Author: admin

Android RE Lab: Mapping Runtime Classes and Methods with Frida & Objection
Introduction: Unlocking Android App Internals

Android reverse engineering (RE) is a crucial skill for security researchers, penetration testers, and malware analysts. While static analysis (disassembling APKs) provides a foundational understanding, it often falls short in revealing the dynamic behavior of an application. Modern Android apps employ various obfuscation techniques and dynamically load classes, making static analysis alone insufficient. This is where dynamic analysis tools like Frida and Objection become indispensable. They allow us to interact with a running application’s memory, hooking functions, modifying behavior, and, critically, enumerating its runtime classes and methods.

This advanced tutorial will guide you through using Frida and Objection to dynamically map the classes and methods loaded into an Android application’s memory space. This technique is invaluable for discovering hidden functionalities, identifying interesting API calls, and pinpointing potential hooking targets during a penetration test.

The Power of Runtime Enumeration

Why is runtime enumeration so powerful? Consider these scenarios:
- Dynamic Loading: Many applications load classes and methods only when needed, or even download them from remote servers, making them invisible to static analysis.
- Obfuscation: Tools like ProGuard and DexGuard rename classes and methods to unreadable names. Dynamic enumeration allows us to see these entities with their runtime (potentially de-obfuscated) names.
- Understanding Behavior: By listing methods, we can infer functionalities, especially when looking for specific patterns (e.g., cryptographic operations, network communication, authentication checks).
Setting Up Your Android RE Lab

Before we dive in, ensure you have the following:
- Rooted Android Device or Emulator: Necessary for running the Frida server.
- Frida Server: Download the appropriate `frida-server` binary for your device’s architecture (e.g., `frida-server-*-android-arm64`) from the Frida releases page.
- Frida-tools and Objection: Installed on your host machine via pip.
```
pip install frida-tools objection
```
Push `frida-server` to your device, set execute permissions, and run it:
```
# Push to device (replace with your device's architecture and IP)adb push frida-server-*-android-arm64 /data/local/tmp/# Grant execute permissionsadb shell "chmod 755 /data/local/tmp/frida-server-*-android-arm64"# Run frida-server in the backgroundadb shell "/data/local/tmp/frida-server-*-android-arm64 &"
```
Method 1: Deep Dive with Frida Scripts

Frida provides a JavaScript API to interact with the target process. We’ll start by crafting a Frida script to enumerate classes and methods.

1. Enumerating All Loaded Classes

We use `Java.enumerateClasses()` within a `Java.perform()` block to ensure our script runs in the context of the Android application’s Java VM. This will list all classes currently loaded by the Java Virtual Machine.
```
// list_all_classes.jsJava.perform(function() {    console.log("[*] Listing all loaded classes...");    Java.enumerateClasses({        onMatch: function(className) {            console.log("[+] Found class: " + className);        },        onComplete: function() {            console.log("[*] Class enumeration complete.");        }    });});
```
To run this script against a target application (e.g., `com.example.targetapp`):
```
frida -U -l list_all_classes.js -f com.example.targetapp --no-pause
```
The `-U` flag targets a USB-connected device, `-l` loads our script, `-f` spawns the application, and `–no-pause` allows it to run immediately. You’ll see a flood of class names in your console.

2. Filtering Classes by Package Name

Listing all classes can be overwhelming. We often want to focus on application-specific classes. We can filter them by checking if the class name starts with the application’s package name.
```
// filter_classes.jsJava.perform(function() {    var packageName = "com.example.targetapp"; // Replace with your target app's package    console.log("[*] Listing classes for package: " + packageName);    Java.enumerateClasses({        onMatch: function(className) {            if (className.startsWith(packageName)) {                console.log("[+] Found app class: " + className);            }        },        onComplete: function() {            console.log("[*] App class enumeration complete.");        }    });});
```
```
frida -U -l filter_classes.js -f com.example.targetapp --no-pause
```
3. Enumerating Methods for a Specific Class

Once you’ve identified an interesting class, you can list its methods using `Java.use()` and the `$ownMethods` property.
```
// list_methods.jsJava.perform(function() {    var targetClassName = "com.example.targetapp.MySecretManager"; // Replace with an interesting class name    try {        var targetClass = Java.use(targetClassName);        console.log("[*] Listing methods for class: " + targetClassName);        var methods = targetClass.$ownMethods;        methods.forEach(function(methodName) {            console.log("[+] Method: " + methodName);        });        console.log("[*] Method enumeration complete.");    } catch (e) {        console.error("[-] Error enumerating class or methods: " + e.message);    }});
```
```
frida -U -l list_methods.js -f com.example.targetapp --no-pause
```
This script will give you a clear view of all the methods defined within `MySecretManager`, including constructors, private, and public methods.

Method 2: Streamlining with Objection

While Frida scripts offer ultimate flexibility, Objection acts as a powerful runtime mobile exploration toolkit built on top of Frida. It provides a user-friendly command-line interface to perform common RE tasks, including class and method enumeration, without writing custom JavaScript.

1. Connecting to the Application

Launch Objection and attach to your target application. If the app is not running, Objection can spawn it:
```
objection -g com.example.targetapp explore
```
This command will spawn `com.example.targetapp` (if not running) and attach Objection to it, dropping you into an interactive shell.

2. Listing All Classes

To get a list of all classes loaded in the application’s memory:
```
android hooking list classes
```
Similar to the Frida script, this will output a very long list. You can pipe the output to a file or scroll through it.

3. Searching for Specific Classes

Objection’s `android hooking search classes` command is incredibly useful for finding classes matching a specific keyword or pattern:
```
android hooking search classes secretandroid hooking search classes encryption
```
This will return all class names containing
May 30, 2026
Practical Guide to Frida: Dynamic Class & Method Enumeration for Android Pen Testing
Introduction

Android application penetration testing often involves reverse engineering and understanding the application’s runtime behavior. While static analysis (decompilation) provides a wealth of information, many crucial details, such as dynamically loaded classes, obfuscated method names resolved at runtime, or methods called based on user interaction, are only visible during execution. This is where Frida, a dynamic instrumentation toolkit, becomes indispensable. This guide will focus on leveraging Frida for dynamic enumeration of Android classes and methods at runtime, a fundamental technique for uncovering an application’s hidden logic and identifying potential hooking targets.

Why Dynamic Enumeration?

Static analysis tools like Jadx or Ghidra provide a comprehensive view of an APK’s bytecode. However, modern Android applications frequently employ techniques such as:
- Dynamic class loading
- Reflection
- Code obfuscation (ProGuard, DexGuard)
- Anti-tampering and anti-debugging checks that modify runtime behavior
These techniques make it challenging to fully comprehend an application’s execution flow purely from static analysis. Dynamic enumeration with Frida allows testers to:
- Discover all classes currently loaded into the Dalvik/ART runtime.
- Identify all methods (including constructors) within a specific class, regardless of obfuscation.
- Pinpoint classes or methods that are only initialized or called under specific conditions.
- Formulate precise hooking strategies for runtime manipulation.
Prerequisites

Before diving in, ensure you have the following:
- An Android device or emulator (rooted is preferred for easier setup, but not strictly necessary for basic Frida usage if you can inject into a debuggable app).
- ADB (Android Debug Bridge) installed and configured on your host machine.
- Frida-tools installed on your host machine.
- Frida-server running on your Android device.
Setting Up Frida

Install Frida Tools (Host)

On your host machine (Linux, macOS, or Windows), install Frida-tools via pip:
```
pip install frida-tools
```
Install Frida Server (Device)
1. Download the correct Frida-server binary for your Android device’s architecture (e.g., frida-server-*-android-arm64) from the Frida releases page.
2. Push the binary to your device:
3. Make it executable and run it:
You should see a message confirming Frida-server is listening.

Core Concepts: Java.use() and Java.enumerateLoadedClasses()

Frida’s JavaScript API provides powerful tools for interacting with the Android runtime. Two fundamental functions for enumeration are:
- Java.enumerateLoadedClasses(callbacks): This function iterates over all classes currently loaded in the Java VM, executing a callback for each. It’s excellent for broad discovery.
- Java.use(className): This function provides a JavaScript wrapper around a specific Java class, allowing you to interact with its static and instance methods, fields, and even create new instances. It’s crucial for targeted enumeration and hooking.
Enumerating Loaded Classes

Let’s start by listing all classes loaded by an Android application. This can give you an immediate overview of the app’s components, libraries, and custom code.

Frida Script: Listing All Loaded Classes

Create a file named enumerate_classes.js with the following content:
```
Java.perform(function () {    console.log("[*] Enumerating loaded classes...");    Java.enumerateLoadedClasses({        onMatch: function (className) {            if (className.startsWith("com.example.your_app_package")) { // Optional: Filter by package                console.log("[+] Found class: " + className);            } else {                // console.log("[.] Found other class: " + className); // Uncomment to see all classes            }        },        onComplete: function () {            console.log("[*] Class enumeration complete.");        }    });});
```
Replace com.example.your_app_package with the actual package name of the target application you’re testing. You can find this using adb shell pm list packages or by inspecting the APK.

Running the Script

Attach Frida to your target application. We’ll use the -f flag to spawn the application (if not already running) and --no-pause to let it run immediately:
```
frida -U -f com.example.your_app_package -l enumerate_classes.js --no-pause
```
You will see a stream of class names printed to your console. This list can be extensive, often including Android system classes, third-party libraries, and the application’s own classes.

Filtering Classes

As shown in the example script, using className.startsWith() is an effective way to focus on the application’s specific code, filtering out common Android framework and standard library classes that might not be relevant to your immediate goal.

Enumerating Methods of a Specific Class

Once you’ve identified an interesting class, the next step is to enumerate its methods and constructors to understand its functionality and potential attack surface.

Frida Script: Enumerating Class Members

Create a file named enumerate_methods.js:
```
Java.perform(function () {    var targetClassName = "com.example.your_app_package.TargetClass"; // Replace with your target class name    try {        var targetClass = Java.use(targetClassName);        console.log("[*] Enumerating methods for class: " + targetClassName);        // Enumerate constructors        var constructors = targetClass.$init.overloads;        if (constructors.length > 0) {            console.log("  [+] Constructors:");            constructors.forEach(function (constructor) {                console.log("    - " + targetClassName + constructor.argumentTypes.map(function(t){return t.className;}).join(', ') + ")");            });        } else {            console.log("  [-] No constructors found.");        }        // Enumerate methods        var methods = targetClass.class.getMethods();        console.log("  [+] Methods:");        methods.forEach(function (method) {            console.log("    - " + method.getName() + "(" + method.getParameterTypes().map(function(t){return t.getName();}).join(', ') + ")");        });        console.log("[*] Method enumeration complete for " + targetClassName + ".");    } catch (e) {        console.error("[*] Error enumerating class or methods: " + e.message);    }});
```
This script first obtains a reference to TargetClass using Java.use(). Then, it enumerates constructors via targetClass.$init.overloads and methods using targetClass.class.getMethods(). The getParameterTypes() and argumentTypes are used to display the full method signature, which is crucial for handling overloaded methods.

Run it similarly:
```
frida -U -f com.example.your_app_package -l enumerate_methods.js --no-pause
```
Understanding Method Signatures

When enumerating methods, pay close attention to their signatures. Java allows method overloading, meaning multiple methods can share the same name but have different parameter lists. Frida’s API exposes these overloads. For instance, you might see:
```
- myMethod(java.lang.String)- myMethod(int, java.lang.String)
```
These are two distinct methods. Knowing the exact signature is vital when you later want to hook a specific overload of a method.

Advanced Use Cases and Tips

Identifying Hooking Targets

The primary goal of enumeration is often to identify interesting classes and methods for hooking. Look for:
- Methods related to authentication, encryption, network communication, or data storage.
- Constructors ($init) to observe object creation.
- Methods that accept or return sensitive data types.
- Methods that might implement anti-tampering or root detection logic.
Exploring Libraries

Many Android apps rely on third-party libraries. By enumerating classes and methods within these libraries (e.g., specific SDKs like Firebase, payment gateways, analytics tools), you can uncover how the app integrates with them and potentially find vulnerabilities in the interaction.

Automating with Python

While the JavaScript snippets are great for quick exploration, for more complex scenarios, consider embedding Frida scripts within a Python script. This allows for programmatic interaction, data parsing, and more sophisticated analysis workflows. You can dynamically generate and inject scripts, or process the output from enumeration more efficiently.
```
# Example Python snippet to list processesimport fridafor device in frida.get_usb_device().enumerate_applications():    print(device)
```
Conclusion

Dynamic class and method enumeration with Frida is a cornerstone technique in modern Android application penetration testing. It provides unparalleled visibility into the runtime behavior of applications, allowing testers to overcome the challenges posed by obfuscation and dynamic code loading. By mastering Java.enumerateLoadedClasses() and Java.use(), you gain the power to uncover hidden functionalities, understand complex execution flows, and precisely identify targets for further instrumentation and manipulation. Integrate these techniques into your workflow, and you’ll significantly enhance your ability to discover vulnerabilities in Android applications.
May 30, 2026
The Ultimate Guide to Android Native Function Hooking with Frida (JNI_OnLoad & Beyond)
Introduction to Android Native Hooking and Frida

Android applications often leverage native code (written in C/C++ and compiled into shared libraries like .so files) for performance-critical operations, obfuscation, or platform-specific interactions via the Java Native Interface (JNI). For penetration testers and security researchers, understanding and manipulating this native layer is paramount. Frida, a dynamic instrumentation toolkit, stands out as an invaluable tool for this purpose, allowing us to inspect, modify, and even inject code into running processes.

While hooking Java methods is relatively straightforward with Frida, interacting with native functions, especially early in the application’s lifecycle like during JNI_OnLoad, presents unique challenges and opportunities. This guide will walk you through the intricacies of hooking native functions, from the crucial JNI_OnLoad to arbitrary exported and unexported functions, using practical Frida scripts and real-world examples.

Understanding JNI_OnLoad: The Native Entry Point

What is JNI_OnLoad?

JNI_OnLoad is a special native function that acts as the entry point for a native library. When a Java application calls System.loadLibrary(), the Android system loads the specified .so file. If the library exports a function named JNI_OnLoad, the Java Virtual Machine (JVM) automatically invokes it immediately after the library is loaded and before any other JNI-related calls (like registering native methods dynamically or resolving static native methods). This makes JNI_OnLoad an ideal place for:
- Initializing native components.
- Setting up global variables or environments.
- Performing anti-tampering checks.
- Dynamically registering native methods with the JVM.
Why Hook JNI_OnLoad?

Hooking JNI_OnLoad is critical for several reasons:
1. Early Interaction: It allows you to intercept logic that happens very early in the native library’s lifecycle, often before other security checks or key initializations.
2. Dynamic Method Registration: If an application uses RegisterNatives within JNI_OnLoad to register its native methods, hooking JNI_OnLoad enables you to observe or even alter these registrations.
3. Bypassing Protections: Many anti-tampering or anti-debugging mechanisms are initialized or checked within JNI_OnLoad. Intercepting it can help bypass or understand these protections.
Setting Up Your Frida Environment

Before we dive into hooking, ensure your Frida environment is set up:
- Frida-tools: Install on your host machine: pip install frida-tools
- Frida-server: Download the appropriate frida-server binary for your Android device’s architecture (e.g., arm64, x86) from Frida Releases.
- Push and Run Frida-server:
```
adb push /path/to/frida-server /data/local/tmp/frida-server adb shell "chmod 755 /data/local/tmp/frida-server" adb shell "/data/local/tmp/frida-server &"
```
- ADB Access: Ensure ADB is configured and your device is accessible.
Scenario 1: Hooking JNI_OnLoad

Let’s consider a simple native library (libnativehooktest.so) that contains a JNI_OnLoad function. Here’s an example C++ snippet:
```
#include  #include  #define LOG_TAG "NativeHookTest" #define LOGD(...) __android_log_print(ANDROID_LOG_DEBUG, LOG_TAG, __VA_ARGS__) extern "C" JNIEXPORT jint JNICALL JNI_OnLoad(JavaVM* vm, void* reserved) { LOGD("JNI_OnLoad called!"); // Further initializations or method registrations return JNI_VERSION_1_6; }
```
Identifying JNI_OnLoad

You can verify if a library exports JNI_OnLoad using nm -D:
```
adb pull /data/app/~~.../com.example.app-XYZ/lib/arm64/libnativehooktest.so ./ arm-linux-androideabi-nm -D libnativehooktest.so | grep JNI_OnLoad # Example output: # 0000000000001234 T JNI_OnLoad
```
The `T` indicates it’s a defined text (code) symbol.

Frida Script to Hook JNI_OnLoad

Frida allows you to attach to functions by their exported name. We’ll use Module.findExportByName.
```
/** * jni_onload_hook.js */ console.log("Frida script loaded!"); var moduleName = "libnativehooktest.so"; var jniOnLoadPtr = Module.findExportByName(moduleName, "JNI_OnLoad"); if (jniOnLoadPtr) { console.log("Found JNI_OnLoad at: " + jniOnLoadPtr); Interceptor.attach(jniOnLoadPtr, { onEnter: function (args) { console.log("[*] JNI_OnLoad called in " + moduleName); console.log("    JavaVM*: " + args[0]); console.log("    reserved: " + args[1]); // You can inspect or modify args here }, onLeave: function (retval) { console.log("[*] JNI_OnLoad returned: " + retval); // You can inspect or modify retval here } }); } else { console.log("JNI_OnLoad not found in " + moduleName + "."); } console.log("Hooking JNI_OnLoad completed.");
```
Running the Script
```
frida -U -l jni_onload_hook.js --no-pause -f com.example.app
```
This command launches your target app (com.example.app), injects the Frida script, and then immediately pauses to allow Frida to attach before the app fully initializes. The --no-pause option is often useful here, but for early hooks, -f (spawn mode) with the script loaded will attach Frida before the app’s process starts. If you see the output from JNI_OnLoad in your Frida console, you’ve successfully hooked it!

Scenario 2: Hooking Other Native Functions

Beyond JNI_OnLoad, you’ll often need to hook other specific native functions.

Identifying Native Functions
1. Exported Functions: These are the easiest. Use nm -D again to list all exported symbols. For example:
```
extern "C" JNIEXPORT jstring JNICALL Java_com_example_app_NativeLib_getSecretKey(JNIEnv* env, jobject /* this */) { std::string secret = "SUPER_SECRET_KEY_12345"; return env->NewStringUTF(secret.c_str()); }
```
  `nm -D libnativehooktest.so | grep getSecretKey` would likely show `Java_com_example_app_NativeLib_getSecretKey`.
2. Unexported (Internal) Functions: These functions are not listed by nm -D. You’ll need reverse engineering tools like IDA Pro or Ghidra to analyze the disassembly, identify the function’s starting address relative to the module’s base address (its offset), and determine its signature (arguments and return type).
Frida Script for Exported Functions

Hooking exported functions is similar to JNI_OnLoad.
```
/** * exported_func_hook.js */ console.log("Frida script loaded!"); var moduleName = "libnativehooktest.so"; var targetFunctionPtr = Module.findExportByName(moduleName, "Java_com_example_app_NativeLib_getSecretKey"); if (targetFunctionPtr) { console.log("Found getSecretKey at: " + targetFunctionPtr); Interceptor.attach(targetFunctionPtr, { onEnter: function (args) { console.log("[*] Java_com_example_app_NativeLib_getSecretKey called!"); console.log("    JNIEnv*: " + args[0]); console.log("    jobject (this): " + args[1]); }, onLeave: function (retval) { var secretKey = new NativePointer(retval); console.log("[*] getSecretKey returned: " + secretKey.readCString()); // Read the returned jstring (UTF-8) this.retval = Memory.allocUtf8String("HOOKED_SECRET_KEY_BY_FRIDA"); // Modify the return value } }); } else { console.log("getSecretKey not found in " + moduleName + "."); } console.log("Hooking getSecretKey completed.");
```
Here, we demonstrate how to read the returned `jstring` and even modify it to return a different value.

Frida Script for Unexported Functions (Offset-Based Hooking)

Suppose you’ve found an internal function, say nativeMultiply, at an offset of `0x1A40` from the base of `libnativehooktest.so` using IDA Pro:
```
extern "C" JNIEXPORT jint JNICALL nativeMultiply(JNIEnv* env, jobject /* this */, jint a, jint b) { LOGD("nativeMultiply called with %d and %d!", a, b); return a * b; }
```
```
/** * offset_func_hook.js */ console.log("Frida script loaded!"); var moduleName = "libnativehooktest.so"; var moduleBase = Module.findBaseAddress(moduleName); if (moduleBase) { console.log("Base address of " + moduleName + ": " + moduleBase); var targetOffset = new NativePointer("0x1A40"); // This offset is found via reverse engineering tools var targetFunctionPtr = moduleBase.add(targetOffset); console.log("Calculated nativeMultiply address: " + targetFunctionPtr); Interceptor.attach(targetFunctionPtr, { onEnter: function (args) { console.log("[*] nativeMultiply called!"); console.log("    JNIEnv*: " + args[0]); console.log("    jobject (this): " + args[1]); console.log("    arg a (jint): " + args[2].toInt32()); console.log("    arg b (jint): " + args[3].toInt32()); args[2] = ptr(100); // Modify 'a' to 100 }, onLeave: function (retval) { console.log("[*] nativeMultiply original return value: " + retval.toInt32()); retval.replace(ptr(200)); // Force return 200 } }); } else { console.log("Module " + moduleName + " not found."); } console.log("Hooking nativeMultiply completed.");
```
In this example, we:
- Find the base address of the module using Module.findBaseAddress().
- Calculate the target function’s absolute address by adding the known offset.
- Hook the function, inspect arguments, and even modify both input arguments and the return value.
Advanced Considerations and Techniques

Handling JNIEnv* and JavaVM*

The JNIEnv* pointer provides access to a table of functions that allow native code to interact with the JVM (e.g., creating new strings, calling Java methods, throwing exceptions). When you get JNIEnv* as an argument, you can cast it to a C function pointer and use it in Frida, though this is often more complex than direct parameter manipulation. Similarly, JavaVM* allows obtaining a JNIEnv* for the current thread.

Argument Type Casting and Reading

Frida’s `args` array provides raw `NativePointer` objects. You need to know the expected C/JNI type to cast and read them correctly:
- .toInt32(), .toInt64(), .readCString(), .readUtf16String(), .readByteArray()
- For `jobject` references, these are pointers to Java objects. You can pass them back to Java code or use methods like `Java.cast()` if the object is already a `Wrapper` in Frida’s JavaScript environment.
Bypassing Anti-Frida/Anti-Tampering

Many applications implement checks within JNI_OnLoad or other native functions to detect debuggers, root, or Frida itself. Hooking these functions provides an opportunity to patch out or modify the logic of these checks, effectively bypassing them. This often involves inspecting the return value or specific arguments that control the flow of such checks.

Conclusion

Native function hooking with Frida is an incredibly powerful technique for reverse engineering and penetration testing Android applications. By mastering the ability to intercept functions like JNI_OnLoad and other native methods—whether exported or hidden behind offsets—you gain unparalleled visibility and control over an application’s deepest layers. This guide provides a solid foundation for your journey into advanced Android security analysis, equipping you with the knowledge to dissect complex native implementations and uncover hidden vulnerabilities.
May 30, 2026
Frida Deep Dive: Uncovering All Android App Classes & Methods at Runtime
Introduction: The Power of Runtime Analysis with Frida

Android application penetration testing often begins with static analysis, dissecting APK files to understand their structure and identify potential vulnerabilities. However, static analysis has its limitations; critical logic, dynamically loaded components, and obfuscated code can remain hidden until runtime. This is where Frida, a dynamic instrumentation toolkit, becomes indispensable. Frida allows security researchers and reverse engineers to inject custom scripts into running processes, enabling unprecedented insight and control over an application’s behavior. In this deep dive, we’ll explore how to leverage Frida to enumerate all loaded classes and their methods within an Android application at runtime, a crucial step for comprehensive security assessments.

Understanding the full landscape of an application’s classes and methods dynamically helps in discovering hidden APIs, understanding undocumented functionalities, and identifying attack surfaces that might be missed by static inspection alone.

Setting Up Your Frida Environment

Before we dive into the scripts, ensure you have a working Frida environment. This typically involves:
- A rooted Android device or an emulator.
- The appropriate frida-server running on the Android device.
- frida-tools installed on your host machine (pip install frida-tools).
To start frida-server on your device, push it to /data/local/tmp/, make it executable, and run it:
```
adb push frida-server /data/local/tmp/frida-serveradb shell "chmod +x /data/local/tmp/frida-server"adb shell "/data/local/tmp/frida-server &"
```
Unveiling All Loaded Classes at Runtime

Frida’s JavaScript API exposes the Java object, which provides powerful introspection capabilities for Android (Dalvik/ART) processes. One of the most fundamental functions for discovery is Java.enumerateLoadedClasses(). This function iterates through all classes currently loaded into the Dalvik/ART runtime and allows you to perform actions on each class name.

Frida Script to Enumerate All Classes

Let’s create a Frida script named enumerate_classes.js:
```
/* enumerate_classes.js */Java.perform(function () {    console.log("[*] Enumerating all loaded classes...");    var loadedClasses = Java.enumerateLoadedClassesSync();    console.log("[+] Found " + loadedClasses.length + " classes.");    loadedClasses.forEach(function (className) {        console.log("  - " + className);    });    console.log("[*] Class enumeration complete.");});
```
To inject this script into a running application (replace com.example.app with your target package name), use the following command:
```
frida -U -l enumerate_classes.js com.example.app
```
The output will be a lengthy list of all loaded classes, including system classes, third-party libraries, and the application’s own classes. This can be overwhelming, so filtering is often necessary.

Filtering Classes by Package Name

To focus on application-specific classes, you can modify the script to filter by package name:
```
/* filter_classes.js */Java.perform(function () {    var targetPackagePrefix = "com.example.app"; // Adjust this to your target application's package    console.log("[*] Enumerating classes for package: " + targetPackagePrefix + "...");    var appClasses = [];    Java.enumerateLoadedClassesSync().forEach(function (className) {        if (className.startsWith(targetPackagePrefix)) {            appClasses.push(className);        }    });    if (appClasses.length > 0) {        console.log("[+] Found " + appClasses.length + " application-specific classes:");        appClasses.forEach(function (className) {            console.log("  - " + className);        });    } else {        console.log("[-] No application-specific classes found for " + targetPackagePrefix + ".");    }    console.log("[*] Filtered class enumeration complete.");});
```
Inject it: frida -U -l filter_classes.js com.example.app

Diving Deeper: Enumerating Methods within a Class

Once you’ve identified interesting classes, the next logical step is to explore their methods. Frida allows you to instantiate or obtain a reference to a Java class and then inspect its methods.

Frida Script to Enumerate Methods of a Specific Class

Let’s say we found a class like com.example.app.AuthManager. We can now enumerate its methods:
```
/* enumerate_methods.js */Java.perform(function () {    var targetClassName = "com.example.app.AuthManager"; // Replace with an interesting class name    try {        var targetClass = Java.use(targetClassName);        console.log("[*] Enumerating methods for class: " + targetClassName + "...");        // Iterate over own methods (excluding inherited ones for cleaner output)        var methods = targetClass.$ownMethods;        if (methods.length > 0) {            console.log("[+] Found " + methods.length + " methods:");            methods.forEach(function (methodName) {                // Get method signature for more details                var method = targetClass[methodName];                if (method && method.overloads) {                    method.overloads.forEach(function (overload) {                        var argTypes = overload.argumentTypes.map(function(type) { return type.className; }).join(', ');                        var returnType = overload.returnType.className;                        console.log("  - " + returnType + " " + methodName + "(" + argTypes + ")");                    });                } else {                    console.log("  - " + methodName + "()"); // For methods without overloads property                    // Note: This might not give full signature for all method types                }            });        } else {            console.log("[-] No methods found for " + targetClassName + ".");        }    } catch (e) {        console.log("[-] Error loading class " + targetClassName + ": " + e.message);    }    console.log("[*] Method enumeration complete.");});
```
Inject it: frida -U -l enumerate_methods.js com.example.app

This script uses Java.use(targetClassName) to obtain a wrapper around the target class. The $ownMethods property then provides an array of method names declared directly within that class. For each method name, we then try to get its overloads to print the full signature including return types and argument types.

Handling Constructors and Overloaded Methods

The $ownMethods property generally includes constructors (often named $init internally). When a class has overloaded methods (methods with the same name but different parameters), targetClass[methodName] will return an object containing an overloads array. Our script above already handles this by iterating through overload objects to display full signatures.

Advanced Techniques and Considerations
- Performance and Output Size
  
  Enumerating all classes in a large application can produce a significant amount of output, potentially slowing down Frida or making the console difficult to parse. Consider redirecting output to a file or using more granular filtering.
- Dynamic Class Loading
  
  Some applications load classes dynamically at different stages (e.g., after login, specific feature activation). To catch these, you might need to run your enumeration script at different points in the application’s lifecycle, or use Frida’s hooking capabilities to intercept class loaders.
- Deobfuscation
  
  If an app is obfuscated (e.g., using ProGuard/R8), class and method names might be meaningless (e.g., a.b.c or a()). While Frida reveals these names at runtime, correlating them back to meaningful functions might require combining Frida with static analysis tools that deobfuscate (e.g., Ghidra, JADX).
- Method Visibility
  
  The $ownMethods property gives you access to all methods defined in the class, regardless of their public, private, or protected visibility. This is crucial for penetration testers to discover internal APIs.
Practical Applications in Penetration Testing

The ability to enumerate classes and methods dynamically is a cornerstone of effective Android app penetration testing:
- Discovering Hidden APIs: Uncover internal APIs that might not be exposed through public SDKs or apparent in static analysis.
- Mapping Application Logic: Gain a deeper understanding of how different components interact, especially in complex or obfuscated applications.
- Identifying Attack Surfaces: Pinpoint methods that handle sensitive data, perform cryptographic operations, or interact with native code, which could be potential points of interest for further exploitation.
- Bypassing Security Controls: Once sensitive methods are identified, Frida can be used to hook them, modify their behavior, or log their arguments and return values to bypass security checks.
Conclusion

Frida is an exceptionally powerful tool for dynamic analysis of Android applications. By mastering techniques like enumerating loaded classes and their respective methods at runtime, security researchers can gain an unparalleled view into an application’s internal workings. This deep introspection capability not only aids in discovering vulnerabilities but also significantly enhances the efficiency and depth of any Android app penetration test, bridging the gaps left by static analysis alone. Incorporate these Frida scripts into your toolkit to unlock a new level of insight into Android applications.
May 30, 2026
Understanding & Exploiting JNI_OnLoad: A Frida-Powered Android Security Deep Dive
Introduction to JNI_OnLoad and Native Libraries in Android

Android applications often leverage native libraries (shared objects, .so files) written in C/C++ for performance-critical tasks, platform-specific interactions, or to protect sensitive logic from easy reverse-engineering. The Java Native Interface (JNI) acts as a bridge, allowing Java code to interact with these native libraries. A crucial, yet often overlooked, component of many native libraries is the JNI_OnLoad function. This function serves as the entry point for a native library when it’s loaded into the JVM. Understanding and exploiting JNI_OnLoad with tools like Frida can unlock significant insights during Android application penetration testing and security analysis.

What is JNI_OnLoad?

JNI_OnLoad is an optional function within a native library that the Android runtime (ART/Dalvik VM) automatically invokes when the library is loaded via System.loadLibrary(). Its primary purpose is to perform initializations for the native library, such as:
- Registering native methods statically or dynamically.
- Performing anti-tampering or anti-root checks early in the application lifecycle.
- Decrypting or loading sensitive configuration data, encryption keys, or obfuscated strings.
- Initializing global variables or setting up internal data structures.
- Setting up custom signal handlers or other low-level system hooks.
The function signature typically looks like this:
```
jint JNI_OnLoad(JavaVM* vm, void* reserved) {    // Perform initializations    JNIEnv* env;    if ((*vm)->GetEnv(vm, (void**)&env, JNI_VERSION_1_6) != JNI_OK) {        return JNI_ERR;    }    // Register native methods or other setup    return JNI_VERSION_1_6;}
```
It takes two arguments: a pointer to the JavaVM instance and a reserved pointer, which is usually NULL. It returns the JNI version the library desires to use.

Why Hook JNI_OnLoad with Frida?

Hooking JNI_OnLoad with Frida provides several strategic advantages for security researchers:
1. Early Interception: It’s one of the earliest points of execution within a native library. Any checks or initializations performed here can be observed or bypassed before the main application logic takes over.
2. Uncovering Obfuscation: Many anti-reverse engineering techniques, such as string decryption or code integrity checks, are often initialized within JNI_OnLoad. Intercepting this can expose sensitive data or reveal the mechanisms of protection.
3. Dynamic Method Registration: If a library dynamically registers its native methods, JNI_OnLoad is the place where this registration occurs. Hooking it can help in mapping Java methods to their underlying native implementations.
4. Bypassing Anti-Tampering: Malicious applications or sophisticated protections might use JNI_OnLoad to detect debuggers, root environments, or modified code. Intercepting and manipulating the return value or internal logic can bypass these defenses.
Setting Up Your Environment for Frida Hooking

Before diving into specific examples, ensure your Frida environment is set up:
- Rooted Android Device or Emulator: Necessary for pushing and running frida-server.
- Frida Server: Download the appropriate frida-server binary for your device’s architecture (e.g., frida-server-*-android-arm64) from the Frida releases page. Push it to /data/local/tmp/ and make it executable:
```
adb push frida-server-*-android-arm64 /data/local/tmp/frida-serveradb shell 'chmod 755 /data/local/tmp/frida-server'adb shell '/data/local/tmp/frida-server &'
```
- Frida Client: Install the Python frida-tools on your host machine:
```
pip install frida-tools
```
Finding JNI_OnLoad in a Native Library

You can locate the JNI_OnLoad symbol within a native library using various tools. A common method is to use nm -D (display dynamic symbols) or readelf -s on the shared object file:
```
adb pull /data/app/<package_name>/lib/arm64/libnative-lib.so .nm -D libnative-lib.so | grep JNI_OnLoad
```
This will typically show an output similar to:
```
0000000000001234 T JNI_OnLoad
```
The address (0x1234 in this example) is crucial for Frida’s Module.findExportByName().

Frida Hooking JNI_OnLoad: Basic Interception

Let’s consider a simple native library named libexample.so which has a JNI_OnLoad function. Our goal is to intercept its execution.
```
Java.perform(function () {    var libraryName = "libexample.so";    var JNI_OnLoad_ptr = Module.findExportByName(libraryName, "JNI_OnLoad");    if (JNI_OnLoad_ptr) {        console.log("[*] JNI_OnLoad found at: " + JNI_OnLoad_ptr);        Interceptor.attach(JNI_OnLoad_ptr, {            onEnter: function (args) {                console.log("[+] JNI_OnLoad entered!");                // args[0] is JavaVM*, args[1] is void* reserved                // We can dereference JavaVM* to get JNIEnv*                var vm = new JavaVM(args[0]);                var env = vm.get  ('GetEnv')(args[0], Memory.alloc(Process.pointerSize), JNI_VERSION_1_6);                if (env.isNull()) {                    console.warn("[-] Could not get JNIEnv in JNI_OnLoad onEnter.");                } else {                    console.log("[+] JNIEnv address: " + env);                }            },            onLeave: function (retval) {                console.log("[*] JNI_OnLoad returned: " + retval);                // Optional: Modify the return value to change JNI version                // retval.replace(JNI_VERSION_1_2);            }        });    } else {        console.log("[-] JNI_OnLoad not found in " + libraryName);    }});
```
To run this script against an application:
```
frida -U -f com.your.package.name -l hook_jni_onload.js --no-pause
```
This script will print messages to the console when JNI_OnLoad is entered and when it returns, including its return value. Note the use of JavaVM class which might need to be defined for proper dereferencing or simplified to just logging the raw pointer.

Example: A Simplified JavaVM Definition (for advanced use)
```
// Simplified JavaVM structure for direct dereferencing,            // typically not needed for just logging raw pointers but useful for calling methods            var JavaVM = new NativeFunction(ptr("0x0"), 'void', ['pointer', 'pointer', 'pointer']);            try {                JavaVM = new NativeFunction(args[0].readPointer().add(Process.pointerSize * 3).readPointer(), 'jint', ['pointer', 'pointer', 'int']); // GetEnv offset varies            } catch(e) {                console.error("Error creating JavaVM native function: " + e);            }
```
This simplified version is illustrative. For practical purposes, directly accessing `GetEnv` like `(*vm)->GetEnv` isn’t straightforward in Frida directly without more complex type definitions or reliance on existing Frida libraries that abstract JNI. The primary use case here is logging the raw pointers and return values.

Exploiting JNI_OnLoad: Advanced Scenarios

Scenario 1: Bypassing Early Anti-Root Checks

Many applications perform root detection or debugger detection within JNI_OnLoad. If JNI_OnLoad calls a function like isDeviceRooted() or sets a global flag, we can intercept and modify its behavior.

Let’s assume libexample.so has a function native_security_check() called by JNI_OnLoad, which returns 1 for rooted and 0 for non-rooted, and JNI_OnLoad then returns JNI_ERR if rooted.
```
Java.perform(function () {    var libraryName = "libexample.so";    var JNI_OnLoad_ptr = Module.findExportByName(libraryName, "JNI_OnLoad");    var securityCheckPtr = Module.findExportByName(libraryName, "native_security_check"); // Hypothetical security check function    if (JNI_OnLoad_ptr) {        Interceptor.attach(JNI_OnLoad_ptr, {            onEnter: function (args) {                console.log("[+] JNI_OnLoad entered.");                if (securityCheckPtr) {                    console.log("[+] Hooking native_security_check()...");                    Interceptor.replace(securityCheckPtr, new NativeCallback(function() {                        console.log("[+] native_security_check() intercepted. Returning 0 (non-rooted).");                        return 0; // Force non-rooted result                    }, 'int', []));                }            },            onLeave: function (retval) {                console.log("[*] JNI_OnLoad returned: " + retval);                if (retval.toInt32() == -1) { // JNI_ERR is -1                    console.log("[*] JNI_OnLoad returned JNI_ERR. Forcing JNI_VERSION_1_6.");                    retval.replace(JNI_VERSION_1_6); // Bypass error condition                }            }        });    } else {        console.log("[-] JNI_OnLoad not found in " + libraryName);    }});
```
In this example, we proactively replace the native_security_check function to always return 0 (indicating a non-rooted device). Additionally, we ensure that JNI_OnLoad always returns a valid JNI version, even if an internal check would have caused it to return JNI_ERR.

Scenario 2: Dumping Initialized Data/Keys

If JNI_OnLoad decrypts or initializes sensitive data (e.g., an AES key, an API token) into a global variable or returns it, we can dump it.

Let’s assume JNI_OnLoad initializes a global variable g_secret_key after decryption.
```
Java.perform(function () {    var libraryName = "libexample.so";    var JNI_OnLoad_ptr = Module.findExportByName(libraryName, "JNI_OnLoad");    if (JNI_OnLoad_ptr) {        Interceptor.attach(JNI_OnLoad_ptr, {            onLeave: function (retval) {                console.log("[*] JNI_OnLoad returned: " + retval);                // Hypothetical global variable address for g_secret_key                // You'd find this via static analysis (IDA Pro, Ghidra) or dynamic debugging                var g_secret_key_addr = Module.findBaseAddress(libraryName).add(0x3000); // Example offset                try {                    var key_length = 32; // Assuming 32-byte key                    var secret_key = g_secret_key_addr.readByteArray(key_length);                    console.log("[+] Dumped g_secret_key: " + hexdump(secret_key));                } catch (e) {                    console.error("[-] Failed to dump secret key: " + e);                }            }        });    } else {        console.log("[-] JNI_OnLoad not found in " + libraryName);    }});
```
Finding the exact address of g_secret_key_addr would involve static analysis with tools like IDA Pro or Ghidra to locate the global variable after the library’s base address is known. The Module.findBaseAddress(libraryName) provides the base address of the loaded library.

Conclusion

JNI_OnLoad is a powerful entry point in Android native libraries, often leveraged by developers for critical initializations and security measures. For penetration testers and security researchers, mastering the art of hooking JNI_OnLoad with Frida is an essential skill. It provides a unique opportunity to intercept, observe, and manipulate the application’s behavior at a very early stage, enabling the bypass of anti-tampering mechanisms, extraction of sensitive data, and a deeper understanding of the native code’s functionality. By combining static analysis to locate symbols and dynamic analysis with Frida, you can unlock layers of protection and gain significant control over target applications.
May 30, 2026
From Zero to Hero: Master Frida Hooking for Android JNI_OnLoad and Native Calls
Introduction to Android Native Code and Frida

Android applications often leverage native code written in C/C++ for performance-critical tasks, platform-specific interactions, or to protect sensitive logic from easy reverse engineering. This native code interacts with the Java/Kotlin layer through the Java Native Interface (JNI). For penetration testers and security researchers, analyzing and manipulating this native layer is crucial, and Frida stands out as an indispensable dynamic instrumentation toolkit for this purpose.

Frida allows you to inject custom scripts into running processes, enabling you to inspect, modify, and even replace functions on the fly. This guide will walk you through mastering Frida to hook `JNI_OnLoad`, the critical initialization function for native libraries, and arbitrary native functions, taking you from a beginner to a proficient native code manipulator.

Understanding JNI_OnLoad: The Native Gateway

When an Android application loads a native library (e.g., System.loadLibrary("mylib")), the Android system looks for a special function within that library: JNI_OnLoad. This function, if present, is executed once when the library is loaded into the process’s memory space. It’s often used to:
- Cache JNIEnv and JavaVM pointers.
- Register native methods dynamically, mapping Java methods to their native C/C++ implementations.
- Perform critical initializations or anti-tampering checks.
Hooking JNI_OnLoad provides an excellent opportunity to intercept the library’s initial setup, potentially observe critical initialization routines, or even alter the registration of native methods before they are used.

Setting Up Your Frida Environment

Before we dive into hooking, ensure you have your environment ready:
1. Rooted Android Device or Emulator: Frida requires root access on the target device.
2. ADB (Android Debug Bridge): Installed and configured on your host machine.
3. Frida Server: Download the correct Frida server for your device’s architecture (e.g., frida-server-16.1.4-android-arm64) from the Frida releases page.
4. Frida Tools: Install on your host machine via pip:pip install frida-tools
Deployment of Frida Server:

Push the Frida server to your device and run it:

adb push frida-server /data/local/tmp/frida-serveradb shell
May 30, 2026
Troubleshooting Frida Hooks: Debugging JNI_OnLoad and Native Library Load Issues on Android Introduction to JNI_OnLoad and Native Library Loading The Java Native Interface (JNI) is a powerful framework that allows Java code running in a Java Virtual Machine (JVM) to call and be called by native applications and libraries written in languages such as C, C++, and assembly. In Android app development, JNI is extensively used for performance-critical operations, interacting with hardware, or integrating existing native codebases. A critical function in this ecosystem is JNI_OnLoad. JNI_OnLoad is a special C/C++ function that the Java Virtual Machine (JVM) looks for and executes when a native library is loaded into memory via System.loadLibrary() or System.load(). Its primary purpose is to perform initialization routines for the native library, such as registering native methods with the JVM (mapping Java methods to native C/C++ functions) and setting up global variables or structures. For security researchers and penetration testers, hooking JNI_OnLoad is paramount because it’s often the earliest point where a native library’s functionality can be intercepted and manipulated before other native functions are called or anti-tampering checks are established. The Challenge of Hooking JNI_OnLoad with Frida Timing is Everything One of the most frequent challenges when trying to hook JNI_OnLoad with Frida is a timing issue. Frida injects its agent into the target process, but there’s a race condition: the target application might load its native libraries and execute JNI_OnLoad before Frida’s agent has fully initialized and attached its hooks. If JNI_OnLoad has already run by the time your hook is set up, you will simply miss the event. Additionally, Android applications often load native libraries very early in their lifecycle, sometimes even within the Application.onCreate() method or static initializers of classes. This makes it challenging to reliably intercept these calls using typical Java.perform() blocks, which execute once the Java VM is ready for interaction, but might still be after initial native library loads. Library Resolution and Multiple JNI_OnLoad Functions Android’s linker manages native libraries in specific namespaces. A library named libnative.so will typically expose its JNI_OnLoad function as an export. However, an application might load multiple native libraries, each with its own JNI_OnLoad. Identifying which specific JNI_OnLoad you need to hook, or handling cases where multiple libraries expose this function, requires careful module enumeration and precise targeting. Frida Strategies for Reliable JNI_OnLoad Hooking Early Injection and Waiting for Module Load To mitigate the timing issue, you should aim for the earliest possible injection and then actively wait for your target module to appear in the process’s memory space. Use frida -l script.js -f package_name --no-pause to inject Frida into the application at launch and immediately execute your script without pausing the application’s startup. Java.perform(function () { var targetLib = 'libnative.so'; var module = null; // Keep trying to find the module until it's loaded var interval = setInterval(function() { module = Process.findModuleByName(targetLib); if (module) { clearInterval(interval); console.log('[+] Found module: ' + targetLib + ' at ' + module.base); var jniOnLoad = module.findExportByName('JNI_OnLoad'); if (jniOnLoad) { console.log('[+] JNI_OnLoad found at ' + jniOnLoad); Interceptor.attach(jniOnLoad, { onEnter: function(args) { console.log('JNI_OnLoad ENTERED!'); // You can inspect arguments, but JNI_OnLoad typically has (JavaVM*, void*) this.vm = args[0]; this.reserved = args[1]; }, onLeave: function(retval) { console.log('JNI_OnLoad EXITED! Return value: ' + retval); // Example: Force JNI_VERSION_1_6 if library tries to downgrade // retval.replace(0x00010006); // JNI_VERSION_1_6 } }); } else { console.log('[-] JNI_OnLoad not found in ' + targetLib); } } else { console.log('[-] Waiting for ' + targetLib + ' to load...'); } }, 100); // Check every 100ms}); Intercepting System.loadLibrary and dlopen A more robust approach is to intercept the functions responsible for loading native libraries. On the Java side, this is System.loadLibrary(). On the native side, this eventually boils down to dlopen(), which loads a shared object. By hooking these, you can ensure your JNI_OnLoad hook is placed as soon as the library load is initiated or completed. Java.perform(function () { var System = Java.use('java.lang.System'); System.loadLibrary.overload('java.lang.String').implementation = function (libname) { console.log('[Java] System.loadLibrary called for: ' + libname); this.loadLibrary(libname); // Call original method if (libname === 'native') { // Target our specific library console.log('[+] Now trying to hook JNI_OnLoad for ' + libname); var module = Process.findModuleByName('libnative.so'); if (module) { var jniOnLoad = module.findExportByName('JNI_OnLoad'); if (jniOnLoad) { console.log('[+] JNI_OnLoad for libnative.so found at ' + jniOnLoad); Interceptor.attach(jniOnLoad, { onEnter: function(args) { console.log('JNI_OnLoad ENTERED (via System.loadLibrary hook)!'); }, onLeave: function(retval) { console.log('JNI_OnLoad EXITED (via System.loadLibrary hook)!'); } }); } } } }; // Hooking dlopen for a more native-level approach var dlopen = Module.findExportByName(null, 'dlopen'); if (dlopen) { Interceptor.attach(dlopen, { onEnter: function(args) { this.library_path = args[0].readUtf8String(); console.log('[Native] dlopen called for: ' + this.library_path); }, onLeave: function(retval) { if (retval.toInt32() !== 0 && this.library_path && this.library_path.includes('libnative.so')) { console.log('[+] libnative.so loaded via dlopen! Module base: ' + retval); var module = Process.findModuleByAddress(retval); var jniOnLoad = module.findExportByName('JNI_OnLoad'); if (jniOnLoad) { console.log('[+] JNI_OnLoad for libnative.so found at ' + jniOnLoad); Interceptor.attach(jniOnLoad, { onEnter: function(args) { console.log('JNI_OnLoad ENTERED (via dlopen hook)!'); }, onLeave: function(retval) { console.log('JNI_OnLoad EXITED (via dlopen hook)!'); } }); } } } }); }}); Handling Multiple JNI_OnLoad Functions and Dynamic Loads If you suspect multiple JNI_OnLoad functions or are unsure which library provides it, you can enumerate all loaded modules and their exports: Java.perform(function () { Process.enumerateModules().forEach(function(module) { // Filter for relevant modules, e.g., only application-specific ones // if (!module.name.startsWith('lib') && !module.name.endsWith('.so')) return; var jniOnLoad = module.findExportByName('JNI_OnLoad'); if (jniOnLoad) { console.log('[*] Found JNI_OnLoad in module: ' + module.name + ' at ' + jniOnLoad); Interceptor.attach(jniOnLoad, { onEnter: function(args) { console.log('JNI_OnLoad ENTERED in ' + module.name); }, onLeave: function(retval) { console.log('JNI_OnLoad EXITED in ' + module.name); } }); } });}); Debugging Common Frida Hooking Issues No Output from console.log or send Frida Server/Agent Issue: Ensure frida-server is running on the device and is reachable. Verify Frida agent injected correctly by checking frida-ps -U or frida -D -l script.js -f package_name. Early Application Crash: The application might be crashing immediately after launch or injection, preventing your script from running. Use --no-pause and monitor logcat for crashes. Wrong Package Name/PID: Double-check the package name (-f) or PID (-p) you are targeting. Hook Not Triggering Module Not Loaded: Use Process.findModuleByName('libname.so') in a live Frida console (`frida -U -f package_name –no-pause`) to confirm if the library is loaded and at what address. Export Name Mismatch: Verify the exact export name. Sometimes it might be `JNI_OnLoad@XXX` due to mangling, or not exported at all. Use `Module.enumerateExports(module_name)` to list all exports. Timing Race Condition: As discussed, `JNI_OnLoad` might have already executed. Implement `System.loadLibrary` or `dlopen` hooks to guarantee interception. Function Signature Incorrect: If hooking other native functions, ensure the `Interceptor.attach` arguments match the function’s signature (number and type of arguments). Application Crashing on Hook Incorrect Argument Handling: When `onEnter` or `onLeave` modify arguments or return values, ensure you’re using correct types and not corrupting memory. For example, `args[0].writePointer(ptr)` or `retval.replace(new_value)`. Memory Access Violations: Reading from or writing to invalid memory addresses within your hook can cause crashes. Use `try-catch` blocks around risky operations and `console.log` extensively to pinpoint the exact line causing the crash. Stack Corruption: If you’re manually manipulating the stack or calling conventions, even slight errors can lead to crashes. Stick to `Interceptor.attach`’s default behavior unless you’re very confident. Concurrency Issues: Hooks can introduce concurrency issues if not handled carefully, especially in multi-threaded native code. Advanced Techniques and Best Practices When dealing with complex native environments, combining `Java.perform` with native hooks offers powerful context. For instance, you might want to call a Java method before or after a native function executes, or pass information between Java and native hook contexts. Remember to use `Interceptor.replace` with extreme caution, as it completely replaces the function and requires you to replicate the original function’s logic if you still want it to run. Always test your Frida scripts incrementally. Start with simple `console.log` statements to confirm hooks are attaching and triggering, then gradually add more complex logic. When debugging, leverage Frida’s interactive console (`frida -U -f package_name –no-pause`) to dynamically test snippets of code and inspect the process state without restarting the application every time. Finally, `frida-trace` can be an excellent tool for initial exploration. Use `frida-trace -i May 30, 2026
Advanced Frida Scripting: Dynamic Hooking of JNI_OnLoad and Unexported Native Symbols Introduction to Advanced Frida Hooking Frida has revolutionized mobile application penetration testing, offering unparalleled capabilities for dynamic instrumentation. While basic hooking of exported functions is straightforward, real-world Android applications often employ sophisticated obfuscation and anti-tampering techniques. This necessitates advanced methods to interact with critical native components, specifically targeting JNI_OnLoad and unexported native symbols. This guide will delve into these advanced Frida scripting techniques, providing practical examples and a deep understanding of their underlying mechanisms. Why Advanced Hooking is Essential Many security-sensitive operations in Android applications are performed in native libraries (C/C++), accessed via the Java Native Interface (JNI). Understanding and manipulating these native functions is crucial for bypasses, data exfiltration, and vulnerability discovery. However, directly hooking functions like JNI_OnLoad or symbols not listed in the library’s export table presents unique challenges that standard Frida approaches cannot solve. Hooking JNI_OnLoad: Catching Native Initialization The JNI_OnLoad function is a critical entry point for native libraries. It’s called by the Android runtime (ART) when a native library is loaded via System.loadLibrary() or System.load(). Its primary purpose is to perform initialization tasks, such as registering native methods with the Java Virtual Machine (JVM) using RegisterNatives and returning the JNI version. The challenge with JNI_OnLoad is that it often executes very early, sometimes before your Frida script has fully attached and instrumented the process. The Challenge and the Solution: Intercepting Library Loading If you simply try to attach to JNI_OnLoad using Module.findExportByName('libnative-lib.so', 'JNI_OnLoad') in a standard onEnter function of your Frida script, you might miss its execution if the library is loaded very early. A more robust approach involves intercepting the library loading mechanism itself. On Android, native libraries are loaded using functions like dlopen or android_dlopen_ext. By hooking these functions, we can gain control precisely at the moment a new library is loaded. Inside our dlopen hook, we can then scan the newly loaded module for JNI_OnLoad and attach to it. Frida Script for JNI_OnLoad Hooking Java.perform(function () { console.log('[*] Script loaded successfully'); // Hook dlopen or android_dlopen_ext to catch library loading const dlopen = Module.findExportByName(null, 'dlopen'); if (dlopen) { Interceptor.attach(dlopen, { onEnter: function (args) { this.library_path = args[0].readUtf8String(); }, onLeave: function (retval) { if (this.library_path && this.library_path.includes('libnative-lib.so')) { console.log('[*] libnative-lib.so loaded! Path: ' + this.library_path); const JNI_OnLoad_ptr = Module.findExportByName('libnative-lib.so', 'JNI_OnLoad'); if (JNI_OnLoad_ptr) { console.log('[*] Found JNI_OnLoad at: ' + JNI_OnLoad_ptr); Interceptor.attach(JNI_OnLoad_ptr, { onEnter: function (args) { console.log('[*] JNI_OnLoad called!'); console.log(' -> VM: ' + args[0]); console.log(' -> reserved: ' + args[1]); // You can inspect the JNIEnv* (args[0]) here if needed // For example, to enumerate registered native methods after JNI_OnLoad returns }, onLeave: function (retval) { console.log('[*] JNI_OnLoad returned: ' + retval); } }); } else { console.log('[-] JNI_OnLoad not found in libnative-lib.so'); } } } }); console.log('[*] Hooked dlopen'); } else { console.log('[-] dlopen not found, trying android_dlopen_ext'); const android_dlopen_ext = Module.findExportByName(null, 'android_dlopen_ext'); if (android_dlopen_ext) { Interceptor.attach(android_dlopen_ext, { onEnter: function (args) { this.library_path = args[0].readUtf8String(); }, onLeave: function (retval) { if (this.library_path && this.library_path.includes('libnative-lib.so')) { console.log('[*] libnative-lib.so loaded! Path: ' + this.library_path); const JNI_OnLoad_ptr = Module.findExportByName('libnative-lib.so', 'JNI_OnLoad'); if (JNI_OnLoad_ptr) { console.log('[*] Found JNI_OnLoad at: ' + JNI_OnLoad_ptr); Interceptor.attach(JNI_OnLoad_ptr, { onEnter: function (args) { console.log('[*] JNI_OnLoad called!'); console.log(' -> VM: ' + args[0]); console.log(' -> reserved: ' + args[1]); }, onLeave: function (retval) { console.log('[*] JNI_OnLoad returned: ' + retval); } }); } else { console.log('[-] JNI_OnLoad not found in libnative-lib.so'); } } } }); console.log('[*] Hooked android_dlopen_ext'); } else { console.log('[-] Neither dlopen nor android_dlopen_ext found.'); } }}); Hooking Unexported Native Symbols: Beyond the Export Table Many critical native functions are not explicitly exported by a library. This means they won’t appear in the dynamic symbol table (readily accessible via Module.findExportByName or tools like nm). These ‘unexported’ or ‘private’ symbols are often internal helper functions, static functions, or part of obfuscation strategies. To hook them, we need more advanced techniques. Techniques for Unexported Symbols Offset-Based Hooking (Requires Static Analysis): This is the most common and reliable method. It involves using a disassembler (like IDA Pro or Ghidra) to locate the function’s address relative to the base address of its containing module. Signature Scanning: More dynamic but complex, this involves searching for specific byte patterns (signatures) in memory that uniquely identify the function. Trampoline/Proxy Hooking: If an exported function calls the unexported target, you can hook the exported function and manipulate its control flow to reach your target. Detailed Walkthrough: Offset-Based Hooking Let’s focus on offset-based hooking, as it provides a robust and precise way to target unexported functions. Step 1: Identify the Target Function via Static Analysis First, you need to open the native library (e.g., libnative-lib.so) in a disassembler (IDA Pro or Ghidra). Locate the unexported function you wish to hook. Let’s assume you’ve found a function named my_secret_function that is not exported. Step 2: Calculate the Offset In your disassembler, note the absolute address of my_secret_function. Also, identify the base address of the module (libnative-lib.so). The offset is simply Absolute_Address - Base_Address. For example, if libnative-lib.so loads at base address 0x7000000000 and my_secret_function is at 0x7000001234, then the offset is 0x1234. Step 3: Craft Your Frida Script Once you have the offset, you can calculate the function’s runtime address by adding the offset to the actual base address of the module as loaded in memory by the target process. Frida’s Module.getBaseAddress() provides this. Frida Script for Offset-Based Hooking Java.perform(function () { console.log('[*] Script loaded for unexported symbol hooking'); const moduleName = 'libnative-lib.so'; const targetModule = Process.findModuleByName(moduleName); if (targetModule) { console.log('[*] Found module: ' + moduleName + ' at base: ' + targetModule.base); // Assume 0x1234 is the offset found via static analysis const unexportedFunctionOffset = new NativePointer(0x1234); // Calculate the runtime address of the unexported function const unexportedFunctionAddress = targetModule.base.add(unexportedFunctionOffset); console.log('[*] Attempting to hook unexported function at: ' + unexportedFunctionAddress); // Example: Hooking a function that takes two ints and returns an int Interceptor.attach(unexportedFunctionAddress, { onEnter: function (args) { console.log('[*] unexportedFunction called!'); console.log(' -> Arg 1: ' + args[0].toInt32()); console.log(' -> Arg 2: ' + args[1].toInt32()); // Modify arguments if needed // args[0] = new NativePointer(100); }, onLeave: function (retval) { console.log('[*] unexportedFunction returned: ' + retval.toInt32()); // Modify return value if needed // retval.replace(200); } }); console.log('[*] Successfully attached to unexported function.'); } else { console.log('[-] Module ' + moduleName + ' not found.'); }}); In this example, new NativePointer(0x1234) represents the offset you discovered. The targetModule.base.add(unexportedFunctionOffset) operation dynamically calculates the correct memory address at runtime. Considerations for Offset Hooking Architecture Specificity: Offsets are architecture-dependent (ARM, ARM64, x86). Ensure your static analysis matches the target device’s architecture. Relocation: While offsets are generally stable for a given library version and architecture, some highly dynamic libraries might have variations. Always verify. Function Signature: You need to know the calling convention and argument types of the unexported function to correctly interpret onEnter arguments and onLeave return values. This also comes from static analysis. Conclusion Mastering the techniques for hooking JNI_OnLoad and unexported native symbols significantly elevates your capabilities in Android app penetration testing. By understanding how to intercept library loading and leverage static analysis for offset-based hooking, you gain access to critical code paths that are often protected from simpler instrumentation. These advanced methods are indispensable for reversing complex anti-tampering measures, analyzing proprietary algorithms, and uncovering deep-seated vulnerabilities within native Android applications. May 30, 2026


		
		
			
			Frida Deep Dive: Hooking JNI_OnLoad to Uncover Hidden Android Native Secrets
			Introduction: The Native Underbelly of Android Apps
Modern Android applications frequently leverage native libraries (written in C/C++ and compiled into .so files) to achieve performance gains, implement complex algorithms, or, more commonly, hide critical logic and secrets from casual reverse engineering attempts. The Java Native Interface (JNI) serves as the bridge between Java/Kotlin code and these native libraries. Among the most pivotal functions in JNI is JNI_OnLoad, a special entry point that executes early in a native library’s lifecycle. Understanding and hooking JNI_OnLoad with Frida is a powerful technique for Android penetration testers and reverse engineers to uncover hidden native functionality, bypass anti-tampering mechanisms, and gain deep insights into an application’s core logic.
This deep dive will guide you through the intricacies of JNI_OnLoad, explain its significance, and provide practical, expert-level Frida scripts to intercept its execution and even unravel the functions registered via RegisterNatives.
Prerequisites

Basic understanding of Android application structure and JNI.
Familiarity with C/C++ programming.
Working knowledge of Frida (installation, basic usage).
A rooted Android device or emulator with Frida-server running.
ADB (Android Debug Bridge) installed and configured.

Understanding JNI_OnLoad: The Native Initializer
What is JNI_OnLoad?
JNI_OnLoad is an optional, but widely used, function that resides within a native shared library (.so file). It’s the first function called by the Java Virtual Machine (JVM) when a native library is loaded into memory via System.loadLibrary(). Its primary purpose is to perform any necessary initialization tasks for the native library, such as:

Setting up global data structures.
Registering native methods with the JVM using env->RegisterNatives().
Performing anti-tampering checks or obfuscation routines.
Storing references to the JavaVM* and JNIEnv* pointers for later use.

The function prototype for JNI_OnLoad is:
JNIEXPORT jint JNICALL JNI_OnLoad(JavaVM* vm, void* reserved) {  // Initialization code  return JNI_VERSION_1_X;}
Why is JNI_OnLoad a Prime Target?
Because it’s executed very early and implicitly by the JVM, JNI_OnLoad is a critical control point. Attackers and reverse engineers can leverage its early execution to:

Discover native methods: By hooking RegisterNatives calls within JNI_OnLoad, you can programmatically extract the names, signatures, and addresses of all native functions the library exposes to Java.
Bypass anti-tampering: Many anti-tampering or anti-debugging checks are performed during native library initialization. Intercepting JNI_OnLoad allows you to observe or even alter these checks.
Uncover hidden logic: Often, sensitive decryption keys or critical algorithmic steps are initialized or set up in JNI_OnLoad.

Frida Fundamentals for Native Hooking
Frida provides powerful APIs for interacting with native code. Key components include:

Module.findExportByName(moduleName, exportName): Locates the address of an exported function.
Interceptor.attach(address, callbacks): Hooks a function at a specific memory address, allowing you to execute code before (onEnter) and after (onLeave) the original function.
NativePointer: Represents a pointer to a memory address, allowing arithmetic operations.
Memory.readCString(address) / Memory.readByteArray(address, size): Read data from memory.

Step-by-Step: Hooking JNI_OnLoad
1. Identify the Target Library
First, you need to know which native library contains the JNI_OnLoad you want to hook. You can often infer this from the application’s Java code (e.g., System.loadLibrary("my_native_lib")) or by examining the lib/ directory within the APK. For this example, let’s assume our target library is libnative-lib.so.
2. Frida Script for JNI_OnLoad
Here’s a basic Frida script to hook JNI_OnLoad. We’ll find the module, then locate and attach to the JNI_OnLoad export.
Java.perform(function() {  var libraryName = "libnative-lib.so";  var JNI_OnLoad_ptr = Module.findExportByName(libraryName, "JNI_OnLoad");  if (JNI_OnLoad_ptr) {    console.log("[+] Found JNI_OnLoad at: " + JNI_OnLoad_ptr);    Interceptor.attach(JNI_OnLoad_ptr, {      onEnter: function(args) {        console.log("[*] JNI_OnLoad called for " + libraryName);        this.javaVm = args[0]; // JavaVM*        this.reserved = args[1]; // void*        console.log("    JavaVM*: " + this.javaVm);        console.log("    Reserved*: " + this.reserved);      },      onLeave: function(retval) {        console.log("[*] JNI_OnLoad returned: " + retval);      }    });  } else {    console.log("[-] JNI_OnLoad not found in " + libraryName);  }});
3. Running the Script
Attach Frida to your target application’s process:
frida -U -f com.your.package.name -l hook_jni_onload.js --no-pause
Replace com.your.package.name with the actual package name and hook_jni_onload.js with your script’s filename. The --no-pause flag ensures the app starts immediately.
Advanced Techniques: Intercepting RegisterNatives
Many important native functions are not exported but are instead registered dynamically using JNIEnv->RegisterNatives() within JNI_OnLoad. To uncover these, we need to hook RegisterNatives itself. This is more complex as JNIEnv is a pointer to a struct of function pointers.
Hooking RegisterNatives
Java.perform(function() {  var libraryName = "libnative-lib.so";  var JNI_OnLoad_ptr = Module.findExportByName(libraryName, "JNI_OnLoad");  if (JNI_OnLoad_ptr) {    console.log("[+] Found JNI_OnLoad at: " + JNI_OnLoad_ptr);    Interceptor.attach(JNI_OnLoad_ptr, {      onEnter: function(args) {        console.log("[*] JNI_OnLoad called for " + libraryName);        this.env = Memory.readPointer(this.context.x0.add(0)); // Get JNIEnv* from JavaVM* for 64-bit ARM, often args[0] for JNIEnv directly.        // For JNI_OnLoad, args[0] is JavaVM*, args[1] is void* reserved.        // To get JNIEnv* from JavaVM*, you'd typically call GetEnv.        // However, in the context of `JNI_OnLoad`, a JNIEnv* is provided via `*env` in `JNI_OnLoad`'s return context, or derived from `JavaVM*` if needed.        // Let's assume for simplicity we can get JNIEnv* from somewhere or hook `GetEnv` later.        // For direct `RegisterNatives` hooking, we need the `JNIEnv*` from `onEnter` of a function that receives it.        // This example focuses on 'how to hook' RegisterNatives, not 'how to get JNIEnv* reliably in JNI_OnLoad'.        // More reliably, if you hook a native function that directly takes JNIEnv*, you can get it there.      },      onLeave: function(retval) {        // console.log("[*] JNI_OnLoad returned: " + retval);      }    });  } else {    console.log("[-] JNI_OnLoad not found in " + libraryName);  }  // Hook RegisterNatives  // The JNIEnv structure varies by architecture and JNI version.  // On ARM64 (AArch64), the JNIEnv* is typically passed in x0.  // JNIEnv is a pointer to a pointer to a table of function pointers.  // The offset for RegisterNatives typically needs to be determined by looking at the JNI header files or reversing.  // For Android JNI, it's often 216 bytes (0xD8) for 64-bit and 84 bytes (0x54) for 32-bit.  var RegisterNatives_offset;  if (Process.arch === 'arm64') {    RegisterNatives_offset = 0xD8; // Offset for RegisterNatives on 64-bit ARM  } else if (Process.arch === 'arm') {    RegisterNatives_offset = 0x54; // Offset for RegisterNatives on 32-bit ARM  } else {    console.log("[-] Unsupported architecture: " + Process.arch);    return;  }  var libart = Process.findModuleByName("libart.so");  if (libart) {    var env_ptr = Memory.alloc(Process.pointerSize);    var fn_getEnv = libart.findExportByName("_ZN3art9JavaVMExt6GetEnvEPPvj") || libart.findExportByName("_ZN3art9JavaVMExt6GetEnvEPPj"); // Adjust based on your Android version & symbols.    // If we have a JavaVM* from JNI_OnLoad, we could call GetEnv to get a valid JNIEnv* for hooking.    // For simplicity, let's just find the global JNIEnv functions.    // A more robust way is to hook a function that takes JNIEnv* and then retrieve the address.    // Let's assume we can get a JNIEnv* to extract function table base for demonstration.    // A simpler approach for RegisterNatives is to hook from a function that actually passes JNIEnv* as first arg.    // For now, let's hook it directly from its expected offset in the JNIEnv* table.    // We can't directly use 'JNI_OnLoad' arguments to hook RegisterNatives reliably without `GetEnv`    // Let's use `Java.vm.getEnv().handle` which gives us a `JNIEnv*` to inspect the table.    // This is for inspecting, not for live hooking `RegisterNatives` as it's called.    // A better way is to attach to a native method which receives JNIEnv as argument 1 (x0/r0)    // And then hook RegisterNatives in its onEnter.    var current_jni_env = Java.vm.getEnv().handle;    var RegisterNatives_ptr = Memory.readPointer(current_jni_env.add(RegisterNatives_offset));    console.log("[+] RegisterNatives function pointer: " + RegisterNatives_ptr);    if (RegisterNatives_ptr.isNull()) {      console.log("[-] RegisterNatives pointer is null, unable to hook.");      return;    }    Interceptor.attach(RegisterNatives_ptr, {      onEnter: function(args) {        this.env = args[0];        this.javaClass = args[1];        this.methods = args[2]; // JNINativeMethod*        this.numMethods = args[3].toInt32();        console.log("n[!] RegisterNatives called!");        console.log("    Java Class: " + Java.vm.tryGetEnv().getClassName(this.javaClass));        console.log("    Number of methods: " + this.numMethods);        for (var i = 0; i < this.numMethods; i++) {          var methodPtr = this.methods.add(i * Process.pointerSize * 3);          var namePtr = Memory.readPointer(methodPtr);          var signaturePtr = Memory.readPointer(methodPtr.add(Process.pointerSize));          var fnPtr = Memory.readPointer(methodPtr.add(Process.pointerSize * 2));          var methodName = Memory.readCString(namePtr);          var methodSignature = Memory.readCString(signaturePtr);          console.log("      Method " + (i + 1) + ":");          console.log("        Name: " + methodName);          console.log("        Signature: " + methodSignature);          console.log("        Native function pointer: " + fnPtr);          // Optionally, you can hook each native function here!          // Interceptor.attach(fnPtr, { ... });        }      },      onLeave: function(retval) {        // console.log("[!] RegisterNatives returned: " + retval);      }    });  } else {    console.log("[-] libart.so not found, cannot reliably hook RegisterNatives.");  }});
Important Note on `RegisterNatives` Hooking: The most reliable way to hook RegisterNatives dynamically is to attach to a specific native method that you *know* will be called, and within its onEnter callback, use the JNIEnv* passed as args[0] to calculate and hook the RegisterNatives offset from that specific JNIEnv* instance. The example above demonstrates finding the offset and attaching, but the JNIEnv* from Java.vm.getEnv().handle is a global instance, not necessarily the one used during JNI_OnLoad calls, though the function table pointers should be the same across valid JNIEnv* instances for a given VM.
Case Study: Simple Native Library
Let’s imagine a simple native library:
#include <jni.h>#include <string.h>#include <stdio.h>JNIEXPORT jstring JNICALL Java_com_example_app_NativeLib_stringFromJNI(JNIEnv* env, jobject thiz) {    return (*env)->NewStringUTF(env, "Hello from C++!");}JNIEXPORT jint JNICALL native_add(JNIEnv* env, jobject thiz, jint a, jint b) {    return a + b;}static JNINativeMethod methods[] = {    {"add", "(II)I", (void*)native_add}};JNIEXPORT jint JNI_OnLoad(JavaVM* vm, void* reserved) {    JNIEnv* env;    if ((*vm)->GetEnv(vm, (void**)&env, JNI_VERSION_1_6) != JNI_OK) {        return -1;    }    jclass clazz = (*env)->FindClass(env, "com/example/app/NativeLib");    if (clazz == NULL) {        return -1;    }    (*env)->RegisterNatives(env, clazz, methods, sizeof(methods) / sizeof(methods[0]));    return JNI_VERSION_1_6;}
When you run the Frida script to hook JNI_OnLoad and RegisterNatives against an app using this library, your console output will reveal:

`JNI_OnLoad` being called.
The `RegisterNatives` hook firing.
The `Java Class: com/example/app/NativeLib`.
The method `Name: add`, `Signature: (II)I`, and its `Native function pointer`.

This allows you to then precisely hook `native_add` if you wish, gaining full control over its inputs and outputs.
Benefits and Use Cases

Dynamic Method Discovery: Uncover all native methods dynamically registered, regardless of obfuscation or export visibility.
Anti-Tampering Bypass: Observe and potentially subvert integrity checks or root detection mechanisms initialized within JNI_OnLoad.
Key Extraction: Identify where cryptographic keys or sensitive data are initialized or transformed in native code.
Behavioral Analysis: Understand the flow and dependencies of native components.

Conclusion
Hooking JNI_OnLoad and subsequently RegisterNatives with Frida is an indispensable technique for Android app penetration testers. It provides a crucial window into the native realm of an application, revealing hidden entry points and critical logic that might otherwise be invisible to static analysis. By mastering these advanced Frida capabilities, you can significantly enhance your ability to reverse engineer, analyze, and secure Android applications.

			May 30, 2026

Frida Lab: Hands-On Custom Certificate Pinning Bypass on Modern Android Applications Introduction: The Evolving Challenge of Certificate Pinning Certificate pinning is a crucial security mechanism employed by modern Android applications to prevent Man-in-the-Middle (MITM) attacks. By hardcoding or ‘pinning’ specific certificates or public keys within the application, it ensures that the app only communicates with known, legitimate servers, even if a compromised Certificate Authority (CA) issues a fraudulent certificate. While standard pinning implementations (e.g., using `TrustManager` or `OkHttpClient`’s built-in features) can often be bypassed with generic Frida scripts, custom certificate pinning presents a significantly tougher challenge. This article delves into the art of identifying and bypassing these bespoke pinning mechanisms using Frida, providing a hands-on guide for penetration testers and security researchers. Why Custom Pinning is Different Unlike standard implementations, custom pinning often involves developers implementing their own certificate validation logic, perhaps by: Performing byte-by-byte comparisons of certificate hashes. Using a custom `X509TrustManager` that includes additional, non-standard checks. Integrating native libraries (JNI) to handle cryptographic operations and pinning validation. Obfuscating the pinning logic to deter analysis. These custom approaches render generic bypass scripts ineffective, necessitating a more targeted and analytical approach. Prerequisites for the Lab Before we begin, ensure you have the following tools and setup: Rooted Android Device or Emulator: With ADB access and Frida server running. Frida: Python client and Frida server (matching device architecture). ADB (Android Debug Bridge): For interacting with the device. Burp Suite (or any HTTP Proxy): Configured to intercept traffic, with its CA certificate installed on the Android device. JADX-GUI or Ghidra: For static analysis of the Android application. Target Android Application: An application known or suspected to use custom certificate pinning. For demonstration, we’ll imagine one with a custom `com.example.app.CustomPinningChecker` class. Setting up Frida Server on Android 1. Download the correct Frida server for your device’s architecture from Frida releases. adb push /path/to/frida-server /data/local/tmp/frida-server 2. Make it executable and run it: adb shell "chmod 755 /data/local/tmp/frida-server"adb shell "/data/local/tmp/frida-server &" Identifying Custom Pinning Logic: Static and Dynamic Analysis The first step in bypassing custom pinning is understanding *how* it’s implemented. This involves a combination of static and dynamic analysis. Static Analysis with JADX-GUI 1. Obtain the target application’s APK file (e.g., from an emulator or device via `adb pull`). adb shell pm path com.example.app # Get APK pathadb pull /data/app/com.example.app-.../base.apk 2. Open the APK with JADX-GUI. Look for keywords related to certificate validation, cryptography, or networking: `checkServerTrusted` `verify` `X509TrustManager` `CertificatePinner` `KeyStore` `PublicKey` `SHA256` or other hashing algorithms Custom class names that sound like security checks (e.g., `PinningChecker`, `SecurityUtils`, `TLSManager`). Pay close attention to calls made within networking libraries (OkHttp, Volley, HttpClient) or custom network wrappers. If you see a custom `X509TrustManager` implementation that doesn’t simply delegate to system defaults or if there’s an explicit hash comparison, you’ve likely found custom pinning. Dynamic Analysis with Frida Frida allows us to enumerate loaded classes and hook methods at runtime, helping to pinpoint where validation occurs. A good starting point is to list all loaded classes that might be related to SSL/TLS. Java.perform(function() { Java.enumerateLoadedClasses({ onMatch: function(className) { if (className.includes('ssl') || className.includes('tls') || className.includes('cert') || className.includes('pinning')) { console.log(className); } }, onComplete: function() { console.log("Class enumeration complete!"); } });}); This script, when attached to the target app, will flood your console with potential classes. Look for anything that seems application-specific rather than standard Android framework classes. Crafting a Targeted Frida Script for Custom Pinning Bypass Once static and dynamic analysis points to a custom pinning class or method, the next step is to write a targeted Frida script. Let’s assume through analysis we’ve found a class `com.example.app.CustomPinningChecker` with a method `isCertificateValid(java.security.cert.X509Certificate[] chain)` that performs the custom validation. Example: Bypassing a Custom `isCertificateValid` Method We need to hook this specific method and force it to return `true`, effectively telling the application that any certificate is valid. Java.perform(function() { console.log("Starting custom pinning bypass script..."); try { var CustomPinningChecker = Java.use('com.example.app.CustomPinningChecker'); if (CustomPinningChecker) { console.log("Found custom pinning checker: com.example.app.CustomPinningChecker"); CustomPinningChecker.isCertificateValid.implementation = function(chain) { console.log("Hooked CustomPinningChecker.isCertificateValid! Returning true."); // Call original for debugging or specific conditions if needed, // but for bypass, we just return true. // var result = this.isCertificateValid(chain); // console.log("Original result was: " + result); return true; }; console.log("CustomPinningChecker.isCertificateValid hook installed."); } else { console.error("CustomPinningChecker class not found."); } } catch (e) { console.error("Error hooking CustomPinningChecker: " + e.message); } // Additionally, consider common TrustManager bypasses if the custom checker delegates to it try { var TrustManager = Java.use('javax.net.ssl.X509TrustManager'); TrustManager.$init.implementation = function(args) { console.log("Hooked TrustManager constructor, attempting to bypass standard checks."); return this.$init(args); }; TrustManager.checkClientTrusted.implementation = function(chain, authType) { console.log("Hooked checkClientTrusted. Allowing all client certs."); }; TrustManager.checkServerTrusted.implementation = function(chain, authType) { console.log("Hooked checkServerTrusted. Allowing all server certs."); }; TrustManager.getAcceptedIssuers.implementation = function() { console.log("Hooked getAcceptedIssuers. Returning empty array."); return []; }; console.log("Standard X509TrustManager methods hooked."); } catch (e) { console.error("Error hooking X509TrustManager: " + e.message); } console.log("Custom pinning bypass script loaded.");}); Executing the Script 1. Start the target application on your device. 2. Run Frida with your custom script: frida -U -l custom_pinning_bypass.js -f com.example.app --no-pause This command attaches Frida to your device (`-U`), loads your script (`-l custom_pinning_bypass.js`), spawns the application (`-f com.example.app`), and starts it immediately (`–no-pause`). 3. Observe the Frida output for your `console.log` messages, indicating that the hooks were successfully applied. Attempt to make network requests within the application and check your Burp Suite proxy for intercepted traffic. Advanced Considerations and Challenges Native Pinning Bypass If static analysis reveals JNI calls related to cryptography or certificate validation, the pinning logic might reside in a native library (e.g., `.so` files). Bypassing this requires: Reverse Engineering Native Code: Using Ghidra or IDA Pro to analyze the native library. Frida’s Interceptor: Hooking native functions (e.g., `SSL_CTX_set_cert_verify_callback`, custom native verification functions). // Example for native bypass (conceptual)var module = Module.findExportByName("libssl.so", "SSL_CTX_set_cert_verify_callback");if (module) { Interceptor.attach(module, { onEnter: function(args) { console.log("SSL_CTX_set_cert_verify_callback called!"); // You might need to change arguments or force return value // depending on the exact native function and desired bypass. }, onLeave: function(retval) { console.log("SSL_CTX_set_cert_verify_callback returned."); } });} Obfuscation and RASP Modern applications often employ obfuscation (e.g., ProGuard, DexGuard) to make static analysis harder. This means class and method names might be mangled (e.g., `a.b.c.d`). In such cases, dynamic enumeration and runtime inspection become even more critical. Runtime Class Enumeration: Use `Java.enumerateLoadedClasses` and filter aggressively based on method signatures or observed behavior. Method Tracing: Use Frida’s `Java.use(‘ClassName’).*` to log all method calls in a suspicious class. RASP (Runtime Application Self-Protection): Some apps detect Frida and terminate. Techniques like Frida-Stealth or custom anti-Frida bypasses might be necessary. Conclusion Bypassing custom certificate pinning on Android applications is a complex task that demands a deep understanding of both Android security mechanisms and dynamic instrumentation with Frida. It’s an iterative process involving meticulous static analysis to identify potential custom logic, followed by targeted dynamic analysis and script development. While generic Frida scripts are a good starting point, the real power of Frida lies in its ability to be tailored to specific, custom implementations, making it an indispensable tool in the Android penetration tester’s arsenal. By mastering these techniques, you can effectively audit applications that employ advanced pinning strategies and ensure comprehensive security assessments. May 30, 2026


	
	
		
	
	
	
	
		
			←Previous Page
			1
…
3
4
5
6
7
…
705
			Next Page→

Author: admin

Introduction: Unlocking Android App Internals

The Power of Runtime Enumeration

Setting Up Your Android RE Lab

Method 1: Deep Dive with Frida Scripts

1. Enumerating All Loaded Classes

2. Filtering Classes by Package Name

3. Enumerating Methods for a Specific Class

Method 2: Streamlining with Objection

1. Connecting to the Application

2. Listing All Classes

3. Searching for Specific Classes

Introduction

Why Dynamic Enumeration?

Prerequisites

Setting Up Frida

Install Frida Tools (Host)

Install Frida Server (Device)

Core Concepts: Java.use() and Java.enumerateLoadedClasses()

Enumerating Loaded Classes

Frida Script: Listing All Loaded Classes

Running the Script

Filtering Classes

Enumerating Methods of a Specific Class

Frida Script: Enumerating Class Members

Understanding Method Signatures

Advanced Use Cases and Tips

Identifying Hooking Targets

Exploring Libraries

Automating with Python

Conclusion

Introduction to Android Native Hooking and Frida

Understanding JNI_OnLoad: The Native Entry Point

What is JNI_OnLoad?

Why Hook JNI_OnLoad?

Setting Up Your Frida Environment

Scenario 1: Hooking JNI_OnLoad

Identifying JNI_OnLoad

Frida Script to Hook JNI_OnLoad

Running the Script

Scenario 2: Hooking Other Native Functions

Identifying Native Functions

Frida Script for Exported Functions

Frida Script for Unexported Functions (Offset-Based Hooking)

Advanced Considerations and Techniques

Handling JNIEnv* and JavaVM*

Argument Type Casting and Reading

Bypassing Anti-Frida/Anti-Tampering

Conclusion

Introduction: The Power of Runtime Analysis with Frida

Setting Up Your Frida Environment

Unveiling All Loaded Classes at Runtime

Frida Script to Enumerate All Classes

Filtering Classes by Package Name

Diving Deeper: Enumerating Methods within a Class

Frida Script to Enumerate Methods of a Specific Class

Handling Constructors and Overloaded Methods

Advanced Techniques and Considerations

Performance and Output Size

Dynamic Class Loading

Deobfuscation

Method Visibility

Practical Applications in Penetration Testing

Conclusion

Introduction to JNI_OnLoad and Native Libraries in Android

What is JNI_OnLoad?

Why Hook JNI_OnLoad with Frida?

Setting Up Your Environment for Frida Hooking

Finding JNI_OnLoad in a Native Library

Frida Hooking JNI_OnLoad: Basic Interception

Example: A Simplified JavaVM Definition (for advanced use)

Exploiting JNI_OnLoad: Advanced Scenarios

Scenario 1: Bypassing Early Anti-Root Checks

Scenario 2: Dumping Initialized Data/Keys

Conclusion

Introduction to Android Native Code and Frida

Understanding JNI_OnLoad: The Native Gateway

Setting Up Your Frida Environment

Deployment of Frida Server:

Introduction to JNI_OnLoad and Native Library Loading