Introduction

Android application penetration testing often involves reverse engineering and understanding the application’s runtime behavior. While static analysis (decompilation) provides a wealth of information, many crucial details, such as dynamically loaded classes, obfuscated method names resolved at runtime, or methods called based on user interaction, are only visible during execution. This is where Frida, a dynamic instrumentation toolkit, becomes indispensable. This guide will focus on leveraging Frida for dynamic enumeration of Android classes and methods at runtime, a fundamental technique for uncovering an application’s hidden logic and identifying potential hooking targets.

Why Dynamic Enumeration?

Static analysis tools like Jadx or Ghidra provide a comprehensive view of an APK’s bytecode. However, modern Android applications frequently employ techniques such as:

• Dynamic class loading
• Reflection
• Code obfuscation (ProGuard, DexGuard)
• Anti-tampering and anti-debugging checks that modify runtime behavior

These techniques make it challenging to fully comprehend an application’s execution flow purely from static analysis. Dynamic enumeration with Frida allows testers to:

• Discover all classes currently loaded into the Dalvik/ART runtime.
• Identify all methods (including constructors) within a specific class, regardless of obfuscation.
• Pinpoint classes or methods that are only initialized or called under specific conditions.
• Formulate precise hooking strategies for runtime manipulation.

Prerequisites

Before diving in, ensure you have the following:

• An Android device or emulator (rooted is preferred for easier setup, but not strictly necessary for basic Frida usage if you can inject into a debuggable app).
• ADB (Android Debug Bridge) installed and configured on your host machine.
• Frida-tools installed on your host machine.
• Frida-server running on your Android device.

Setting Up Frida

Install Frida Tools (Host)

On your host machine (Linux, macOS, or Windows), install Frida-tools via pip:

pip install frida-tools

Install Frida Server (Device)

1. Download the correct Frida-server binary for your Android device’s architecture (e.g., frida-server-*-android-arm64) from the Frida releases page.
2. Push the binary to your device:

adb push frida-server /data/local/tmp/

3. Make it executable and run it:

adb shell "chmod 755 /data/local/tmp/frida-server"adb shell "/data/local/tmp/frida-server &"

You should see a message confirming Frida-server is listening.

Core Concepts: Java.use() and Java.enumerateLoadedClasses()

Frida’s JavaScript API provides powerful tools for interacting with the Android runtime. Two fundamental functions for enumeration are:

• Java.enumerateLoadedClasses(callbacks): This function iterates over all classes currently loaded in the Java VM, executing a callback for each. It’s excellent for broad discovery.
• Java.use(className): This function provides a JavaScript wrapper around a specific Java class, allowing you to interact with its static and instance methods, fields, and even create new instances. It’s crucial for targeted enumeration and hooking.

Enumerating Loaded Classes

Let’s start by listing all classes loaded by an Android application. This can give you an immediate overview of the app’s components, libraries, and custom code.

Frida Script: Listing All Loaded Classes

Create a file named enumerate_classes.js with the following content:

Java.perform(function () {    console.log("[*] Enumerating loaded classes...");    Java.enumerateLoadedClasses({        onMatch: function (className) {            if (className.startsWith("com.example.your_app_package")) { // Optional: Filter by package                console.log("[+] Found class: " + className);            } else {                // console.log("[.] Found other class: " + className); // Uncomment to see all classes            }        },        onComplete: function () {            console.log("[*] Class enumeration complete.");        }    });});

Replace com.example.your_app_package with the actual package name of the target application you’re testing. You can find this using adb shell pm list packages or by inspecting the APK.

Running the Script

Attach Frida to your target application. We’ll use the -f flag to spawn the application (if not already running) and --no-pause to let it run immediately:

frida -U -f com.example.your_app_package -l enumerate_classes.js --no-pause

You will see a stream of class names printed to your console. This list can be extensive, often including Android system classes, third-party libraries, and the application’s own classes.

Filtering Classes

As shown in the example script, using className.startsWith() is an effective way to focus on the application’s specific code, filtering out common Android framework and standard library classes that might not be relevant to your immediate goal.

Enumerating Methods of a Specific Class

Once you’ve identified an interesting class, the next step is to enumerate its methods and constructors to understand its functionality and potential attack surface.

Frida Script: Enumerating Class Members

Create a file named enumerate_methods.js:

Java.perform(function () {    var targetClassName = "com.example.your_app_package.TargetClass"; // Replace with your target class name    try {        var targetClass = Java.use(targetClassName);        console.log("[*] Enumerating methods for class: " + targetClassName);        // Enumerate constructors        var constructors = targetClass.$init.overloads;        if (constructors.length > 0) {            console.log("  [+] Constructors:");            constructors.forEach(function (constructor) {                console.log("    - " + targetClassName + constructor.argumentTypes.map(function(t){return t.className;}).join(', ') + ")");            });        } else {            console.log("  [-] No constructors found.");        }        // Enumerate methods        var methods = targetClass.class.getMethods();        console.log("  [+] Methods:");        methods.forEach(function (method) {            console.log("    - " + method.getName() + "(" + method.getParameterTypes().map(function(t){return t.getName();}).join(', ') + ")");        });        console.log("[*] Method enumeration complete for " + targetClassName + ".");    } catch (e) {        console.error("[*] Error enumerating class or methods: " + e.message);    }});

This script first obtains a reference to TargetClass using Java.use(). Then, it enumerates constructors via targetClass.$init.overloads and methods using targetClass.class.getMethods(). The getParameterTypes() and argumentTypes are used to display the full method signature, which is crucial for handling overloaded methods.

Run it similarly:

frida -U -f com.example.your_app_package -l enumerate_methods.js --no-pause

Understanding Method Signatures

When enumerating methods, pay close attention to their signatures. Java allows method overloading, meaning multiple methods can share the same name but have different parameter lists. Frida’s API exposes these overloads. For instance, you might see:

- myMethod(java.lang.String)- myMethod(int, java.lang.String)

These are two distinct methods. Knowing the exact signature is vital when you later want to hook a specific overload of a method.

Advanced Use Cases and Tips

Identifying Hooking Targets

The primary goal of enumeration is often to identify interesting classes and methods for hooking. Look for:

• Methods related to authentication, encryption, network communication, or data storage.
• Constructors ($init) to observe object creation.
• Methods that accept or return sensitive data types.
• Methods that might implement anti-tampering or root detection logic.

Exploring Libraries

Many Android apps rely on third-party libraries. By enumerating classes and methods within these libraries (e.g., specific SDKs like Firebase, payment gateways, analytics tools), you can uncover how the app integrates with them and potentially find vulnerabilities in the interaction.

Automating with Python

While the JavaScript snippets are great for quick exploration, for more complex scenarios, consider embedding Frida scripts within a Python script. This allows for programmatic interaction, data parsing, and more sophisticated analysis workflows. You can dynamically generate and inject scripts, or process the output from enumeration more efficiently.

# Example Python snippet to list processesimport fridafor device in frida.get_usb_device().enumerate_applications():    print(device)

Conclusion

Dynamic class and method enumeration with Frida is a cornerstone technique in modern Android application penetration testing. It provides unparalleled visibility into the runtime behavior of applications, allowing testers to overcome the challenges posed by obfuscation and dynamic code loading. By mastering Java.enumerateLoadedClasses() and Java.use(), you gain the power to uncover hidden functionalities, understand complex execution flows, and precisely identify targets for further instrumentation and manipulation. Integrate these techniques into your workflow, and you’ll significantly enhance your ability to discover vulnerabilities in Android applications.