Frida Deep Dive: Intercepting Android Shared Preferences Access at Runtime

Introduction: The Importance of Shared Preferences in Android Security Analysis

Android applications frequently use Shared Preferences to store small amounts of primitive data, such as user settings, session tokens, feature flags, or even sensitive information like API keys or authentication tokens. While not designed for robust security, developers often inadvertently or intentionally store data here that becomes a prime target for reverse engineers and penetration testers. Understanding how and when an application reads from or writes to Shared Preferences at runtime can reveal critical insights into its logic, potential vulnerabilities, and sensitive data handling.

Frida, a dynamic instrumentation toolkit, provides unparalleled capabilities for runtime analysis of Android applications. By injecting a JavaScript engine into the target process, Frida allows us to hook into native functions, Java methods, and even modify application logic on the fly. This deep dive focuses on using Frida to effectively intercept and monitor all Shared Preferences interactions, offering a powerful technique for Android app penetration testing.

Setting Up Your Environment for Frida Hooking

Prerequisites

Rooted Android Device or Emulator: Frida requires root privileges to inject into system processes.
ADB (Android Debug Bridge): Essential for connecting to your device and transferring files.
Frida-server: The Frida component that runs on the Android device.
Frida-tools: Python tools for controlling Frida from your host machine. Install via pip install frida-tools.

Frida Server Installation

First, download the appropriate frida-server binary for your device’s architecture (e.g., arm64 for most modern Android devices) from Frida’s GitHub releases page. Then, push it to your device and run it:

adb push frida-server-/data/local/tmp/

adb shell "chmod 755 /data/local/tmp/frida-server-"

adb shell "/data/local/tmp/frida-server- &"

Verify Frida-server is running and detectable:

frida-ps -U

This command should list processes running on your USB-connected device.

Understanding Android Shared Preferences Architecture

In Android, Shared Preferences are managed through the android.content.SharedPreferences interface. Applications obtain an instance of this interface typically via Context.getSharedPreferences(String name, int mode). The name parameter specifies the XML file name where the preferences are stored, and mode defines access permissions (e.g., MODE_PRIVATE). Once an instance is obtained, data is read using methods like getString(), getInt(), getBoolean(), etc., and written using an Editor obtained via edit(), followed by putString(), putInt(), and finally commit() or apply() to save changes.

Frida Script: Intercepting All Shared Preferences Access

We will craft a comprehensive Frida script that hooks into the key methods involved in Shared Preferences management. This single script will allow us to observe when Shared Preferences files are opened, what data is being read, what data is being written, and when those changes are committed or applied.

Java.perform(function() {
    console.log("[*] Frida script loaded: Monitoring Shared Preferences.");

    // --- Hooking Context.getSharedPreferences() to identify files ---
    const Context = Java.use("android.content.Context");
    Context.getSharedPreferences.overload('java.lang.String', 'int').implementation = function(name, mode) {
        console.log("[SP Discovery] getSharedPreferences called: File='" + name + "', Mode='" + mode + "'");
        return this.getSharedPreferences(name, mode);
    };

    // --- Hooking SharedPreferences for read operations ---
    const SharedPreferences = Java.use("android.content.SharedPreferences");

    SharedPreferences.getString.overload('java.lang.String', 'java.lang.String').implementation = function(key, defValue) {
        let actualValue = this.getString(key, defValue);
        console.log("[SP Read] File='" + this.toString() + "' Key='" + key + "', Value='" + actualValue + "', Default='" + defValue + "'");
        // Example: Modify return value on the fly
        // if (key === "isPremiumUser") { return "true"; }
        return actualValue;
    };

    SharedPreferences.getInt.overload('java.lang.String', 'int').implementation = function(key, defValue) {
        let actualValue = this.getInt(key, defValue);
        console.log("[SP Read] File='" + this.toString() + "' Key='" + key + "', Value='" + actualValue + "', Default='" + defValue + "'");
        return actualValue;
    };

    SharedPreferences.getBoolean.overload('java.lang.String', 'boolean').implementation = function(key, defValue) {
        let actualValue = this.getBoolean(key, defValue);
        console.log("[SP Read] File='" + this.toString() + "' Key='" + key + "', Value='" + actualValue + "', Default='" + defValue + "'");
        return actualValue;
    };

    SharedPreferences.getFloat.overload('java.lang.String', 'float').implementation = function(key, defValue) {
        let actualValue = this.getFloat(key, defValue);
        console.log("[SP Read] File='" + this.toString() + "' Key='" + key + "', Value='" + actualValue + "', Default='" + defValue + "'");
        return actualValue;
    };

    SharedPreferences.getLong.overload('java.lang.String', 'long').implementation = function(key, defValue) {
        let actualValue = this.getLong(key, defValue);
        console.log("[SP Read] File='" + this.toString() + "' Key='" + key + "', Value='" + actualValue + "', Default='" + defValue + "'");
        return actualValue;
    };

    // Note: getStringSet is less common but can be hooked similarly
    // SharedPreferences.getStringSet.overload('java.lang.String', 'java.util.Set').implementation = function(key, defValue) {
    //     let actualValue = this.getStringSet(key, defValue);
    //     console.log("[SP Read] File='" + this.toString() + "' Key='" + key + "', Value='" + actualValue + "', Default='" + defValue + "'");
    //     return actualValue;
    // };

    // --- Hooking SharedPreferences.Editor for write operations and commit/apply ---
    const Editor = Java.use("android.content.SharedPreferences$Editor");

    Editor.putString.overload('java.lang.String', 'java.lang.String').implementation = function(key, value) {
        console.log("[SP Write] Key='" + key + "', Value='" + value + "'");
        // Example: Modify value before it's written
        // if (key === "sessionToken") { value = "HOOKED_TOKEN_12345"; }
        return this.putString(key, value);
    };

    Editor.putInt.overload('java.lang.String', 'int').implementation = function(key, value) {
        console.log("[SP Write] Key='" + key + "', Value='" + value + "'");
        return this.putInt(key, value);
    };

    Editor.putBoolean.overload('java.lang.String', 'boolean').implementation = function(key, value) {
        console.log("[SP Write] Key='" + key + "', Value='" + value + "'");
        return this.putBoolean(key, value);
    };

    Editor.putFloat.overload('java.lang.String', 'float').implementation = function(key, value) {
        console.log("[SP Write] Key='" + key + "', Value='" + value + "'");
        return this.putFloat(key, value);
    };

    Editor.putLong.overload('java.lang.String', 'long').implementation = function(key, value) {
        console.log("[SP Write] Key='" + key + "', Value='" + value + "'");
        return this.putLong(key, value);
    };

    // Hook commit for synchronous saves
    Editor.commit.implementation = function() {
        console.log("[SP Commit] Changes committed synchronously.");
        return this.commit();
    };

    // Hook apply for asynchronous saves
    Editor.apply.implementation = function() {
        console.log("[SP Apply] Changes applied asynchronously.");
        this.apply();
    };

    // Hook clear to detect data removal
    Editor.clear.implementation = function() {
        console.log("[SP Clear] All preferences cleared.");
        return this.clear();
    };

    // Hook remove to detect specific key removal
    Editor.remove.overload('java.lang.String').implementation = function(key) {
        console.log("[SP Remove] Key='" + key + "' removed.");
        return this.remove(key);
    };
});

Executing the Frida Script

Save the above JavaScript code as sp_monitor.js. Then, launch your target application with Frida, injecting the script:

frida -U -f com.your.package.name -l sp_monitor.js --no-pause

Replace com.your.package.name with the actual package name of the Android application you are testing. The -f flag spawns the application and --no-pause ensures it runs immediately. As you interact with the app, you will see detailed logs in your terminal showing every Shared Preferences interaction.

Understanding the Script’s Output

[SP Discovery]: Indicates when getSharedPreferences is called, revealing the names of preference files (e.g., my_app_prefs.xml) and their access modes.
[SP Read]: Logs every attempt to read a value from Shared Preferences, including the key, the actual value retrieved, and the default value provided. The this.toString() call attempts to provide context about which SharedPreferences object is being accessed, which often includes the file name.
[SP Write]: Captures calls to putString, putInt, etc., showing the key and the value being prepared for storage.
[SP Commit] / [SP Apply]: Notifies you when changes made through the Editor are saved to disk (commit synchronously, apply asynchronously).
[SP Clear] / [SP Remove]: Alerts when all preferences are cleared or a specific key is removed.

Advanced Considerations and Use Cases

Filtering Output: For verbose applications, you might want to filter the output based on specific preference file names or keys to focus on sensitive data. This can be done by adding conditional checks within your Frida hooks (e.g., if (name === "sensitive_config") { ... }).
Modifying Values On-the-Fly: The true power of Frida lies in its ability to alter application behavior. Within the implementation block of read hooks (e.g., getString), you can return a modified value instead of the original one. Similarly, in write hooks (e.g., putString), you can change the value argument before passing it to this.putString(key, value), effectively injecting data into the app’s preferences. This is crucial for bypassing license checks, feature flags, or injecting test data.
Revealing Hidden Logic: By observing the exact sequence of reads and writes, you can reconstruct the application’s internal state management. This is invaluable when static analysis falls short, especially with obfuscated code.
Detecting Sensitive Data: Look for keys like token, apiKey, password, jwt, sessionId, or custom key names that might indicate sensitive data. Intercepting their values at runtime confirms their presence and allows for extraction.

Conclusion

Intercepting Shared Preferences access at runtime with Frida is an indispensable technique for Android application penetration testing and reverse engineering. It provides dynamic visibility into an app’s configuration, sensitive data storage, and behavioral logic that static analysis alone cannot offer. By mastering these hooking techniques, you can effectively monitor, analyze, and even manipulate an application’s internal state, uncovering vulnerabilities and understanding its inner workings with expert precision.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →