Android Software Reverse Engineering & Decompilation

Mastering Frida: Hooking C/C++ Native Functions via JNI for Android App Reversing

By Antigravity Research Published May 29, 2026 ⏱️ 11 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to Frida and Native Android Reversing

Android application reversing often requires delving into the native layer, where performance-critical, security-sensitive, or obfuscated logic resides. While Java/Kotlin code is relatively straightforward to decompile and analyze, C/C++ native libraries, accessed via the Java Native Interface (JNI), present a greater challenge. Frida, a dynamic instrumentation toolkit, empowers reverse engineers to overcome this by injecting scripts into running processes, allowing them to hook, modify, and observe native functions in real-time. This guide will walk you through mastering Frida to effectively hook C/C++ native functions in Android applications, covering both exported and dynamically registered methods, along with practical bypass techniques.

Understanding JNI in Android Applications

The Java Native Interface (JNI) is a framework that allows Java code running in the Java Virtual Machine (JVM) to call and be called by native applications and libraries written in other languages, such as C and C++. In Android, applications leverage JNI to interact with low-level system APIs, implement performance-intensive algorithms, or protect sensitive logic from easy analysis.

How Native Libraries are Loaded and Functions Registered

Native libraries (.so files) are typically loaded into an Android application using System.loadLibrary("mylib") or System.load("/path/to/mylib.so") in Java. Once loaded, the native code can register its functions in a few ways:

  1. Exported Functions: Functions explicitly exported in the native library. Java methods are linked to these using the native keyword, and the function name follows a specific JNI signature (e.g., Java_com_example_app_NativeClass_myNativeMethod).
  2. Dynamically Registered Functions: More commonly, native libraries register functions dynamically within a special JNI entry point, JNI_OnLoad. This function is called when the library is loaded, and it uses RegisterNatives to map Java native methods to specific C/C++ function pointers. This technique often makes reversing harder as the function names are not exported.

Setting Up Your Frida Environment

Before we dive into hooking, ensure your environment is ready:

  1. Rooted Android Device or Emulator: Frida requires root privileges to inject into applications.
  2. Frida Server: Download the correct Frida server for your device’s architecture (e.g., frida-server-*-android-arm64) from the Frida releases page. Push it to your device and run it as root: 
    adb push frida-server /data/local/tmp/frida-serveradb shell "chmod 755 /data/local/tmp/frida-server"adb shell "/data/local/tmp/frida-server &"
  3. Frida Tools on Host Machine: Install Frida Python tools: 
    pip install frida-tools

Basic Native Function Hooking: Exported Functions

Let’s start with a simple scenario: hooking an exported native function. Imagine an Android app with a native method public native String getSecretKey(); in com.example.app.NativeUtils. This might map to an exported C function like Java_com_example_app_NativeUtils_getSecretKey.

Identifying the Target Module and Export

First, identify the native library (e.g., libnative-lib.so) and the exact name of the exported function. You can use frida-trace for a quick overview or inspect the APK with tools like Ghidra/IDA to find the library and function names.

Frida Script for Exported Hooking

Here’s a basic Frida script to hook an exported function:

Java.perform(function() {    var targetLibrary = Module.find("libnative-lib.so");    if (targetLibrary) {        console.log("[*] Found libnative-lib.so at: " + targetLibrary.base);        var getSecretKeyPtr = Module.findExportByName("libnative-lib.so", "Java_com_example_app_NativeUtils_getSecretKey");        if (getSecretKeyPtr) {            console.log("[*] Hooking getSecretKey at: " + getSecretKeyPtr);            Interceptor.attach(getSecretKeyPtr, {                onEnter: function(args) {                    console.log("[+] getSecretKey() called");                },                onLeave: function(retval) {                    // retval is a JNI jstring. Convert it to a JavaScript string.                    var jniEnv = Java.vm.get === undefined ? Java.vm.getEnv() : Java.vm.getEnv().get;                    var secretKey = jniEnv.getStringUtfChars(retval, null).readCString();                    console.log("[+] getSecretKey() returned: " + secretKey);                    // Optional: Modify return value (e.g., return a different key)                    // var newSecretKey = "FAKE_SECRET_KEY_BY_FRIDA";                    // var jstringNewSecretKey = jniEnv.newStringUtf(newSecretKey);                    // retval.replace(jstringNewSecretKey);                    // console.log("[+] getSecretKey() modified return to: " + newSecretKey);                }            });        } else {            console.log("[-] Could not find Java_com_example_app_NativeUtils_getSecretKey");        }    } else {        console.log("[-] Could not find libnative-lib.so");    }});

To run this script:

frida -U -l your_script.js -f com.example.app --no-pause

Explanation:

  • Module.find("libnative-lib.so"): Locates the base address of the native library.
  • Module.findExportByName(...): Finds the memory address of the exported function.
  • Interceptor.attach(ptr, callbacks): The core of Frida hooking. It takes the function pointer and an object with onEnter and onLeave callbacks.
  • onEnter(args): Called before the native function executes. args contains an array of arguments passed to the function. For JNI functions, args[0] is JNIEnv* and args[1] is jobject (the this object for non-static methods or jclass for static methods).
  • onLeave(retval): Called after the native function executes. retval is a NativePointer containing the return value. You can inspect or modify it.
  • JNI Type Conversion: The example demonstrates converting a jstring (JNI string handle) to a readable JavaScript string using jniEnv.getStringUtfChars(retval, null).readCString(). The jniEnv object provides methods to interact with JNI types.

Hooking Dynamically Registered Native Functions

Many Android apps use RegisterNatives within JNI_OnLoad to hide native method names. To hook these, we must intercept RegisterNatives itself or JNI_OnLoad to retrieve the addresses of the dynamically registered functions.

Strategy: Intercepting JNI_OnLoad

JNI_OnLoad is an exported function called when any native library is loaded. By hooking it, we can gain control just before or after RegisterNatives is called.

Java.perform(function() {    var moduleName = "libnative-lib.so"; // Target library    var jniOnLoadPtr = Module.findExportByName(moduleName, "JNI_OnLoad");    if (jniOnLoadPtr) {        console.log("[*] Hooking JNI_OnLoad at: " + jniOnLoadPtr);        Interceptor.attach(jniOnLoadPtr, {            onEnter: function(args) {                // args[0] is JavaVM*, args[1] is void* reserved                console.log("[+] JNI_OnLoad called for " + moduleName);            },            onLeave: function(retval) {                console.log("[+] JNI_OnLoad finished for " + moduleName);                // After JNI_OnLoad, native functions might be registered.                // Now we can try to find and hook them based on their addresses.                // This requires knowing the function signature or pattern.                // Example: If a function `myDynamicNativeMethod` at offset 0x1234 from base                // var myDynamicFuncPtr = Module.findBase(moduleName).add(0x1234);                // Interceptor.attach(myDynamicFuncPtr, { ... });                // A more robust way is to hook env->RegisterNatives itself!            }        });    } else {        console.log("[-] JNI_OnLoad not found in " + moduleName);    }});

Strategy: Hooking RegisterNatives

The most effective way to hook dynamically registered functions is to intercept the RegisterNatives function itself. This function is part of the JNIEnv structure. We need to find the address of RegisterNatives within the JNIEnv pointer.

Java.perform(function() {    var moduleName = "libnative-lib.so";    var JNI_OnLoad = Module.findExportByName(moduleName, "JNI_OnLoad");    if (!JNI_OnLoad) {        console.log("[-] JNI_OnLoad not found in " + moduleName);        return;    }    console.log("[*] Found JNI_OnLoad at: " + JNI_OnLoad);    Interceptor.attach(JNI_OnLoad, {        onEnter: function(args) {            this.jniEnv = args[0]; // Save JNIEnv* pointer            // We need to find the RegisterNatives address within JNIEnv.            // This address is usually at a fixed offset for a given Android version/architecture.            // A common approach is to look up the JNIEnv table.            // For ARM64, RegisterNatives is often at offset 0x1A8 (or 0xD4 for 32-bit ARM) from JNIEnv** -> JNIEnv* table            // However, it's safer to find it by hooking any JNIEnv function and reading the table.            // For simplicity, let's assume a known offset for RegisterNatives for this example            // In reality, you'd calculate this by dumping the JNIEnv table or using a generic JNI hooking library.            var RegisterNatives_offset;            if (Process.arch === 'arm64') {                RegisterNatives_offset = 0x1A8; // Common for arm64 (Android 6+)            } else if (Process.arch === 'arm') {                RegisterNatives_offset = 0xD4; // Common for arm (Android 6+)            } else {                console.log("[-] Unsupported architecture: " + Process.arch);                return;            }            var JNIEnv_ptr = this.jniEnv.readPointer();            var RegisterNatives_ptr = JNIEnv_ptr.add(RegisterNatives_offset).readPointer();            console.log("[*] RegisterNatives detected at: " + RegisterNatives_ptr);            if (!this.RegisterNatives_hooked) { // Ensure it's hooked only once                Interceptor.attach(RegisterNatives_ptr, {                    onEnter: function(regArgs) {                        this.env = regArgs[0];                        this.klass = regArgs[1];                        this.methods = regArgs[2];                        this.numMethods = regArgs[3].toInt32();                        var className = this.env.getJniEnv().getClassName(this.klass);                        console.log("[!] RegisterNatives called for class: " + className + " with " + this.numMethods + " methods.");                        for (var i = 0; i < this.numMethods; i++) {                            var method = this.methods.add(i * Process.pointerSize * 3); // Each method entry is 3 pointers                            var name = method.readPointer().readCString();                            var signature = method.add(Process.pointerSize).readPointer().readCString();                            var fnPtr = method.add(Process.pointerSize * 2).readPointer();                            console.log("    - Method: " + name + ", Signature: " + signature + ", Address: " + fnPtr);                            // Now you can hook individual registered native methods!                            // Example: If 'checkPin' is registered, hook it.                            if (name === "checkPin" && !global.checkPinHooked) {                                global.checkPinHooked = true; // Prevent re-hooking                                console.log("        [+] Hooking dynamically registered checkPin at: " + fnPtr);                                Interceptor.attach(fnPtr, {                                    onEnter: function(pinArgs) {                                        var jniEnv = Java.vm.get === undefined ? Java.vm.getEnv() : Java.vm.getEnv().get;                                        var pin = jniEnv.getStringUtfChars(pinArgs[2], null).readCString(); // Assuming pin is jstring at arg[2]                                        console.log("            [+] checkPin called with PIN: " + pin);                                    },                                    onLeave: function(pinRetval) {                                        console.log("            [+] checkPin returned: " + pinRetval.toInt32());                                        // Bypass: Always return true (1)                                        pinRetval.replace(ptr(1));                                        console.log("            [+] checkPin return value bypassed to TRUE (1)!");                                    }                                });                            }                        }                    },                    onLeave: function(retval) {                        // console.log("[-] RegisterNatives finished.");                    }                });                this.RegisterNatives_hooked = true;            }        },        onLeave: function(retval) {            // console.log("[+] JNI_OnLoad returned.");        }    });});

Important Note on `RegisterNatives` Offset: The offset for RegisterNatives within the JNIEnv vtable can vary slightly across Android versions and architectures. The values 0x1A8 for ARM64 and 0xD4 for ARM are common for modern Android versions (Android 6+). For older versions or if these don’t work, you might need to dynamically derive the offset by dumping the JNIEnv vtable or using a more sophisticated approach like hooking dlsym or __system_property_get to find common JNI functions and deduce the table layout.

Bypassing Native Checks and Modifying Data

Once you’ve hooked a native function, you have immense power to manipulate its behavior. Common use cases include:

  • Modifying Arguments: Change input parameters to explore different code paths or bypass input validation.
  • Modifying Return Values: Force a function to return a specific value (e.g., always true for a license check, or a valid decrypted key).
  • Changing Code Flow: Skip original function execution (by calling this.onLeave() immediately in onEnter) or redirect execution to your own function.

Example: Bypassing a Native License Check

In the RegisterNatives example above, we showed how to hook a hypothetical checkPin function. Here’s a dedicated example for a checkLicense function:

// Assuming checkLicense is an exported function or its address is known// e.g., var checkLicensePtr = Module.findExportByName("libapp.so", "Java_com_example_app_LicenseChecker_checkLicense");var checkLicensePtr = ptr("0xDEADBEEF"); // Replace with actual address!if (checkLicensePtr) {    console.log("[*] Hooking checkLicense at: " + checkLicensePtr);    Interceptor.attach(checkLicensePtr, {        onEnter: function(args) {            console.log("[+] checkLicense() called");            // Optionally log arguments            // var jniEnv = Java.vm.get === undefined ? Java.vm.getEnv() : Java.vm.getEnv().get;            // var licenseString = jniEnv.getStringUtfChars(args[2], null).readCString();            // console.log("    License string: " + licenseString);        },        onLeave: function(retval) {            console.log("[+] checkLicense() original return: " + retval.toInt32());            // Force return value to 1 (true) to bypass license check            retval.replace(ptr(1));            console.log("[+] checkLicense() return value bypassed to TRUE (1)!");        }    });} else {    console.log("[-] checkLicense function not found.");}

Advanced Techniques and Considerations

  • Memory Manipulation: Frida’s Memory API allows reading/writing arbitrary memory regions (e.g., Memory.readByteArray(address, size), Memory.writeByteArray(address, byteArray)). This is crucial for inspecting or modifying data structures, encryption keys in memory, or bypassing anti-debugging techniques that store flags in memory.
  • Attaching to Child Processes: Some apps spawn child processes to perform sensitive operations. Frida can be configured to attach to newly spawned processes using Process.set={onSpawn: function(spawn) { ... }} and spawn.resume().
  • Dealing with Obfuscation: Obfuscated native libraries might rename functions, flatten control flow, or use anti-tampering checks. Frida can still be effective by targeting specific API calls (e.g., libc functions, Android NDK functions) that the obfuscated code must eventually use. Identifying these choke points through static analysis (Ghidra/IDA) is key.
  • Custom Native Hooks (CModule): For very complex hooking logic or performance-critical tasks, Frida allows writing hooks directly in C using CModule. This compiles a small C snippet that runs directly in the target process.

Conclusion

Mastering Frida for hooking C/C++ native functions via JNI is an indispensable skill for any serious Android reverse engineer. By understanding JNI mechanics, leveraging Frida’s powerful Interceptor API, and applying techniques to handle both exported and dynamically registered functions, you gain unparalleled insight and control over an application’s native behavior. From simply observing calls to actively bypassing security checks, Frida transforms the challenging world of native Android reversing into a tractable and highly rewarding endeavor.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Reversing #C/C++ #Frida #JNI #Native Hooking

Related Technical Guides

Troubleshooting JNI Native Crashes: Debugging Obfuscated NDK Binaries with GDB/LLDB

May 29, 2026

Troubleshooting ClassNotFoundException in Custom Classloader Scenarios: A Debugging Playbook

May 30, 2026

Reverse Engineering a Real-World App’s AIDL: A Hands-On Case Study

May 30, 2026