Introduction to Dynamic Android App Analysis
In the realm of Android application penetration testing, a comprehensive understanding of an application’s attack surface is paramount. Static analysis provides initial insights, but it often falls short in revealing runtime behaviors, obscured logic, and dynamically loaded components. This is where dynamic analysis, particularly with tools like Frida and Objection, becomes indispensable. Dynamic analysis allows security researchers to interact with an application as it executes, observing its true behavior, manipulating its state, and uncovering vulnerabilities that might be hidden deep within its runtime processes.
This article delves into leveraging Frida and Objection for thorough dynamic reconnaissance of Android applications. We will explore how these powerful tools enable us to enumerate critical components, hook sensitive APIs, bypass security controls, and ultimately map the application’s attack surface more effectively than static methods alone.
Setting Up Your Dynamic Analysis Environment
Before diving into the techniques, ensure you have a proper environment configured:
- Rooted Android Device or Emulator: Necessary for running Frida server.
- Frida: Install Frida client on your host machine (`pip install frida-tools`) and Frida server on the Android device.
- Objection: Install Objection on your host machine (`pip install objection`).
- ADB: Android Debug Bridge for device communication.
Starting Frida Server
Push the appropriate Frida server binary to your device, make it executable, and start it:
adb push frida-server /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"
Then, set up port forwarding to communicate with the server:
adb forward tcp:27042 tcp:27042
Enumerating Application Components with Objection
Objection, built on top of Frida, simplifies many common dynamic analysis tasks. Its interactive shell provides a high-level interface to Frida’s capabilities.
Connecting to the Application
First, identify the package name of the target application. Then, spawn or attach to it using Objection (`-g` is the short form of `--gadget`; replace `<package_name>` with the target's package name):
# To spawn the application (recommended for full control)
objection --gadget <package_name> explore
# To attach to an already running application
objection -g <package_name> explore
Exploring Classes and Methods
One of the initial steps in attack surface mapping is understanding the application’s code structure. Objection allows you to enumerate loaded classes and search for specific methods.
Listing All Loaded Classes
(agent) > android hooking list classes
This command can generate a large output. To narrow it down, search for classes matching a pattern instead:
(agent) > android hooking search classes com.example.app
Listing Methods of a Specific Class
Once an interesting class is identified, list its methods:
(agent) > android hooking list class_methods com.example.app.AuthManager
Identifying Sensitive API Calls
Attack surfaces often involve points where the application interacts with external resources or handles sensitive data. Objection and Frida excel at intercepting these interactions.
Monitoring SharedPreferences
SharedPreferences is a common storage mechanism for application data. Monitoring its usage can reveal sensitive information being stored locally.
(agent) > android hooking set_preference_monitor
Any read or write operations to SharedPreferences will now be logged in the console.
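A SharedPreferences write monitor can also be written as a custom Frida script. The following is an added example, not code from the original article: it hooks the framework's `android.app.SharedPreferencesImpl$EditorImpl.putString` and logs only writes that look like credentials, with the value masked. The helper names and the key/value patterns are assumptions chosen for illustration.

```javascript
// Added example: flag SharedPreferences string writes that look like secrets.
// The patterns below are illustrative assumptions, not a standard rule set.
const KEY_HINT = /(pass(word|wd)?|secret|token|api[_-]?key|session|auth)/i;
const JWT = /^eyJ[\w-]+\.[\w-]+\.[\w-]*$/;          // header.payload.signature
const LONG_OPAQUE = /^[A-Za-z0-9+\/_=-]{32,}$/;      // long base64/hex-like blob

// Returns the reasons a (key, value) pair deserves review; empty if none.
function looksSensitive(key, value) {
  const reasons = [];
  const v = value === null || value === undefined ? '' : String(value);
  if (KEY_HINT.test(String(key))) reasons.push('key-name');
  if (JWT.test(v)) reasons.push('jwt-value');
  else if (LONG_OPAQUE.test(v)) reasons.push('opaque-value');
  return reasons;
}

// Mask the value so the assessment log does not itself become a secret store.
function redact(value) {
  const v = String(value);
  if (v.length <= 8) return '*'.repeat(v.length);
  return v.slice(0, 4) + '...' + v.slice(-2) + ' (' + v.length + ' chars)';
}

// Only runs inside Frida, where the Java bridge exists.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    const Editor = Java.use('android.app.SharedPreferencesImpl$EditorImpl');
    Editor.putString.overload('java.lang.String', 'java.lang.String')
      .implementation = function (key, value) {
        const reasons = looksSensitive(key, value);
        if (reasons.length > 0) {
          console.log('[!] SharedPreferences putString ' + key + ' = ' +
                      redact(value) + ' [' + reasons.join(',') + ']');
        }
        return this.putString(key, value); // keep the original behaviour
      };
  });
}
```

Each flagged write is a candidate finding for cleartext storage of credentials and should be confirmed against the preference file on disk.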
Inspecting SQLite Databases
Many Android apps use SQLite for local data storage. Objection can help identify and even dump these databases.
(agent) > android sqlite connect /data/data/com.example.app/databases/app.db
(sqlite) > .tables
(sqlite) > SELECT * FROM users;
Bypassing SSL Pinning
SSL Pinning is a common security control. Objection provides built-in functionality to bypass it, allowing you to intercept network traffic with tools like Burp Suite.
(agent) > android sslpinning disable
After disabling, ensure your proxy (e.g., Burp Suite) is correctly configured on the device.
Advanced Dynamic Analysis with Custom Frida Scripts
While Objection covers many common scenarios, custom Frida scripts provide unparalleled flexibility for highly specific or complex hooking requirements.
Hooking Specific Methods for Argument Inspection
Consider an application that uses a custom encryption routine. You might want to inspect the arguments passed to the encryption function.
Java.perform(function() {
    var EncryptionUtil = Java.use('com.example.app.EncryptionUtil');
    EncryptionUtil.encrypt.overload('[B').implementation = function(data) {
        console.log('[*] Called EncryptionUtil.encrypt with data:',
            Java.array('byte', data).join(', '));
        var result = this.encrypt(data);
        console.log('[*] EncryptionUtil.encrypt result:',
            Java.array('byte', result).join(', '));
        return result;
    };
});
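To load this script (replace `<package_name>` with the target's package name):
frida -U -f <package_name> -l script.js --no-pause
Recent frida-tools releases resume the spawned process by default and no longer accept `--no-pause`; omit the flag there.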
Tracing Class Instantiations
Identifying where certain sensitive objects (e.g., `SecretKeySpec`, `Cipher`) are instantiated can reveal critical attack vectors. Frida can trace object constructors.
Java.perform(function() {
    var SecretKeySpec = Java.use('javax.crypto.spec.SecretKeySpec');
    SecretKeySpec.$init.overload('[B', 'java.lang.String').implementation = function(keyBytes, algorithm) {
        console.log('[*] SecretKeySpec instantiated with algorithm:', algorithm);
        console.log('[*] Key Bytes:', Java.array('byte', keyBytes).join(', '));
        this.$init(keyBytes, algorithm);
    };
});
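To turn the hook's console output into findings, the following added example (not part of the original article) parses the two log lines printed by the script above and flags key material that deserves a closer look. The rule set, function names and sample trace are assumptions constructed for illustration.

```javascript
// Added example: triage the output of the SecretKeySpec tracing hook above.
const WEAK_ALGS = new Set(['DES', 'DESEDE', 'RC4', 'ARCFOUR', 'RC2']);

// Java bytes are signed (-128..127); mask to 0..255 before hex-encoding.
function toHex(signedBytes) {
  return signedBytes.map(b => (b & 0xff).toString(16).padStart(2, '0')).join('');
}

// Pair each "instantiated with algorithm" line with the "Key Bytes" line after it.
function parseTrace(text) {
  const records = [];
  let algorithm = null;
  for (const line of text.split(/\r?\n/)) {
    const alg = line.match(/SecretKeySpec instantiated with algorithm:\s*(\S+)/);
    if (alg) { algorithm = alg[1]; continue; }
    const key = line.match(/Key Bytes:\s*(-?\d+(?:\s*,\s*-?\d+)*)/);
    if (key && algorithm !== null) {
      const bytes = key[1].split(',').map(s => parseInt(s.trim(), 10));
      records.push({ algorithm, bytes, hex: toHex(bytes) });
      algorithm = null;
    }
  }
  return records;
}

// Findings worth writing up; the rules are illustrative, not exhaustive.
function assessKey(rec) {
  const findings = [];
  const u = rec.bytes.map(b => b & 0xff);
  if (WEAK_ALGS.has(rec.algorithm.toUpperCase())) findings.push('weak-algorithm');
  if (u.every(b => b === u[0])) findings.push('constant-byte-key');
  else if (u.every(b => b >= 0x20 && b <= 0x7e)) findings.push('printable-ascii-key');
  return findings;
}

// Constructed sample output (not captured from a real app).
const SAMPLE_TRACE = [
  '[*] SecretKeySpec instantiated with algorithm: AES',
  '[*] Key Bytes: 49, 50, 51, 52, 53, 54, 55, 56, 57, 48, 97, 98, 99, 100, 101, 102',
  '[*] SecretKeySpec instantiated with algorithm: HmacSHA256',
  '[*] Key Bytes: -98, 17, -1, 0, 127, -128, 64, 5',
  '[*] SecretKeySpec instantiated with algorithm: DES',
  '[*] Key Bytes: 0, 0, 0, 0, 0, 0, 0, 0',
].join('\n');

// Parse a trace and attach the findings to each record.
function triage(text) {
  return parseTrace(text).map(r => ({ ...r, findings: assessKey(r) }));
}
```

A key made only of printable ASCII usually means a string literal or user password is being used directly as key material rather than a generated or derived key.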
Runtime Manipulation and Bypassing Client-Side Checks
Frida allows you to modify an application’s behavior at runtime. This is powerful for bypassing client-side validation, license checks, or altering control flow.
For example, to bypass an `isProVersion` check:
Java.perform(function() {
    var LicenseManager = Java.use('com.example.app.LicenseManager');
    LicenseManager.isProVersion.implementation = function() {
        console.log('[*] Bypassing isProVersion check, returning true.');
        return true;
    };
});
Mapping the Attack Surface: A Methodical Approach
Combining these techniques, a systematic approach to attack surface mapping includes:
- Initial Reconnaissance: Use Objection to list classes, methods, and exported components (Content Providers, Broadcast Receivers, Services) to understand the application’s overall structure.
- Data Storage Analysis: Monitor `SharedPreferences` and inspect SQLite databases for sensitive information. Check for improper storage of API keys, tokens, or personal data.
- Network Communication Review: Bypass SSL Pinning and intercept all network traffic. Look for insecure data transmission, weak API endpoints, or exposed backend functionality.
- API Hooking and Argument Inspection: Use Frida to hook critical APIs (cryptography, authentication, IPC, file I/O) to observe data in transit, identify hardcoded secrets, or understand business logic.
- Bypassing Client-Side Controls: Actively look for client-side checks (e.g., root detection, anti-tampering, license checks, input validation) and use Frida to bypass or modify their behavior.
- Memory Analysis: Explore application memory for sensitive data, such as decrypted keys, passwords, or PII that might reside temporarily.
Conclusion
Dynamic analysis with Frida and Objection significantly enhances the depth and efficacy of Android application penetration testing. By enabling real-time interaction with the application’s execution, security researchers can uncover vulnerabilities that are simply undetectable through static means. From enumerating hidden components and intercepting sensitive API calls to bypassing robust security controls, these tools provide a comprehensive toolkit for mapping the true attack surface of any Android application, leading to more robust security assessments and stronger app defenses.