Android App Penetration Testing & Frida Hooks

Automating Dynamic Analysis: Scripting Frida & Objection for Efficient Android App Pentesting


Introduction to Dynamic Analysis with Frida and Objection

Dynamic analysis is a critical phase in Android application penetration testing, allowing security researchers to interact with an application at runtime, observe its behavior, and manipulate its execution flow. While static analysis provides insights into the codebase without execution, dynamic analysis uncovers vulnerabilities that only manifest when the application is running, especially those related to runtime interactions, cryptographic operations, and secure storage mechanisms. This article delves into leveraging two powerful tools, Frida and Objection, to automate and streamline the dynamic analysis process, making your Android app pentesting more efficient and effective.

Frida is a dynamic instrumentation toolkit that lets you inject snippets of JavaScript or your own library into native apps on various platforms, including Android. It’s a versatile tool for hooking functions, exploring memory, and modifying runtime behavior. Objection, built on top of Frida, takes this a step further by providing a higher-level framework and a collection of pre-built commands to automate common mobile app penetration testing tasks, significantly reducing manual effort.

Setting Up Your Dynamic Analysis Environment

Before diving into automation, ensure your environment is correctly configured. You’ll need:

  • Python 3 and pip
  • Node.js and npm (optional but recommended for some Frida scripts)
  • Android SDK Platform Tools (adb)
  • A rooted Android device or emulator (Genymotion, Android Studio Emulator, etc.)

1. Installing Frida and Objection

Install the necessary Python packages globally:

pip3 install frida-tools objection

For some advanced Frida scripts, you might also need Node.js based tools, but for this guide, `frida-tools` and `objection` are sufficient.

2. Setting Up Frida-Server on the Android Device

Frida operates using a client-server model. A server component (`frida-server`) runs on the target Android device, and the client (`frida-tools` or `objection`) runs on your host machine.

  1. Download the correct `frida-server` binary for your device’s architecture from the Frida releases page. Most modern devices are `arm64`.
  2. Push `frida-server` to your device:

     adb push /path/to/frida-server /data/local/tmp/

  3. Make it executable and run it:

     adb shell
     su -c "chmod 755 /data/local/tmp/frida-server"
     su -c "/data/local/tmp/frida-server &"

  4. Verify `frida-server` is running and accessible from your host machine:

     frida-ps -U

     You should see a list of processes running on your device. If not, ensure ADB is properly configured and `frida-server` is running.

Understanding Basic Frida Usage

Frida allows for fine-grained control over application execution. Here’s a quick look at a manual Frida session:

Hooking a Method

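To demonstrate, let’s assume `com.example.myapp` is our target app, and we want to observe calls to `com.example.myapp.MainActivity.onCreate`. First, identify the package name. Then spawn the app with Frida and inject a script. Recent frida-tools releases have removed `--no-pause` because spawned apps now resume by default (`--pause` restores the old behaviour), so omit the flag there, here and in the later examples: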

frida -U -f com.example.myapp --no-pause -l script.js

Where `script.js` contains:

```javascript
Java.perform(function () {
    var MainActivity = Java.use('com.example.myapp.MainActivity');
    MainActivity.onCreate.implementation = function (bundle) {
        console.log('MainActivity.onCreate called!');
        this.onCreate(bundle); // Call the original method
    };
    console.log('Frida script loaded for MainActivity!');
});
```

This script logs a message every time `MainActivity.onCreate` is invoked.

Introduction to Objection for Higher-Level Automation

While Frida is powerful, writing custom JavaScript for every task can be time-consuming. Objection provides an interactive runtime exploration toolkit that automates many common tasks.

Starting Objection and Basic Commands

To start Objection and attach it to an app, use:

objection --gadget com.example.myapp explore

Once connected, you’ll get an Objection prompt. Some useful commands include:

  • `android sslpinning disable`: Bypasses common SSL pinning implementations.
  • `android root disable`: Bypasses common root detection checks.
  • `android hooking search classes <keyword>`: Searches for classes matching a keyword.
  • `android hooking watch class_method <class_name>.<method_name>`: Watches a specific method for invocation and arguments.
  • `android api_monitor --dump-args --dump-backtrace`: Monitors various Android API calls.

For example, to disable SSL pinning and then list classes related to ‘Login’:

```
android sslpinning disable
android hooking search classes Login
```

Automating with Frida Scripts for Specific Tasks

For more complex or very specific instrumentation, custom Frida scripts are indispensable. You can automate their execution directly via the `frida` CLI.

Example: Monitoring Sensitive API Calls and Data

Suppose an application uses a custom encryption method in `com.example.myapp.CryptoUtil.encrypt(String data, String key)`. We want to log the plaintext data and key before encryption.

Create a file named `monitor_crypto.js`:

```javascript
Java.perform(function () {
    var CryptoUtil = Java.use('com.example.myapp.CryptoUtil');
    CryptoUtil.encrypt.implementation = function (data, key) {
        console.log("[+] CryptoUtil.encrypt called!");
        console.log("    Plaintext Data: " + data);
        console.log("    Encryption Key: " + key);
        var result = this.encrypt(data, key); // Call the original method
        console.log("    Encrypted Result: " + result);
        return result;
    };
    console.log("Frida Crypto Monitor script loaded!");
});
```

Execute this script and launch the application:

frida -U -f com.example.myapp --no-pause -l monitor_crypto.js

Now, whenever `encrypt` is called, the console will display the arguments and return value, providing deep insights into the application’s data handling.
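Once this output is saved to a file, the review itself can be scripted. The following is an added example, not part of the original article: it parses the log format printed by `monitor_crypto.js` and summarises key reuse and deterministic output as reportable findings. The function names and the sample log are constructed for illustration.

```javascript
// Added example: summarise the console output of monitor_crypto.js.
function parseEncryptCalls(logText) {
  const fields = { 'Plaintext Data': 'data', 'Encryption Key': 'key', 'Encrypted Result': 'result' };
  const calls = [];
  let current = null;
  for (const line of logText.split(/\r?\n/)) {
    if (line.trim() === '[+] CryptoUtil.encrypt called!') {
      current = {};
      calls.push(current);
      continue;
    }
    const m = /^\s*(Plaintext Data|Encryption Key|Encrypted Result): (.*)$/.exec(line);
    if (m && current) current[fields[m[1]]] = m[2];
  }
  // Keep complete records only; a crash mid-call leaves a truncated one.
  return calls.filter((c) => 'data' in c && 'key' in c && 'result' in c);
}

function summarizeCryptoUse(calls) {
  const perKey = new Map(); // key -> number of calls
  const seen = new Map();   // (key, plaintext) -> ciphertext
  let deterministic = false;
  for (const c of calls) {
    perKey.set(c.key, (perKey.get(c.key) || 0) + 1);
    const id = JSON.stringify([c.key, c.data]);
    if (seen.get(id) === c.result) deterministic = true;
    seen.set(id, c.result);
  }
  return {
    calls: calls.length,
    distinctKeys: perKey.size,
    // The same key on every call is consistent with a hardcoded or static key.
    singleStaticKey: calls.length > 1 && perKey.size === 1,
    // Same key and plaintext giving the same output: no random IV or nonce.
    deterministic: deterministic,
    // Key lengths only, so the summary can be shared without the keys.
    keyLengths: Array.from(perKey.keys(), (k) => k.length),
  };
}

// Constructed sample of output.log, not captured from a real app.
const rec = (d, k, r) => ['[+] CryptoUtil.encrypt called!', '    Plaintext Data: ' + d,
  '    Encryption Key: ' + k, '    Encrypted Result: ' + r];
const SAMPLE_LOG = [
  ...rec('user=alice', '0123456789abcdef', 'q1w2e3'),
  ...rec('user=alice', '0123456789abcdef', 'q1w2e3'),
  '[+] CryptoUtil.encrypt called!', '    Plaintext Data: pin=4821', // truncated record
].join('\n');
console.log(summarizeCryptoUse(parseEncryptCalls(SAMPLE_LOG)));
```

The parser assumes each logged value fits on one line; values containing newlines would need a different log format, such as one JSON object per call.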

Scripting Objection for Automated Workflows

Objection excels at chaining multiple commands for automated workflows. This is particularly useful for setting up an initial bypass state and then performing specific monitoring without manual intervention.

Using `--startup-command`

For simple sequences, you can pass commands directly to Objection using the `--startup-command` flag, repeating the flag once per command:

```
objection --gadget com.example.myapp explore \
  --startup-command "android sslpinning disable" \
  --startup-command "android root disable" \
  --startup-command "android hooking watch class_method com.example.myapp.LoginActivity.authenticateUser"
```

This command will launch the app, disable SSL pinning and root detection, and then immediately start watching the `authenticateUser` method in `LoginActivity`. All of this happens automatically upon Objection’s connection.

Using Command Files with `-c`

For more extensive and complex sequences, create a file containing a list of Objection commands, one per line. Let’s create `pentest_workflow.txt`:

```
android sslpinning disable
android root disable
android hooking search classes com.example.myapp.model
android hooking watch class_method com.example.myapp.network.APIClient.makeRequest --dump-args --dump-backtrace
android sharedpreferences list
android sqlite connect --dump-data --db-file /data/data/com.example.myapp/databases/app.db
```

Now, execute this workflow with Objection’s `-c` (`--file-commands`) option; `-s` is the short form of `--startup-command` and does not take a file:

objection --gadget com.example.myapp explore -c pentest_workflow.txt

Objection will execute each command sequentially. This approach is highly effective for:

  • Initial Setup: Automatically bypassing security controls like SSL pinning and root detection at startup.
  • Information Gathering: Systematically listing shared preferences, dumping SQLite databases, and enumerating specific API clients.
  • Targeted Monitoring: Setting up hooks on known sensitive methods or classes identified during static analysis.

The output of these commands will be displayed in your terminal, providing a comprehensive log of the application’s runtime state and interactions.

Advanced Automation Considerations

To further enhance automation, consider these aspects:

  • Output Logging: Redirect Objection’s output to a file for later review. Most shell environments support output redirection (e.g., `objection … > output.log`).
  • Error Handling: In custom Frida scripts, use `try-catch` blocks to handle exceptions gracefully, preventing crashes and providing clearer debugging information.
  • Integration with Other Tools: Combine these automated scripts with static analysis results. For instance, a static analysis tool might flag potential insecure data storage. You can then use an automated Objection script to dump the relevant data at runtime.
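
The error-handling point above, as an added example that is not from the original article or from the Frida project: a hook installer that wraps both hook setup and the observer callback in `try`/`catch`, so a class that is not loaded or a bug in the logging code does not crash the target app. `installHook` and its report object are hypothetical names, and the targets are the placeholder classes used earlier in this article.

```javascript
// Added example: defensive hook installer for Frida's Java bridge.
// `javaApi` is Frida's global `Java` object; it is passed in as a parameter
// so the helper can also be exercised with a stub outside Frida.
function installHook(javaApi, className, methodName, onCall) {
  const report = { target: className + '.' + methodName, hooked: 0, error: null };
  try {
    const klass = javaApi.use(className); // throws if the class cannot be found
    const method = klass[methodName];
    if (!method || !method.overloads) {
      throw new Error('method not found');
    }
    method.overloads.forEach(function (overload) {
      overload.implementation = function () {
        const args = Array.prototype.slice.call(arguments);
        try {
          onCall(report.target, args); // the observer must never break the app
        } catch (e) {
          console.log('[!] observer failed for ' + report.target + ': ' + e);
        }
        return overload.apply(this, args); // always run the original method
      };
      report.hooked += 1;
    });
  } catch (e) {
    report.error = String(e.message || e);
    console.log('[!] could not hook ' + report.target + ': ' + report.error);
  }
  return report;
}

// Inside Frida the global `Java` exists; under plain Node.js this is skipped.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    [['com.example.myapp.CryptoUtil', 'encrypt'],
     ['com.example.myapp.LoginActivity', 'authenticateUser']].forEach(function (t) {
      installHook(Java, t[0], t[1], function (name, args) {
        console.log('[+] ' + name + ' called with ' + args.length + ' argument(s)');
      });
    });
  });
}
```

Each call returns a report with the number of overloads hooked or the error text, which gives the run log a clear record of which hooks were active.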

Conclusion

Automating dynamic analysis with Frida and Objection transforms Android app penetration testing from a tedious manual process into an efficient, insightful workflow. By mastering Frida’s low-level instrumentation capabilities and leveraging Objection’s high-level automation features, security researchers can quickly bypass common defenses, monitor sensitive operations, and uncover critical vulnerabilities with unprecedented speed and precision. Integrating these techniques into your methodology will significantly elevate the quality and depth of your mobile application security assessments.
