Android App Penetration Testing & Frida Hooks

Frida Tutorial: Overriding Android Java Methods to Bypass Security Checks

By Antigravity Research Published May 29, 2026 ⏱️ 6 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to Frida for Android Penetration Testing

Frida is a dynamic instrumentation toolkit that allows developers and security researchers to inject JavaScript or Python snippets into native apps on various platforms, including Android. Its power lies in its ability to hook into functions, inspect memory, and modify runtime behavior without altering the application’s source code. For Android penetration testing, Frida is invaluable for bypassing client-side security controls, understanding application logic, and discovering vulnerabilities that might otherwise be hidden.

This tutorial will guide you through using Frida to override Android Java methods, specifically focusing on modifying their return values to bypass common security checks like root detection or license verification. We’ll provide practical examples and step-by-step instructions to get you started.

Prerequisites

Before diving into method overriding, ensure you have the following:

  • Rooted Android Device or Emulator: Frida requires root privileges on the target device to inject its agent.
  • Frida Server: The Frida server binary must be running on your Android device. Download the correct architecture (e.g., frida-server-16.1.4-android-arm64) from Frida’s GitHub releases and push it to your device.
  • Frida-tools: Installed on your host machine (pip install frida-tools).
  • ADB (Android Debug Bridge): For interacting with your Android device.
  • Decompiler (Optional but Recommended): Tools like Jadx-GUI or Ghidra for static analysis and identifying target methods.

Setting up Frida Server on Android

  1. Download the appropriate frida-server for your device’s architecture (e.g., arm64).
  2. Push it to your device: 
    adb push frida-server-16.1.4-android-arm64 /data/local/tmp/frida-server
  3. Set executable permissions: 
    adb shell "chmod 755 /data/local/tmp/frida-server"
  4. Start the server in the background: 
    adb shell "/data/local/tmp/frida-server &"
  5. Verify Frida is running on your host: 
    frida-ps -U

    You should see a list of running processes on your device.

Identifying Target Java Methods

The first step in any Frida-based bypass is to identify the specific Java method(s) responsible for the security check you want to subvert. Static analysis with a decompiler like Jadx-GUI is highly effective here.

Let’s consider a hypothetical Android application (com.example.secureapp) that performs a root detection check using a method like isDeviceRooted() within a class called SecurityUtils.

package com.example.secureapp;import android.util.Log;import java.io.File;public class SecurityUtils {    private static final String TAG = "SecurityUtils";    public boolean isDeviceRooted() {        String[] paths = { "/system/app/Superuser.apk", "/sbin/su", "/system/bin/su", "/system/xbin/su",                           "/data/local/xbin/su", "/data/local/bin/su", "/system/sd/xbin/su",                           "/system/bin/failsafe/su", "/data/local/su", "/su/bin/su"};        for (String path : paths) {            if (new File(path).exists()) {                Log.w(TAG, "Root detected via: " + path);                return true;            }        }        Log.i(TAG, "Device not rooted (basic check).");        return false;    }    public boolean checkLicense(String licenseKey) {        // Hypothetical complex license validation        if (licenseKey == null || licenseKey.isEmpty()) {            return false;        }        if (licenseKey.equals("VALID_LICENSE_KEY_123")) {            Log.i(TAG, "License check passed.");            return true;        }        Log.w(TAG, "Invalid license key.");        return false;    }}

Our goal is to make isDeviceRooted() always return false, and checkLicense() always return true, regardless of the actual device state or provided key.

Frida Scripting: Overriding Java Methods

Basic Hooking and Logging

Before modifying return values, it’s good practice to ensure you can hook the method and log its invocation. This confirms your target identification is correct.

Java.perform(function () {    console.log("Frida script loaded!");    var SecurityUtils = Java.use("com.example.secureapp.SecurityUtils");    SecurityUtils.isDeviceRooted.implementation = function () {        console.log("Hooked isDeviceRooted() called!");        var result = this.isDeviceRooted(); // Call original method        console.log("Original isDeviceRooted() result: " + result);        return result; // Return original result    };    console.log("Hook for isDeviceRooted() installed.");});

Save this as `log_root_check.js`. To run it:

frida -U -f com.example.secureapp -l log_root_check.js --no-pause

This command attaches Frida to `com.example.secureapp`, loads the script, and then spawns the app. When the app calls `isDeviceRooted()`, you’ll see “Hooked isDeviceRooted() called!” and the original result in your console.

Modifying Return Values to Bypass Root Detection

Now, let’s modify the `isDeviceRooted()` method to always return `false`, effectively bypassing the root detection check.

Java.perform(function () {    console.log("Frida script loaded for Root Bypass!");    var SecurityUtils = Java.use("com.example.secureapp.SecurityUtils");    SecurityUtils.isDeviceRooted.implementation = function () {        console.log("isDeviceRooted() hooked. Forcing return value to FALSE.");        return false; // Always return false    };    console.log("Root bypass hook for isDeviceRooted() installed.");});

Save this as `bypass_root.js`. Execute it:

frida -U -f com.example.secureapp -l bypass_root.js --no-pause

Now, every time `isDeviceRooted()` is called within the application, Frida intercepts it and returns `false`, irrespective of whether the device is truly rooted. The application will perceive the device as non-rooted.

Overriding Return Values and Modifying Arguments (License Check Example)

For the `checkLicense()` method, we want it to always return `true`. We can also log or even modify the `licenseKey` argument if needed.

Java.perform(function () {    console.log("Frida script loaded for License Bypass!");    var SecurityUtils = Java.use("com.example.secureapp.SecurityUtils");    SecurityUtils.checkLicense.implementation = function (licenseKey) {        console.log("checkLicense() hooked. Original licenseKey: " + licenseKey);        // Optionally, modify the argument before calling the original method        // var modifiedLicenseKey = "VALID_LICENSE_KEY_123";        // console.log("Modified licenseKey to: " + modifiedLicenseKey);        // var originalResult = this.checkLicense(modifiedLicenseKey);                console.log("Forcing checkLicense() return value to TRUE.");        return true; // Always return true    };    console.log("License bypass hook for checkLicense() installed.");});

Save this as `bypass_license.js`. Execute it similarly:

frida -U -f com.example.secureapp -l bypass_license.js --no-pause

This script ensures that any license check performed by `checkLicense()` in `SecurityUtils` will always succeed, granting access to licensed features.

Handling Method Overloads

If a class has multiple methods with the same name but different argument types (method overloading), you need to specify the argument types explicitly to target the correct overload.

Java.perform(function () {    var TargetClass = Java.use("com.example.app.TargetClass");    // Example: Overloaded method 'doSomething'    // public void doSomething(String arg1)    // public void doSomething(String arg1, int arg2)    TargetClass.doSomething.overload('java.lang.String').implementation = function (arg1) {        console.log("Hooked doSomething(String): " + arg1);        this.doSomething(arg1); // Call original    };    TargetClass.doSomething.overload('java.lang.String', 'int').implementation = function (arg1, arg2) {        console.log("Hooked doSomething(String, int): " + arg1 + ", " + arg2);        this.doSomething(arg1, arg2); // Call original    };});

The `overload()` method takes a variable number of string arguments, each representing the fully qualified type name of a parameter (e.g., `java.lang.String`, `int`, `boolean`, `[Ljava.lang.String;` for String array, etc.).

Conclusion

Frida provides unparalleled capabilities for dynamically analyzing and modifying Android applications at runtime. By mastering Java method overriding, you can effectively bypass client-side security checks such as root detection, signature verification, license checks, and even SSL pinning, enabling deeper penetration testing and vulnerability discovery. Remember to use these powerful techniques responsibly and ethically, primarily for security research and legitimate penetration testing purposes.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Penetration Testing #Frida #Java Hooking #Mobile Security #Security Bypass

Related Technical Guides

Beyond the Basics: Frida Persistent Hooks & Instrumentation for Android App Security Audits

May 29, 2026

How To: Unmask & Disable Stealthy Root Detection in Android Apps Using ART Runtime Manipulation

May 29, 2026

The Pentester’s Playbook: Exploiting Android Native Vulnerabilities with Frida ARM64 Hooking

May 29, 2026