Android App Penetration Testing & Frida Hooks

Mastering Android NDK Reverse Engineering: A Complete Ghidra & Frida Setup Guide

By Antigravity Research Published May 30, 2026 ⏱️ 7 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction: Diving Deep into Android Native Code

Android applications frequently leverage the Native Development Kit (NDK) to execute performance-critical or security-sensitive operations in native code (C/C++). This practice makes reverse engineering and security analysis more challenging, as traditional Java decompilation tools fall short. Mastering the art of Android NDK reverse engineering is crucial for security researchers, penetration testers, and malware analysts.

This comprehensive guide will walk you through setting up and utilizing two powerful tools – Ghidra for static analysis and Frida for dynamic instrumentation – to effectively reverse engineer Android native libraries (.so files). By combining their strengths, you’ll gain unparalleled insight into the inner workings of NDK-powered applications.

Why NDK Reverse Engineering Matters

  • Performance Optimization: NDK allows developers to write code that interacts directly with the system, bypassing the Java Virtual Machine (JVM) overhead.
  • Obfuscation and Security: Sensitive logic, such as cryptographic algorithms or anti-tampering checks, is often implemented in native code to hinder analysis.
  • Code Reuse: Libraries developed in C/C++ can be easily shared across multiple platforms.

Prerequisites: Your Reverse Engineering Toolkit

Before we begin, ensure you have the following tools set up:

  • Rooted Android Device or Emulator: Necessary for deploying and running Frida server.
  • Android SDK & Platform Tools (ADB): For interacting with your Android device.
  • Ghidra: The open-source reverse engineering framework from NSA. Download and install it on your workstation.
  • Frida-tools: Python library for interacting with the Frida server. Install via pip: pip install frida-tools.
  • Python 3: For running Frida scripts.

Ghidra: The Static Analysis Powerhouse

Ghidra excels at disassembling and decompiling native binaries, providing a high-level view of C/C++ code, even without debug symbols. It’s your primary tool for understanding the structure and logic of .so files.

Loading a Native Library into Ghidra

First, obtain the native library you wish to analyze (e.g., from an APK’s lib/armeabi-v7a/ or lib/arm64-v8a/ directory). Then, follow these steps:

  1. Launch Ghidra and create a new project.
  2. Go to File > Import File... and select your .so file.
  3. Ghidra will prompt you to analyze the file. Click ‘Yes’ and ensure ‘Android JNI’ is selected as a language specific option if available, and that default analysis options like ‘PCode’ and ‘Stack’ are enabled. Click ‘Analyze’.

Navigating the Ghidra Interface

Once analysis is complete, you’ll typically see three main windows:

  • Symbol Tree: Lists functions, data, and imports/exports. JNI functions are usually prefixed with Java_.
  • Listing Window: Displays the disassembled assembly code.
  • Decompiler Window: Ghidra’s powerful decompiler attempts to convert assembly back into human-readable C-like pseudocode. This is your most valuable window.

Identifying JNI Functions

JNI (Java Native Interface) functions are the bridge between Java and native code. They follow a specific naming convention: Java_<package_name>_<class_name>_<method_name>. In the Decompiler window, these functions will often have JNIEnv* and jobject as their first two arguments.

JNIEXPORT jstring JNICALL Java_com_example_myapp_NativeLib_stringFromJNI(JNIEnv* env, jobject thiz) { // ... native logic ... return (*env)->NewStringUTF(env, "Hello from C++");}

Frida: The Dynamic Instrumentation Toolkit

Frida allows you to inject scripts into running processes, hook functions (both Java and native), read/write memory, and even spawn new processes. It’s essential for observing real-time execution and manipulating application behavior.

Setting Up Frida on Your Android Device

  1. Download Frida Server: Go to Frida’s releases page on GitHub and download the appropriate frida-server binary for your device’s architecture (e.g., frida-server-*-android-arm64).
  2. Push to Device: Use ADB to push the server to a writable directory on your device, usually /data/local/tmp/.
    3. adb push frida-server /data/local/tmp/frida-server
  3. Set Permissions and Run: Make the server executable and run it. You’ll need root privileges for this.
    4. adb shell "chmod 755 /data/local/tmp/frida-server"adb shell "/data/local/tmp/frida-server &"

Basic Frida Client Usage

On your workstation, you can now interact with the Frida server:

  • List Processes:
    • frida-ps -U
  • Attach to an Application:
    • frida -U -f com.example.myapp --no-pause -l my_frida_script.js

    The -U flag connects to a USB device, -f spawns and attaches to the specified package, --no-pause starts the app immediately, and -l loads your Frida script.

The Ghidra-Frida Synergy: A Practical Walkthrough

Let’s combine Ghidra and Frida to reverse engineer a hypothetical native function.

Step 1: Extracting the Native Library (.so)

If you only have an APK, you need to extract the .so file. APKs are essentially zip files. You can rename .apk to .zip and extract, or use unzip directly:

unzip myapp.apk -d extracted_apk

Navigate to the extracted_apk/lib/<arch>/ directory to find your native libraries. If the app is already installed, you can pull the library directly:

adb shell pm path com.example.myappadb pull /data/app/com.example.myapp-1/lib/arm64/libmynative.so .

Step 2: Static Analysis in Ghidra – Unveiling Native Logic

Load libmynative.so into Ghidra as described earlier. Let’s assume we’ve identified a JNI function named Java_com_example_myapp_NativeLib_addNumbers that looks something like this in Ghidra’s decompiler:

JNIEXPORT jint JNICALL Java_com_example_myapp_NativeLib_addNumbers(JNIEnv *env, jobject thiz, jint a, jint b){  return a + b;}

In a real scenario, this function might perform more complex operations like decryption or validation. Note down the function’s address (offset from the base address of the module) shown in the Ghidra listing, or its export name if it’s directly exported.

Step 3: Dynamic Instrumentation with Frida – Observing and Manipulating

Now, let’s hook this function with Frida to observe its arguments and potentially modify its return value. Create a file named hook_native.js:

Java.perform(function() {  var moduleName = "libmynative.so";  var targetModule = Module.findBaseAddress(moduleName);  if (targetModule) {    // Find the function by its exported name (preferred) or offset    // Replace "Java_com_example_myapp_NativeLib_addNumbers" with the actual symbol if available    // Or use targetModule.add(0x1234) if only an offset is known from Ghidra    var targetFunctionPtr = Module.findExportByName(moduleName, "Java_com_example_myapp_NativeLib_addNumbers");    if (targetFunctionPtr) {      console.log("Hooking function at: " + targetFunctionPtr);      Interceptor.attach(targetFunctionPtr, {        onEnter: function(args) {          console.log("--------------------------------------------------");          console.log("Entering Java_com_example_myapp_NativeLib_addNumbers");          console.log("  Arg 1 (JNIEnv*): " + args[0]);          console.log("  Arg 2 (jobject this): " + args[1]);          console.log("  Arg 3 (jint a): " + args[2].toInt32());          console.log("  Arg 4 (jint b): " + args[3].toInt32());          // Example: Modify an argument to influence native logic          // args[2] = ptr(100); // Changes 'a' to 100        },        onLeave: function(retval) {          console.log("Leaving Java_com_example_myapp_NativeLib_addNumbers");          console.log("  Original Return Value: " + retval.toInt32());          // Example: Tamper with the return value          // retval.replace(ptr(500)); // Forces return to 500          console.log("  Modified Return Value: " + retval.toInt32());          console.log("--------------------------------------------------");        }      });      console.log("Successfully hooked Java_com_example_myapp_NativeLib_addNumbers");    } else {      console.log("Error: Could not find function 'Java_com_example_myapp_NativeLib_addNumbers' in " + moduleName);    }  } else {    console.log("Error: Module " + moduleName + " not found.");  }});

Now, run your app with Frida:

frida -U -f com.example.myapp --no-pause -l hook_native.js

As your application calls addNumbers, you’ll see the arguments and return values logged in your console, and you can even observe or modify them in real-time. This combination of static insight from Ghidra and dynamic interaction from Frida provides an incredibly powerful toolkit for understanding and manipulating native Android applications.

Conclusion: Unlocking Deeper Insights

By integrating Ghidra for in-depth static analysis and Frida for precise dynamic instrumentation, you gain an unparalleled advantage in Android NDK reverse engineering. This methodology allows you to dissect complex native logic, understand its interactions with the Java layer, and effectively bypass security mechanisms or discover vulnerabilities that would otherwise remain hidden. Continue exploring advanced features of both tools, such as Ghidra scripting and Frida Stalker, to further enhance your capabilities.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android NDK #AppSec #Frida #Ghidra #Reverse Engineering

Related Technical Guides

Hacking Android IPC: A Frida Scripting Lab for AIDL Interface Analysis & Vulnerability Discovery

May 30, 2026

Troubleshooting Frida OkHttp3 SSL Pinning Bypass: Common Errors & Solutions

May 30, 2026

Reverse Engineering Android Apps: Identifying & Bypassing Custom SSL Pinning with Frida

May 30, 2026