Introduction
Frida is an indispensable toolkit for dynamic instrumentation, allowing security researchers and developers to inject custom scripts into running processes. While powerful, its full capabilities are often associated with rooted Android devices, where Frida-server can be deployed directly. However, the vast majority of real-world applications run on non-rooted devices, posing a significant challenge for penetration testers. This article delves into advanced techniques for deploying custom Frida Gadgets on non-rooted Android devices, enabling comprehensive runtime analysis even in challenging environments.
The core concept involves repackaging the target application with the Frida Gadget shared library directly embedded, effectively making the application self-instrumenting. This bypasses the need for root privileges by leveraging the application’s own loader to initialize Frida’s hooking engine.
Prerequisites
Before embarking on this journey, ensure you have the following tools set up:
- Android SDK (with platform-tools): for adb and other Android utilities.
- Java Development Kit (JDK): required for jarsigner and keytool.
- Apktool: a crucial tool for decompiling and recompiling APKs. Download from Apktool’s official site.
- Frida Tools: specifically frida-tools (pip install frida-tools) and the appropriate frida-gadget .so for your target architecture (available on Frida’s GitHub releases).
- A Target APK: for demonstration purposes, choose a simple, non-protected application.
Understanding Frida Gadget
Frida Gadget is a shared library (.so file) that can be embedded into an application. Unlike frida-server, which runs as a standalone daemon and injects scripts into other processes, the Gadget runs *within* the target process itself. When the Gadget is loaded by the application, it initializes Frida’s instrumentation engine, making the process available for connection from a remote Frida client (frida or frida-trace).
For non-rooted devices, the primary challenge is getting this .so file loaded by the target application. This typically involves modifying the application’s bytecode (Smali) to explicitly load the Gadget library during its startup sequence.
Step-by-Step Deployment Guide
1. Decompile the Target APK
The first step is to decompile the target APK using Apktool. This extracts the application’s resources, AndroidManifest.xml, and Smali bytecode into a directory structure.
apktool d target_app.apk -o target_app_modified
This command creates a new directory named target_app_modified containing all the decompiled components.
2. Obtain and Prepare the Frida Gadget Library
Download the correct frida-gadget.so for the target application’s architecture from the Frida GitHub releases page. Common architectures include arm64-v8a, armeabi-v7a, and x86.
Inside your decompiled application’s directory (target_app_modified), navigate to the lib/ folder. You’ll see subdirectories for different ABIs (e.g., arm64-v8a, armeabi-v7a). Create a new directory for the architecture you intend to use if it doesn’t exist, and place the downloaded gadget library there. For example:
    # For ARM64-v8a devices (most modern Android phones)
    cd target_app_modified/lib
    mkdir -p arm64-v8a
    cp /path/to/frida-gadget-*.so arm64-v8a/libfrida-gadget.so
Rename the file to libfrida-gadget.so. The name matters: System.loadLibrary("frida-gadget") maps the name to lib<name>.so before searching the app’s native library directory, so a file called frida-gadget.so would not be found and the app would crash with an UnsatisfiedLinkError.
3. Inject the Gadget into the Application
This is the most critical step: modifying the application’s Smali code to load the frida-gadget.so library.
Identifying the Injection Point
We need to find an early execution point in the application’s lifecycle. Good candidates include:
- The onCreate method of the main Application class (if custom).
- The onCreate method of the main Activity.
- Any other method that is guaranteed to execute early during app startup.
First, identify the main activity or application class from AndroidManifest.xml. Look for the <application> tag’s android:name attribute or the <activity> tag with <intent-filter> containing android.intent.action.MAIN and android.intent.category.LAUNCHER.
Let’s assume the main activity is com.example.targetapp.MainActivity. You would find its Smali file at target_app_modified/smali/com/example/targetapp/MainActivity.smali.
Modifying Smali Code
Open the identified Smali file (e.g., MainActivity.smali) and locate its .method public onCreate(Landroid/os/Bundle;)V method. Insert the following Smali instructions at the very beginning of the method, right after .locals and any other initial setup (but before any other meaningful logic):
    .method public onCreate(Landroid/os/Bundle;)V
        .locals 1

        # Added by Frida injection START
        # .locals must be at least 1 so that register v0 exists
        const-string v0, "frida-gadget"
        invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
        # Added by Frida injection END

        .line 13
        invoke-super {p0, p1}, Landroidx/appcompat/app/AppCompatActivity;->onCreate(Landroid/os/Bundle;)V
This code snippet first loads the string
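As an added check, not part of the original article: a Python script that inspects an APK for the two artifacts this procedure leaves behind, the gadget library under lib/<abi>/ and the library name the injected loadLibrary call stores as a string constant in classes.dex. It serves to confirm a repackaged build before installing it, and on the defensive side to flag instrumented builds. The sample APK is constructed in memory and its fake classes.dex layout is an assumption, not a real DEX file.

```python
import io
import re
import zipfile

# Matches the gadget under lib/<abi>/; both the lib-prefixed name that
# System.loadLibrary() resolves and the unprefixed one are reported.
GADGET_LIB_RE = re.compile(r"^lib/([^/]+)/(?:lib)?frida-gadget[^/]*\.so$")
# Name passed to System.loadLibrary() in the injected Smali. It lands in the
# dex string table, so a raw byte scan finds it without a full DEX parser.
GADGET_STRING = b"frida-gadget"


def build_sample_apk(with_gadget):
    """Constructed sample APK (a plain zip) standing in for a repackaged app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        strings = [b"MainActivity", b"onCreate"]
        if with_gadget:
            strings.append(GADGET_STRING)
        # Fake classes.dex: a header plus NUL-terminated strings (not real DEX)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(strings) + b"\x00")
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF")
        if with_gadget:
            z.writestr("lib/arm64-v8a/libfrida-gadget.so", b"\x7fELF")
    return buf.getvalue()


def scan_apk(apk_bytes):
    """Report gadget libraries per ABI and dex files that name the gadget."""
    gadget_libs, dex_hits = [], []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            m = GADGET_LIB_RE.match(name)
            if m:
                gadget_libs.append((m.group(1), name))
            elif re.fullmatch(r"classes\d*\.dex", name) and GADGET_STRING in z.read(name):
                dex_hits.append(name)
    return {"gadget_libs": gadget_libs, "dex_hits": dex_hits}


def is_instrumented(apk_bytes):
    """True when either indicator is present: the library or the loader string."""
    r = scan_apk(apk_bytes)
    return bool(r["gadget_libs"] or r["dex_hits"])


if __name__ == "__main__":
    for label, flag in (("clean", False), ("repackaged", True)):
        print(label, scan_apk(build_sample_apk(flag)))
```

To check a real build, replace build_sample_apk() with the bytes of the signed APK read from disk.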