Android App Penetration Testing & Frida Hooks

Frida for JNI: Practical Guide to Hooking Android Native Functions & Analyzing Arguments

By Antigravity Research Published May 29, 2026 ⏱️ 8 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to Android JNI and Its Security Implications

The Java Native Interface (JNI) is a powerful framework that allows Java code running in the Android Dalvik/ART runtime to interact with native code (C/C++). This capability is crucial for performance-critical operations, leveraging existing native libraries, or implementing security-sensitive functionalities that developers might want to obscure from easy decompilation. However, JNI also presents a significant attack surface for reverse engineers and penetration testers. By understanding and hooking JNI interfaces, we can intercept calls to native methods, analyze their arguments, and potentially uncover vulnerabilities like hardcoded keys, insecure data handling, or bypass client-side security checks.

This guide will walk you through the practical steps of using Frida, a dynamic instrumentation toolkit, to identify, hook, and analyze arguments of native functions called via JNI on Android applications.

Identifying Native Methods

Before hooking, we need to know what native methods an application uses. This can be done through static analysis.

1. Decompilation and `javap`

Use a decompiler like Jadx or Ghidra to examine the application’s Java bytecode. Look for methods declared with the native keyword. For example:

public native String decryptData(byte[] data, String key);

To get the JNI signature of this method, you can use javap -s -p <ClassName> on the compiled .class file (or extract from the DEX):

$ javap -s -p com.example.app.NativeHelperClass  Classfile /com/example/app/NativeHelperClass.class  public class com.example.app.NativeHelperClass {    public com.example.app.NativeHelperClass();    descriptor: ()V    public native java.lang.String decryptData(byte[], java.lang.String);    descriptor: ([BLjava/lang/String;)Ljava/lang/String;  }

The descriptor ([BLjava/lang/String;)Ljava/lang/String; tells us the native function expects a byte array and a String, and returns a String.

2. Locating the Native Library

Native methods are implemented in shared libraries (.so files) usually found in the lib/ directory of the APK. Common names are libnative-lib.so, libapp.so, etc. The Java code typically loads these libraries using System.loadLibrary("mylib");.

Frida for JNI Hooking: Targeting Native Implementations

Native functions can be registered in two primary ways:

  1. Dynamic Registration (RegisterNatives): The native library explicitly registers Java native methods with their corresponding native function pointers using the JNIEnv->RegisterNatives function, often within JNI_OnLoad. This is the most common and robust way.
  2. Static Registration: The native function follows a specific naming convention (e.g., Java_com_example_app_NativeHelperClass_decryptData) and is exported by the shared library.

Method 1: Intercepting RegisterNatives (Recommended for Robustness)

Intercepting RegisterNatives allows us to discover the exact memory addresses of the native functions even if they are not explicitly exported or follow a different naming scheme. This is typically done by hooking JNI_OnLoad and then RegisterNatives.

Java.perform(function() {    var JNI_OnLoad = Module.findExportByName("libart.so", "JNI_OnLoad"); // JNI_OnLoad might be in libapp.so or libart.so    if (JNI_OnLoad) {        console.log("Found JNI_OnLoad at " + JNI_OnLoad);        Interceptor.attach(JNI_OnLoad, {            onEnter: function(args) {                // Hook RegisterNatives inside JNI_OnLoad context                var RegisterNatives = Module.findExportByName(null, "JNI_GetCreatedJavaVMs"); // Placeholder to get env                var jniEnv = args[0];                // Find RegisterNatives function pointer in the JNIEnv structure                var RegisterNativesPtr = jniEnv.readPointer().add(230 * Process.pointerSize).readPointer(); // Offset for Android 7+ (may vary)                                console.log("RegisterNatives found at " + RegisterNativesPtr);                Interceptor.attach(RegisterNativesPtr, {                    onEnter: function(args) {                        // args[0]: JNIEnv*                        // args[1]: jclass                        // args[2]: JNINativeMethod* methods                        // args[3]: jint numMethods                        var env = args[0];                        var javaClass = new Java.Wrapper(args[1]);                        var methods = args[2];                        var numMethods = args[3].toInt3();                        console.log("RegisterNatives called for class: " + javaClass.getName() + " with " + numMethods + " methods.");                        for (var i = 0; i < numMethods; i++) {                            var methodName = methods.add(i * Process.pointerSize * 3).readPointer().readCString();                            var methodSignature = methods.add(i * Process.pointerSize * 3 + Process.pointerSize).readPointer().readCString();                            var fnPtr = methods.add(i * Process.pointerSize * 3 + 2 * Process.pointerSize).readPointer();                            console.log("  Method: " + methodName + " Signature: " + methodSignature + " Ptr: " + fnPtr);                            // Now you have the function pointer (fnPtr), you can hook it directly                            // Example: Hooking 'decryptData'                            if (methodName === "decryptData") {                                console.log("HOOKING decryptData at " + fnPtr);                                Interceptor.attach(fnPtr, {                                    onEnter: function(args) {                                        console.log("[decryptData] ENTER");                                        // JNIEnv* env                                        // jobject obj (this)                                        // jbyteArray data                                        // jstring key                                        this.env = args[0];                                        this.jByteArrayData = args[2];                                        this.jStringKey = args[3];                                        console.log("  Data: " + this.env.getByteArrayRegion(this.jByteArrayData, 0, this.env.getArrayLength(this.jByteArrayData))); // Example of reading byte array                                        console.log("  Key: " + this.env.getStringUtfChars(this.jStringKey, null).readCString());                                    },                                    onLeave: function(retval) {                                        console.log("[decryptData] LEAVE, returned: " + this.env.getStringUtfChars(retval, null).readCString());                                        // Optionally modify return value:                                        // var newRet = this.env.newStringUtf("modified_return_value");                                        // retval.replace(newRet);                                    }                                });                            }                        }                    },                    onLeave: function(retval) {                        //console.log("RegisterNatives returned.");                    }                });            },            onLeave: function(retval) {                //console.log("JNI_OnLoad returned.");            }        });    } else {        console.log("JNI_OnLoad not found. Try hooking JNI_OnLoad in target lib.so.");    }    // Alternative if you know the target library and JNI_OnLoad is in it    // var targetModule = Module.findByName("libmylib.so");    // if (targetModule) {    //     var JNI_OnLoad_target = targetModule.findExportByName("JNI_OnLoad");    //     // ... hook logic similar to above ...    // }});

Note on RegisterNativesPtr offset: The offset for RegisterNatives within the JNIEnv structure can vary slightly between Android versions or even specific ROMs. You might need to adjust 230 * Process.pointerSize. A common way to find the correct offset is to dump the JNIEnv structure using Frida and find the pointer to RegisterNatives.

Method 2: Direct Hooking of Exported Native Functions (Less Common for JNI)

If the native method is statically registered and exported with the full JNI naming convention, you can hook it directly. However, this is less common for security-critical functions to avoid easy discovery.

Java.perform(function() {    var targetLib = Module.findByName("libmylib.so");    if (targetLib) {        // Example: Java_com_example_app_NativeHelperClass_decryptData        var decryptFunc = targetLib.findExportByName("Java_com_example_app_NativeHelperClass_decryptData");        if (decryptFunc) {            console.log("Found decryptData at " + decryptFunc);            Interceptor.attach(decryptFunc, {                onEnter: function(args) {                    console.log("[decryptData] ENTER (direct hook)");                    // Similar argument parsing as above                    this.env = args[0];                    this.jByteArrayData = args[2]; // JNIEnv*, jobject, jbyteArray, jstring                    this.jStringKey = args[3];                    console.log("  Data: " + this.env.getByteArrayRegion(this.jByteArrayData, 0, this.env.getArrayLength(this.jByteArrayData)));                    console.log("  Key: " + this.env.getStringUtfChars(this.jStringKey, null).readCString());                },                onLeave: function(retval) {                    console.log("[decryptData] LEAVE (direct hook), returned: " + this.env.getStringUtfChars(retval, null).readCString());                }            });        } else {            console.log("decryptData not found as an exported symbol.");        }    }});

Analyzing JNI Arguments and Return Values

When you hook a native function, the args array in onEnter contains the arguments passed to the native C/C++ function. The first argument is always JNIEnv*, followed by jobject (the this object if it’s a non-static method) or jclass (if it’s a static method), and then the actual method arguments.

Common JNI Argument Types and How to Read Them with Frida:

  • JNIEnv* env: The JNI environment pointer. You’ll use this to call JNI functions to manipulate Java objects. Access via this.env or args[0].
  • jobject obj / jclass clazz: The Java object or class instance.
  • jstring str: A Java String object. To read its content:this.env.getStringUtfChars(str, null).readCString(). Remember to release if you use `GetStringCritical` or `GetStringUTFChars` without null for `isCopy` in native code.
  • jbyteArray arr: A Java byte array. To read its content:var len = this.env.getArrayLength(arr); this.env.getByteArrayRegion(arr, 0, len). This returns a `NativePointer` to the data.
  • jint, jboolean, jlong, etc.: Primitive types are passed directly and can be read using `args[X].toInt32()`, `args[X].toBoolean()`, `args[X].toInt64()`, etc.
  • Custom Java Objects: For complex Java objects, you’ll need to use Java.cast() and interact with their methods or fields, similar to how you would with Java.use().

Vulnerability Analysis

By intercepting these calls and inspecting arguments, you can detect:

  • Hardcoded Secrets: Is a decryption key or API token passed directly as a jstring or part of a jbyteArray?
  • Insecure Data Handling: Are sensitive data structures being passed around in plain text before encryption?
  • Bypassable Checks: Is a native function performing a critical security check (e.g., integrity verification, root detection) where modifying the return value or arguments could lead to a bypass?
  • Unintended Information Disclosure: Is the application leaking sensitive internal state or user data in native calls?

Practical Steps to Execute the Frida Script

  1. Setup Frida: Ensure Frida server is running on your Android device (rooted or frida-gadget).
  2. Save the script: Save your Frida JavaScript code (e.g., jni_hook.js).
  3. Attach Frida: Run Frida to inject your script into the target application:frida -U -f com.example.app --no-pause -l jni_hook.js
  4. Interact with the app: Use the application to trigger the native calls you’re trying to hook. Observe the Frida output in your terminal.

Conclusion

Hooking JNI functions with Frida is an indispensable technique for Android application penetration testing and reverse engineering. It allows you to peer into the native layer’s execution, revealing how Java interacts with C/C++ code, and critically, what data is being exchanged. By carefully analyzing arguments and return values, you can uncover hidden logic, bypass security controls, and identify vulnerabilities that are not apparent from static Java code analysis alone. Mastering JNI hooking empowers you to perform a more thorough and effective security assessment of Android applications.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android #Frida #JNI #Penetration Testing #Reverse Engineering

Related Technical Guides

Frida Scripting Toolkit: Essential Hooks for Android App Protection Bypass

May 29, 2026

Deep Dive: Reverse Engineering Android Apps Dynamically Using Frida Scripts

May 29, 2026

Unpacking Root Logic: Reverse Engineering Custom Root Detection with Frida & Ghidra

May 30, 2026