is the encryption of sensitive data, especially user credentials, both at rest and in transit. While network traffic can often be intercepted and decrypted with tools like Burp Suite, and static analysis can reveal cryptographic implementations, the ultimate challenge lies in capturing credentials that are actively being processed or temporarily stored in an application’s memory in their decrypted, plaintext form. This is where dynamic instrumentation frameworks like Frida become indispensable. This article delves into the expert-level application of Frida hooks to actively intercept and dump user credentials directly from an Android application’s runtime memory, bypassing conventional encryption and obfuscation techniques. Why Memory Dumping? Modern Android applications frequently employ robust security measures. Credentials might be encrypted before storage or transmission, obfuscated in code, or transmitted over secure channels with certificate pinning. However, at some point, these credentials must exist in plaintext or a readily usable decrypted form within the application’s memory space for processing. By hooking into critical functions that handle string manipulation, byte array operations, or network I/O, we can effectively catch these fleeting moments and extract the data. Setting Up Your Android Penetration Testing Environment Before diving into Frida, ensure your environment is correctly configured. Prerequisites Rooted Android Device or Emulator: Necessary for running Frida server and accessing app processes. Android Debug Bridge (ADB): For interacting with the device/emulator. Frida-server: The Frida agent running on the target Android device. Frida-tools: Python library and command-line tools for interacting with Frida-server. Install via `pip install frida-tools`. Python 3: For writing and executing Frida scripts. Installing Frida on Android 1. Download Frida-server: Visit Frida’s GitHub releases page and download the appropriate `frida-server` for your device’s architecture (e.g., `arm64`, `x86`). wget https://github.com/frida/frida/releases/download/16.1.4/frida-server-16.1.4-android-arm64.xz xz -d frida-server-16.1.4-android-arm64.xz 2. Push to Device and Grant Permissions: adb push frida-server-16.1.4-android-arm64 /data/local/tmp/ adb shell "chmod 755 /data/local/tmp/frida-server-16.1.4-android-arm64" 3. Run Frida-server: adb shell "/data/local/tmp/frida-server-16.1.4-android-arm64 &" Confirm it’s running by executing `frida-ps -U` on your host machine. Understanding In-Memory Credential Exposure Common Scenarios Credentials can manifest in memory through various operations: String Object Creation: When `java.lang.String` objects are instantiated from character arrays, byte arrays, or other strings. Base64 Decoding: Many apps encode sensitive data with Base64 before storing or transmitting; the decoded form will temporarily exist in memory. Network I/O: Just before sending data over the network or immediately after receiving it, credentials often appear in plaintext. Decryption Operations: After retrieving encrypted credentials, the decryption routine will produce a plaintext output that resides in memory. Frida for Memory Analysis: The Core Concepts Attaching to a Process and Enumerating Memory Frida allows you to attach to a running process and interact with its memory. You can enumerate memory ranges, read/write to specific addresses, and scan for patterns. Java.perform(function() { var targetApp = Java.use('android.app.ActivityThread').currentApplication(); var packageName = targetApp.getPackageName(); console.log('[*] Attached to: ' + packageName); // Example: enumerate memory ranges (can be very verbose) Process.enumerateRanges('r--', { onMatch: function(range) { // console.log(JSON.stringify(range)); }, onComplete: function() { console.log('[*] Memory enumeration complete.'); } }); }); Hooking Constructors and Methods for Credential Interception The most effective strategy is to hook functions responsible for handling data at critical junctures. For credentials, this often means monitoring `java.lang.String` constructors and methods that perform decryption or decoding. Step-by-Step Guide: Dumping Credentials with Frida Hooks 1. Identifying the Target Application First, identify the package name of the target Android application. You can use `adb shell pm list packages | grep ` or `frida-ps -Uai` to list running apps and their package names. adb shell pm list packages | grep whatsapp // Example output: package:com.whatsapp 2. Crafting the Frida Script We’ll create a comprehensive Frida script (`dump_creds.js`) that targets common points where credentials might appear. Java.perform(function () { console.log('[*] Frida script loaded. Monitoring for credentials...'); // --- Hooking String Constructors --- // Capture new String objects created from byte arrays, char arrays, etc. var String = Java.use('java.lang.String'); // String(byte[] bytes, int offset, int length) String.$init.overload('[B', 'int', 'int').implementation = function (bytes, offset, length) { var result = this.$init(bytes, offset, length); try { var str = String.$new(bytes, offset, length); if (str.length > 5) { // Filter short strings to reduce noise // Add keyword filtering here if needed, e.g., str.includes('password') send('[String-bytes-offset-length]: ' + str); } } catch (e) { // Handle potential encoding issues } return result; }; // String(byte[] bytes) String.$init.overload('[B').implementation = function (bytes) { var result = this.$init(bytes); try { var str = String.$new(bytes); if (str.length > 5) { send('[String-bytes]: ' + str); } } catch (e) { // Handle potential encoding issues } return result; }; // String(char[] value) String.$init.overload('[C').implementation = function (value) { var result = this.$init(value); try { var str = String.$new(value); if (str.length > 5) { send('[String-chars]: ' + str); } } catch (e) { // Handle potential encoding issues } return result; }; // --- Hooking Base64 Decoding --- // Often used for decoding credentials from configuration files or network responses. var Base64 = Java.use('android.util.Base64'); Base64.decode.overload('java.lang.String', 'int').implementation = function (str, flags) { var decodedBytes = this.decode(str, flags); var decodedStr = String.$new(decodedBytes); if (decodedStr.length > 5) { send('[Base64.decode(String)]: ' + decodedStr); } return decodedBytes; }; Base64.decode.overload('[B', 'int').implementation = function (bytes, flags) { var decodedBytes = this.decode(bytes, flags); var decodedStr = String.$new(decodedBytes); if (decodedStr.length > 5) { send('[Base64.decode(bytes)]: ' + decodedStr); } return decodedBytes; }; // --- Hooking Network I/O (Example: OkHttp body writes) --- // This is an advanced example, requires knowing the app's network library. // If using OkHttp, you might hook RequestBody.writeTo or okhttp3.Call.enqueue // For generic network write, consider OutputStream.write (but it's very noisy) // Example for a generic OutputStream.write (CAUTION: extremely verbose, filter carefully) /* var OutputStream = Java.use('java.io.OutputStream'); OutputStream.write.overload('[B', 'int', 'int').implementation = function (buffer, offset, count) { var result = this.write(buffer, offset, count); try { var dataWritten = String.$new(buffer, offset, count); if (dataWritten.length > 5 && (dataWritten.includes('user') || dataWritten.includes('pass'))) { send('[OutputStream.write]: ' + dataWritten); } } catch (e) {} return result; }; */ console.log('[*] Hooks installed. Interact with the application to trigger them.'); }); Explanation of the Script: `Java.perform()`: Ensures the script executes within the Java VM context of the target app. `Java.use(‘java.lang.String’)`: Obtains a handle to the `java.lang.String` class. `$init.overload(‘[B’, ‘int’, ‘int’)`: Targets specific constructors. `[B` denotes a byte array, `[C` a char array. We hook multiple `String` constructors to catch various ways strings are formed. `implementation = function (…)`: Overrides the original method/constructor. Inside, we call the original using `this.$init(…)` to allow the app to function normally, then log the string. `String.$new(bytes)`: Creates a new Java `String` object from the byte array for logging. `send(‘[Tag]: ‘ + str)`: Sends the extracted string to the Frida client on the host machine. `android.util.Base64.decode`: Hooks the `Base64.decode` methods. Many applications use Base64 to encode sensitive strings before encryption or transmission, and decoding yields the plaintext. Filtering: `str.length > 5` helps reduce noise by ignoring very short, often irrelevant strings. For targeted attacks, you might add `str.includes(‘password’)` or similar keyword filters. 3. Executing the Hook and Analyzing Output Once the script is ready, run it against your target application. Replace `com.example.app` with the actual package name. frida -U -l dump_creds.js -f com.example.app --no-pauserequire('frida-java'); // For older Frida versions, might be needed. Now, interact with the application. Log in, register, or perform any action that might involve credential handling. Frida will print any intercepted strings to your console. Advanced Considerations and Mitigation Targeting Specific Libraries and Network Calls For more focused credential extraction, you’ll need to reverse engineer the application (e.g., using Jadx or Ghidra) to identify specific classes and methods responsible for encryption/decryption, network communication (e.g., `okhttp3.RequestBody`, `javax.crypto.Cipher`), or database interactions. Hooking these specific points will provide cleaner, more relevant output. For example, if an app uses `javax.crypto.Cipher` to decrypt, you could hook `Cipher.doFinal([B)`: var Cipher = Java.use('javax.crypto.Cipher'); Cipher.doFinal.overload('[B').implementation = function (input) { var decryptedBytes = this.doFinal(input); var decryptedStr = String.$new(decryptedBytes); if (decryptedStr.length > 5) { send('[Cipher.doFinal]: ' + decryptedStr); } return decryptedBytes; }; Developer Mitigations Developers can implement several strategies to reduce the risk of memory dumping: Ephemeral Data: Clear sensitive data from memory as soon as it’s no longer needed. Use character arrays (`char[]`) instead of `String` for passwords and zero them out after use. Secure Memory Allocation: Employ OS-level secure memory features (e.g., `mprotect` on Linux) to make sensitive memory regions read-only or inaccessible after use. Hardware-Backed Keystores: Store cryptographic keys in hardware-backed keystores, making them extremely difficult to extract. Anti-Frida Measures: Implement checks for the presence of Frida server or Frida’s instrumentation framework, though these can often be bypassed. Conclusion Frida is an exceptionally powerful tool for dynamic analysis and penetration testing of Android applications. By leveraging its ability to hook into arbitrary Java methods and native functions, security researchers can bypass traditional encryption layers and gain direct access to sensitive data, such as user credentials, as it exists in the application’s runtime memory. While this technique highlights significant security vulnerabilities, it also underscores the critical need for developers to implement robust memory hygiene and secure coding practices to protect user data from sophisticated attacks. May 30, 2026
Frida Memory Dumping 101: Extracting Sensitive Android App Data Step-by-Step Introduction to Android Memory Dumping with Frida In the realm of mobile application penetration testing, understanding and manipulating an app’s memory space is a critical skill. Sensitive data, such as API keys, session tokens, user credentials, encryption keys, and other proprietary information, often resides unencrypted in memory at various points during an application’s lifecycle. Memory dumping allows security researchers and pentesters to extract these in-memory artifacts directly. While traditional methods involve using `procdump` or `gdb`, Frida, the dynamic instrumentation toolkit, offers a powerful and flexible approach to interact with and dump an application’s memory on Android devices. This expert-level guide will walk you through the process of setting up Frida, identifying interesting memory regions, and programmatically dumping their contents. By the end, you’ll have a robust methodology for extracting sensitive data from Android applications. Prerequisites and Setup Before diving into memory dumping, ensure you have the following setup: Rooted Android Device or Emulator: Frida requires elevated privileges to attach to processes and perform memory operations. ADB (Android Debug Bridge): Installed and configured on your host machine to communicate with the Android device. Frida-Server: Download the appropriate `frida-server` binary for your device’s architecture (e.g., `arm64`, `x86_64`) from the Frida releases page. Push it to your device, make it executable, and run it. Frida-Tools: Installed on your host machine (`pip install frida-tools`). Basic JavaScript Knowledge: Frida scripts are written in JavaScript. Frida Server Setup: 1. Download `frida-server-*-android-arm64` (or your device’s architecture) from Frida’s GitHub releases. 2. Push it to your device: adb push frida-server-*-android-arm64 /data/local/tmp/frida-server 3. Make it executable and run it: adb shell "chmod +x /data/local/tmp/frida-server && /data/local/tmp/frida-server &" Identifying Target Memory Regions The first step in effective memory dumping is to understand which parts of an application’s memory might contain valuable data. On Linux-based systems like Android, the `/proc/[PID]/maps` file provides a map of the process’s virtual memory regions. Inspecting `/proc/[PID]/maps` The `maps` file details each memory region, its permissions (read, write, execute), offset, and the file or device it’s mapped from. We’re primarily interested in regions with write permissions (`rw-`) as these often correspond to heap allocations, stack frames, and other dynamic data structures where application-specific data is stored. 1. Find the Package ID (PID) of your target application: adb shell pidof com.example.targetapp # Example output: 12345 2. Inspect its memory map: adb shell cat /proc/12345/maps You’ll see output similar to this, detailing address ranges, permissions, and what’s mapped: 00a00000-00a21000 rw-p 00000000 00:00 0 [heap] 00a21000-00e21000 rw-p 00000000 00:00 0 [anon:libc_malloc] 7000000000-7000100000 rw-p 00000000 00:00 0 [anon:dalvik-main space] ... (many more lines) Frida’s `Process.enumerateRanges` Manually parsing `/proc/[PID]/maps` can be tedious. Frida provides a much more programmatic way to enumerate memory regions using `Process.enumerateRanges()`. This function allows you to filter regions based on their protection (read, write, execute). Let’s create a basic Frida script to list writable memory regions: /* enumerate_writable_ranges.js */ console.log("Enumerating writable memory ranges..."); Process.enumerateRanges('rw-').forEach(function(range) { console.log(`Base: ${range.base}, Size: ${range.size}, Protection: ${range.protection}, File: ${range.file ? range.file.path : '[anonymous]'}`); }); console.log("Done."); To run this script against an application (replace `com.example.targetapp` with your actual target): frida -U -l enumerate_writable_ranges.js com.example.targetapp This will output a list of all readable and writable memory regions, giving you a better idea of where to focus your dumping efforts. Pay close attention to regions marked as `[heap]`, `[anon:libc_malloc]`, or `[anon:dalvik-main space]`, as these are common locations for dynamic data. The Core: Dumping Memory with Frida Once you’ve identified a promising memory region (or simply want to dump all writable regions), Frida’s `Memory.readByteArray()` function comes into play. This function reads a specified number of bytes from a given memory address. Building the Dumping Script We’ll combine memory enumeration with `readByteArray()` and Frida’s `File` API to dump the contents of these regions to files on the Android device. /* frida_memory_dump.js */ function dumpMemoryRegion(address, size, filename) { try { console.log(`Attempting to dump ${size} bytes from ${address} to /data/local/tmp/${filename}`); let data = Memory.readByteArray(address, size); if (data) { let file = new File(`/data/local/tmp/${filename}`, "wb"); file.write(data); file.close(); console.log(`Successfully dumped ${size} bytes from ${address} to ${filename}`); } else { console.warn(`Failed to read data from ${address}.`); } } catch (e) { console.error(`Error dumping ${address}: ${e.message}`); } } function startMemoryDump() { const DUMP_THRESHOLD_MB = 10; // Only dump regions smaller than this to avoid massive files const DUMP_PATH = '/data/local/tmp/'; console.log("Starting memory dump for writable regions..."); Process.enumerateRanges('rw-').forEach(function(range) { // Filter out excessively large regions or system-level regions if needed if (range.size > 0 && range.size < DUMP_THRESHOLD_MB * 1024 * 1024) { let filename = `dump_${range.base.toString().substr(2)}_${range.size}.bin`; dumpMemoryRegion(range.base, range.size, filename); } else { console.log(`Skipping large or empty region: Base: ${range.base}, Size: ${range.size}`); } }); console.log("Memory dump finished. Files are in " + DUMP_PATH); console.log("Use 'adb pull /data/local/tmp/dump_*.bin .' to retrieve them."); } // We can call startMemoryDump directly, or hook into a specific function // if you want to dump memory at a particular point in the app's execution. // For a general dump on app startup, run it directly. setImmediate(startMemoryDump); // Alternatively, if you want to trigger it from the console after attaching: // rpc.exports = { // dump: startMemoryDump // }; Executing the Dump and Retrieval 1. Save the above script as `frida_memory_dump.js`. 2. Run Frida, injecting your script into the target application. Ensure the app is running or Frida will launch it for you (`-f` flag): frida -U -f com.example.targetapp -l frida_memory_dump.js --no-pause 3. Monitor the console output for success or error messages. Frida will create `.bin` files in `/data/local/tmp/` on your Android device. 4. After the script completes, pull the dumped files to your host machine: adb pull /data/local/tmp/ . This command will pull all files from `/data/local/tmp/` to your current directory. You can be more specific with `adb pull /data/local/tmp/dump_*.bin .`. Analyzing the Dumped Data Once you have the `.bin` files, you can use various tools for analysis: `strings` command: Often the quickest way to find plaintext strings within binary data. `strings dump_*.bin | grep “sensitive_keyword”` Hex Editor: Tools like HxD, 010 Editor, or even `xxd` (Linux command-line) can help you visually inspect the raw bytes and identify patterns. Grep: For searching specific byte sequences or patterns. Look for common indicators of sensitive data: API keys (e.g., “AIza”), URLs, JSON structures, session IDs, user credentials, hardcoded secrets, or anything that looks like plain text in an unexpected place. Advanced Techniques and Considerations Hooking Memory Allocation Functions Instead of just dumping static regions, you can hook functions like `malloc`, `calloc`, `new`, or `mmap` to inspect buffers as they are allocated. This is particularly useful for dynamically generated or transient data. You can then dump specific buffers of interest when they are created or modified. // Example: Hooking malloc to log allocations (simplified) Interceptor.attach(Module.findExportByName(null, 'malloc'), { onEnter: function(args) { this.size = args[0].toInt32(); }, onLeave: function(retval) { if (this.size > 0 && this.size < 1024) { // Small allocations // console.log(`malloc(${this.size}) returned ${retval}`); // You could dump this small buffer here if it's interesting // dumpMemoryRegion(retval, this.size, `malloc_dump_${retval}.bin`); } } }); Context-Aware Dumping For more targeted analysis, you can integrate memory dumping with function hooking. For instance, if you suspect a particular function handles sensitive data (e.g., `decryptPassword`, `sendApiKey`), you can hook that function and dump memory regions (parameters, return values, nearby heap allocations) only when that function is executed. Dealing with Large Dumps and Performance Dumping entire memory spaces can generate very large files and be slow. Refine your `Process.enumerateRanges` filters to exclude irrelevant regions (e.g., read-only code sections, very large anonymous regions that are likely just large internal buffers). You can also introduce logic to sample dumps or dump only regions matching specific criteria (e.g., containing certain string patterns after a quick read). Obfuscation and Encryption Remember that data found in memory might still be obfuscated or encrypted. In such cases, memory dumping serves as a first step. You may then need to identify decryption routines and their keys by hooking relevant cryptographic APIs (e.g., `Cipher.init`, `KeyFactory.generateSecret`) and extracting the keys at runtime. Ethical Considerations Memory dumping is a powerful technique. Always ensure you have explicit authorization before performing such actions on any system or application. Unauthorized access and data extraction can have severe legal consequences. This guide is for educational and authorized security testing purposes only. Conclusion Frida provides an unparalleled level of control and insight into Android application runtime. By mastering memory enumeration and dumping techniques, you equip yourself with a crucial capability for identifying and extracting sensitive data that might otherwise remain hidden. This step-by-step guide offers a robust foundation, and by combining these techniques with targeted function hooking, you can unlock even deeper levels of application security analysis. Happy hunting! May 30, 2026
Frida RPC for Android: Dumping Private Keys & Sensitive Information from App Memory Introduction: Unveiling Secrets with Frida RPC Android application penetration testing often involves scrutinizing how sensitive data, such as private keys, API keys, and user credentials, are handled in memory. While static analysis provides insights into potential vulnerabilities, dynamic analysis with tools like Frida is crucial for observing runtime behavior and extracting ephemeral data. Frida’s powerful Interceptor and Java API allow for deep introspection, but for more complex, orchestrated data exfiltration and two-way communication, its Remote Procedure Call (RPC) feature is indispensable. This guide delves into using Frida RPC to interact with an Android application’s runtime and dump sensitive information directly from memory. Setting Up Your Android Pentesting Environment Before diving into Frida RPC, ensure your environment is correctly configured. You’ll need a rooted Android device or emulator, along with `adb` and Python installed on your host machine. Prerequisites: Rooted Android Device/Emulator: Essential for running Frida Server. ADB (Android Debug Bridge): For connecting to the device and pushing files. Python 3: For writing the host-side RPC client script. Pip: Python package installer. Frida Installation: Install Frida Tools on Host: pip install frida-tools Download Frida Server for Android:Visit Frida Releases and download the appropriate `frida-server` binary for your device’s architecture (e.g., `frida-server-*-android-arm64`). Push and Run Frida Server on Device: adb push frida-server-*-android-arm64 /data/local/tmp/frida-serveradb shell "chmod 755 /data/local/tmp/frida-server"adb shell "/data/local/tmp/frida-server &" Confirm it’s running by executing `frida-ps -U` on your host. You should see a list of processes from your Android device. Understanding Frida RPC for Dynamic Interaction Frida’s standard JavaScript API allows you to hook methods, inspect arguments, and modify return values. However, imagine a scenario where you want to trigger a specific function within the app’s context, wait for a complex computation, and then retrieve the result – possibly multiple times – without restarting the script. This is where Frida RPC shines. RPC enables you to define functions in your Frida JavaScript agent that can be called directly from your Python host script. It facilitates a robust, bi-directional communication channel, making it ideal for interacting with an application’s internal logic and exfiltrating data in a controlled manner. Key Concepts: `rpc.exports`: An object in your Frida script where you expose functions to the host. Asynchronous Operations: RPC functions can return Promises, allowing for asynchronous operations within the target process without blocking the host script. Data Marshalling: Frida handles the serialization and deserialization of data between the JavaScript agent and the Python client. Case Study: Dumping a Hypothetical Private Key from Memory Let’s consider a common scenario: an Android application performs some cryptographic operation, perhaps generating or decrypting a private key, and briefly holds it in memory as a `String` or `byte[]` before using it or persisting it securely. Our goal is to intercept and exfiltrate this key. Identifying the Target For a real-world assessment, you’d typically start with decompilation (e.g., using Jadx or Ghidra) to understand the app’s code flow and pinpoint where sensitive operations occur. Look for classes related to `KeyStore`, `Cipher`, `MessageDigest`, `SecretKeySpec`, or custom encryption utilities. For this example, let’s assume we’ve identified a class `com.example.myapp.CryptoManager` with a method `getPrivateKeyString()` that returns a `String` containing the private key. Frida RPC Agent Script (`agent.js`) We’ll write a JavaScript agent that hooks `getPrivateKeyString()` and exposes an RPC function to retrieve its value. Java.perform(function () { var CryptoManager = Java.use('com.example.myapp.CryptoManager'); var privateKeyHolder = null; // Hook the method that returns the private key CryptoManager.getPrivateKeyString.implementation = function () { var privateKey = this.getPrivateKeyString(); // Call original method console.log('[+] Intercepted Private Key:', privateKey); privateKeyHolder = privateKey; // Store the key return privateKey; }; // Expose an RPC function to retrieve the stored private key rpc.exports = { dumpPrivateKey: function () { if (privateKeyHolder) { console.log('[RPC] Returning stored private key.'); return privateKeyHolder; } else { console.log('[RPC] Private key not yet captured. Trigger app logic.'); return null; } }, // Example of an RPC function that takes arguments triggerKeyGeneration: function (arg1, arg2) { console.log('[RPC] Triggering key generation with args:', arg1, arg2); // You could call an internal method here, e.g., // CryptoManager.generateNewKey(arg1, arg2); return 'Operation triggered'; } };}); Python Host Client Script (`client.py`) Now, let’s write the Python script to attach to the target app, load our agent, and call the `dumpPrivateKey` RPC function. import fridaimport sysimport time# Package name of the target Android applicationTARGET_PACKAGE = "com.example.myapp"def on_message(message, data): # Callback for messages from the Frida agent (e.g., console.log) if message['type'] == 'send': print(f"[*] Received from agent: {message['payload']}") elif message['type'] == 'error': print(f"[!] Error from agent: {message['description']}")def main(): print(f"[*] Attaching to {TARGET_PACKAGE}...") try: # Attach to the application # If the app is not running, you can use frida.spawn() and then session.resume() session = frida.get_usb_device().attach(TARGET_PACKAGE) except frida.core.RPCException as e: print(f"[!] Failed to attach: {e}") print(f"[!] Make sure '{TARGET_PACKAGE}' is running on the device.") sys.exit(1) print(f"[*] Attached to {TARGET_PACKAGE}. Loading agent.js...") # Load the Frida JavaScript agent with open("agent.js", "r") as f: script_code = f.read() script = session.create_script(script_code) script.on('message', on_message) script.load() print("[+] Agent loaded successfully.") # Now, interact with the exposed RPC functions # We might need to wait for the app to perform the action that generates the key. print("[+] Waiting for the app to generate/decrypt the private key...") # In a real scenario, you'd interact with the app manually or programmatically # to trigger the function that makes the private key available. time.sleep(5) # Give some time for the app to run private_key = None attempts = 0 MAX_ATTEMPTS = 10 while not private_key and attempts < MAX_ATTEMPTS: print(f"[*] Attempt {attempts + 1}: Calling dumpPrivateKey RPC...") try: private_key = script.exports.dump_private_key() if private_key: print(f"[SUCCESS] Captured Private Key: {private_key}") else: print("[INFO] Private key not yet available. Retrying...") except Exception as e: print(f"[!] Error calling RPC function: {e}") attempts += 1 time.sleep(2) # Wait a bit before retrying if not private_key: print("[!] Failed to capture private key after multiple attempts.") # Example of calling another RPC function # result = script.exports.trigger_key_generation('param1', 'param2') # print(f"[+] Trigger result: {result}") session.detach() print("[+] Detached from application.")if __name__ == '__main__': main() Execution Steps: Save the JavaScript code as `agent.js` and the Python code as `client.py` in the same directory on your host machine. Ensure `com.example.myapp` is running on your Android device/emulator. Run the Python client: python3 client.py Interact with the `com.example.myapp` on your device to trigger the `getPrivateKeyString()` method. The Frida agent will intercept it, store the key, and the Python client will retrieve it via RPC. Advanced Considerations and Techniques Memory Scanning If you can’t pinpoint an exact method to hook, or if the sensitive data is allocated dynamically, Frida’s `Memory.scan` and `Memory.scanSync` can be used to search for specific byte patterns or strings within the application’s memory regions. You could expose an RPC function that performs a memory scan and returns any matches. Bypassing Obfuscation and Root Detection Real-world applications often employ obfuscation techniques (like ProGuard or DexGuard) and root detection. Frida can also be used to bypass these: Deobfuscation: During your initial static analysis, you might rename obfuscated classes/methods in Jadx. Root Bypass: Hook `android.util.Log` or other common root detection indicators to return false or null. Handling Different Data Types Frida RPC is not limited to strings. You can return `byte[]` arrays (which will be marshalled as Python `bytes` objects), numbers, booleans, and even JSON-serializable objects (dictionaries, lists). Conclusion Frida RPC provides an incredibly powerful mechanism for deeply interacting with Android applications at runtime. By orchestrating communication between a JavaScript agent and a Python client, penetration testers can move beyond simple method hooking to trigger complex application logic, exfiltrate sensitive data like private keys and API credentials, and gain a profound understanding of an app’s security posture. Mastering Frida RPC is an essential skill for anyone involved in advanced Android application security assessments, offering the precision and flexibility needed to uncover hidden vulnerabilities and secure critical information. May 30, 2026


	
	
		
	
	
	
	
		
			←Previous Page
			1
…
173
174
175
176
177
…
705
			Next Page→

Author: admin

Introduction: Unveiling Hidden Secrets in Android App Memory

Why Memory Dumping is Essential for Pentesters

Setting Up Your Frida Environment

Prerequisites:

Installation Steps:

Understanding Android Process Memory Layout

Frida for Memory Enumeration and Dumping

1. Enumerating Memory Ranges

2. Dumping Specific Memory Ranges

3. Searching Memory for Patterns

Analyzing Dumped Memory

Practical Scenario: Dumping an API Key

Conclusion

Introduction to Frida RPC for Android App Penetration Testing

Prerequisites and Setup

Understanding Frida RPC: The Basics

Building the Frida RPC Agent (JavaScript)

Building the Python RPC Client

Executing the RPC Toolkit

Advanced Data Exfiltration with RPC

Conclusion

Introduction to Memory Dumping in Android Applications

Setting Up Your Environment (Prerequisites)

Dumping Java Objects with Frida

Understanding Java Object Representation in ART

Locating and Interacting with Java Objects

Dumping Native Structures and Memory

Native Memory Layout in Android Applications

Identifying Target Native Structures

Reading Native Memory with Frida

Practical Scenarios and Advanced Tips

Conclusion

Introduction: Unveiling Hidden Runtime Secrets

Prerequisites for Memory Forensics

Identifying Target Memory Regions with Frida

Dynamic Analysis: Exploring Live Objects

Static Analysis: Understanding Memory Layouts

Performing Automated Memory Dumps

Post-Processing: Reconstructing Data from Raw Dumps

Example: Reconstructing a Simple Java Object

Reconstructing Complex Structures

Introduction: Beyond Generic Memory Dumps

The Power of Precision: Why Targeted Dumping Matters

Prerequisites

Method 1: Scanning for Known Patterns in Memory (e.g., Strings)

Scenario: Locating a Hardcoded API Key

Method 2: Extracting Data from Live Java Object Instances

Scenario: Dumping a `byte[]` field from a Custom Secret Holder Class

Method 3: Intercepting Native Memory Operations

Scenario: Dumping Data Passed to a Native Crypto Function

Analyzing Dumped Data

Conclusion

Introduction to Frida RPC for Android Penetration Testing

Prerequisites and Setup

Identifying the Target Application and Process

Building the Frida RPC Agent

Developing the Python RPC Client

Real-World Scenarios and Advanced Techniques

Introduction to Android Memory Dumping with Frida

Prerequisites for Your Exfiltration Lab

Understanding Android Process Memory Regions

Setting Up Frida-Server on Android

1. Download Frida-server

2. Push to Device and Execute

Identifying the Target Process

Crafting the Frida Memory Dumping Script

1. Python Host Script (frida_dump.py)

2. Frida JavaScript Payload (Embedded)

Introduction: The Elusive Credentials

Why Memory Dumping?

Setting Up Your Android Penetration Testing Environment

Prerequisites

Installing Frida on Android

Understanding In-Memory Credential Exposure

Common Scenarios

Frida for Memory Analysis: The Core Concepts

Attaching to a Process and Enumerating Memory

Hooking Constructors and Methods for Credential Interception

Step-by-Step Guide: Dumping Credentials with Frida Hooks

1. Python Host Script (`frida_dump.py`)