Android App Penetration Testing & Frida Hooks

The Pentester’s Playbook: Exploiting Android Native Vulnerabilities with Frida ARM64 Hooking

By Antigravity Research Published May 29, 2026 ⏱️ 9 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to Android Native Vulnerabilities and Frida

Android applications often leverage native code (C/C++) via the Java Native Interface (JNI) for performance-critical operations, low-level system interactions, or to protect intellectual property through obfuscation. While native code can offer performance benefits, it also introduces a new attack surface. Vulnerabilities like buffer overflows, format string bugs, and improper memory handling in native libraries can lead to serious security flaws, allowing for arbitrary code execution or data leakage. Identifying and exploiting these vulnerabilities requires specialized tools and techniques.

Frida, a dynamic instrumentation toolkit, stands out as an indispensable tool for Android penetration testers. It allows you to inject JavaScript snippets into running processes on Android, iOS, Windows, macOS, and Linux. This capability is incredibly powerful for reverse engineering, bypassing security controls, and, critically, for hooking native ARM/ARM64 functions. With Frida, we can inspect arguments, modify return values, and even call unexported functions, making it a cornerstone for exploiting native vulnerabilities.

Setting Up Your Android Native Hooking Environment

Before diving into the exploitation, ensure your environment is correctly configured. This setup provides the foundation for all your Frida-based native hooking endeavors.

Prerequisites

  • Rooted Android Device or Emulator: A rooted environment is crucial as Frida-server often requires elevated privileges to attach to arbitrary processes, especially if the target app has `debuggable=false` in its manifest.
  • ADB (Android Debug Bridge): Essential for interacting with your Android device/emulator from your host machine.
  • Frida-server: The server component that runs on the Android device. Its architecture must match your device’s CPU (e.g., `arm64` for most modern Android devices).
  • Frida-tools: The client-side utilities installed on your host machine (e.g., `frida-ps`, `frida`).
  • Disassembler/Decompiler (Optional but Recommended): Tools like Ghidra or IDA Pro are invaluable for static analysis of native `.so` libraries to identify function names, offsets, and calling conventions.

Installation Steps

  1. Install Frida-tools on Host: 
    pip install frida-tools
  2. Download Frida-server for Android:

    Visit Frida’s GitHub releases page and download the `frida-server-x.x.x-android-arm64` (or `android-arm` if your device is 32-bit ARM) corresponding to the latest Frida version.

  3. Push Frida-server to Device and Run: 
    adb push /path/to/frida-server-x.x.x-android-arm64 /data/local/tmp/frida-serveradb shell "chmod 755 /data/local/tmp/frida-server"adb shell "/data/local/tmp/frida-server &"
  4. Verify Frida Setup: 
    frida-ps -U

    You should see a list of running processes on your Android device.

Identifying and Analyzing Native Libraries

The first step in native exploitation is to locate and understand the target native library and the functions within it that might be vulnerable or useful for bypassing controls.

Locating Target Libraries

Native libraries usually reside within the application’s data directory. You can find them using ADB:

adb shell "find /data/app -name "*lib*.so""

More specifically, for a package like `com.example.app`, you’d look under `/data/app/com.example.app-*/lib/arm64/` (or `arm/`).

Reverse Engineering with Ghidra/IDA Pro

Once you have the `.so` file, load it into a disassembler like Ghidra or IDA Pro. Look for:

  • Exported Functions: Functions explicitly exposed by the library, often including JNI functions like `Java_com_example_app_NativeLib_someFunction`.
  • Internal Functions: Functions not exported but called internally. These often implement core logic.
  • Function Signatures: Determine the number and types of arguments, and the return type. This is crucial for correct hooking.

For example, you might find a function named `checkLicense` that takes a `char*` (or `jstring` via JNI) and returns an integer (0 for invalid, 1 for valid).

Deep Dive into Frida ARM64 Hooking

Now, let’s get into the core of using Frida to interact with native ARM64 functions. ARM64 (AArch64) calling conventions dictate how arguments are passed and return values are handled, which Frida helps us manage.

Attaching to the Target Process

You can attach to an app by its package name:

frida -U -f com.example.app -l hook.js --no-pause

The `–no-pause` flag is important, as it allows the app to start immediately, letting you hook functions during its initialization phase.

Finding Native Functions and Offsets

Frida provides several ways to pinpoint functions:

  • `Module.findExportByName(moduleName, exportName)`: Best for exported functions.
  • `Module.findBaseAddress(moduleName)`: Returns the base address of a loaded module. You can then add an offset obtained from static analysis.

Consider a `libnative-lib.so` that exports a `checkLicense` function and has an internal `verify_data` function at offset `0x1234` from its base.

Java.perform(function() {    var libNative = Module.findBaseAddress("libnative-lib.so");    if (libNative) {        console.log("[+] Found libnative-lib.so at: " + libNative);        // Hooking an exported function        var checkLicensePtr = Module.findExportByName("libnative-lib.so", "Java_com_example_app_NativeLib_checkLicense");        // Hooking an internal function by offset        var verifyDataPtr = libNative.add(0x1234);        if (checkLicensePtr) {            console.log("[+] checkLicense found at: " + checkLicensePtr);            // ... (hook it below)        } else {            console.log("[-] checkLicense not found.");        }        if (verifyDataPtr) {            console.log("[+] verify_data found at: " + verifyDataPtr);            // ... (hook it below)        } else {            console.log("[-] verify_data not found.");        }    } else {        console.log("[-] libnative-lib.so not loaded or found.");    }});

Intercepting ARM64 Functions with `Interceptor.attach`

`Interceptor.attach` is your primary tool for hooking. It takes a native pointer (the function address) and an object with `onEnter` and `onLeave` callbacks.

  • `onEnter(args)`: Called when the hooked function is invoked. `args` is an array of `NativePointer` objects representing the function arguments. For ARM64, the first 8 arguments are typically passed in registers `x0` through `x7`. Additional arguments are pushed onto the stack.
  • `onLeave(retval)`: Called just before the hooked function returns. `retval` is a `NativePointer` representing the return value. You can inspect `retval` or modify it using `retval.replace(newValue)`.

Let’s hook our `Java_com_example_app_NativeLib_checkLicense` function, assuming it takes `JNIEnv*`, `jobject`, and `jstring` (license key) as arguments and returns `jboolean` (0 or 1).

Interceptor.attach(checkLicensePtr, {    onEnter: function(args) {        console.log("[*] JNI_checkLicense called!");        // JNIEnv* is args[0], jobject is args[1]        // jstring licenseKey is args[2]        var jniEnv = args[0];        var jstringLicenseKey = args[2];        // Read the Java string content. JNIEnv->GetStringUTFChars        // To get the actual string value from jstring, we need to call JNIEnv methods.        // For simplicity here, we'll assume a direct string pointer for demonstration,        // but in reality, you'd use JNI functions. For basic char* arguments,        // you can simply use jstringLicenseKey.readCString().        try {            var licenseKey = jniEnv.get     // This is placeholder to illustrate JNIEnv calls.            // In a real scenario, you'd use JNIEnv functions like GetStringUTFChars            // console.log("    License Key (jstring): " + jstringLicenseKey.readCString()); // Only if it's a direct char*            console.log("    JNIEnv*: " + args[0]);            console.log("    jobject (this): " + args[1]);            // If args[2] points directly to a C-string (less common for jstring), you could read it:            // console.log("    Arg 2 (potential C-string): " + args[2].readCString());        } catch(e) {            console.log("    Error reading argument: " + e);        }        // Example: modify an argument (e.g., bypass a specific key check)        // Not directly modifying jstring here, but showing concept        // args[2] = new NativePointer(Memory.allocUtf8String("ALWAYS_VALID_KEY"));    },    onLeave: function(retval) {        console.log("[*] JNI_checkLicense returned: " + retval);        // Force the return value to 1 (true) to bypass the license check        retval.replace(ptr(1)); // For jboolean, 1 is true        console.log("[!] Return value modified to: " + retval);    }});

`NativeFunction` for Calling Native Code

While `Interceptor.attach` is for hooking, `NativeFunction` is used to create JavaScript proxies for native functions, allowing you to call them directly from your Frida script. This is useful for testing or triggering specific logic.

// Example for a function int multiply(int a, int b);var multiplyPtr = libNative.add(0xABCD); // Replace with actual offsetvar multiply = new NativeFunction(multiplyPtr, 'int', ['int', 'int']);var result = multiply(10, 20);console.log("[+] Result of multiply(10, 20): " + result);

Practical Exploitation Example: Bypassing License Checks

Let’s tie it together with a common scenario: an Android app using a native `checkLicense` function that returns `0` for an invalid license and `1` for a valid one. Our goal is to always return `1` to bypass this check.

Scenario Details

  • App: `com.example.secureapp`
  • Native Library: `libsecurelib.so`
  • Target Function: `Java_com_example_secureapp_Security_checkLicense(JNIEnv* env, jobject thiz, jstring licenseKey)`
  • Return Type: `jboolean` (0 or 1)

Step-by-Step Bypass

  1. Identify the Library and Function: Using Ghidra or `nm -D libsecurelib.so`, locate `Java_com_example_secureapp_Security_checkLicense`. Assume its address is identified.
  2. Create `bypass.js` Frida Script: 
    Java.perform(function() {    console.log("[+] Starting license bypass script...");    var libSecure = Module.findBaseAddress("libsecurelib.so");    if (libSecure) {        console.log("[+] libsecurelib.so loaded at: " + libSecure);        var checkLicensePtr = Module.findExportByName("libsecurelib.so", "Java_com_example_secureapp_Security_checkLicense");        if (checkLicensePtr) {            console.log("[+] Found checkLicense function at: " + checkLicensePtr);            Interceptor.attach(checkLicensePtr, {                onEnter: function(args) {                    // Optional: Log the license key being checked                    var jniEnv = Java.vm.get === null ? null : Java.vm.getEnv();                    if (jniEnv && args[2] !== null) {                        var licenseKey = jniEnv.getStringUtfChars(args[2], null).readCString();                        console.log("[*] Original License Key: " + licenseKey);                    }                },                onLeave: function(retval) {                    console.log("[*] Original Return Value: " + retval);                    // Force return value to true (1)                    retval.replace(ptr(1));                    console.log("[!] License check bypassed! Forced return to: " + retval);                }            });            console.log("[+] checkLicense hook installed successfully.");        } else {            console.log("[-] Error: checkLicense function not found in libsecurelib.so.");        }    } else {        console.log("[-] Error: libsecurelib.so not found or loaded.");    }});
  3. Execute the Frida Script: 
    frida -U -f com.example.secureapp -l bypass.js --no-pause

Now, whenever `checkLicense` is called, Frida will intercept it and modify its return value to `1`, effectively bypassing the license verification logic within the application.

Conclusion and Advanced Considerations

Frida’s power in dynamically instrumenting native Android code is unmatched for penetration testing and reverse engineering. By understanding ARM64 calling conventions and leveraging `Interceptor.attach`, you gain granular control over function execution, enabling you to inspect parameters, modify outcomes, and bypass security mechanisms embedded in native libraries. This deep dive into Frida ARM64 hooking equips you with the fundamental skills to identify and exploit native vulnerabilities effectively.

While this guide covers the basics, the world of native exploitation is vast. Advanced topics include: bypassing anti-Frida detection mechanisms (e.g., checking for Frida server, maps entries), in-line hooking for unexported or compiler-optimized functions, syscall hooking, and analyzing complex data structures passed between native functions. Always remember to use these powerful techniques responsibly and ethically, adhering to legal and ethical guidelines in your security assessments.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Penetration Testing #ARM64 #Frida #Native Hooking #Reverse Engineering

Related Technical Guides

From APK to Runtime: Complete Guide to Android Class & Method Enumeration with Frida

May 30, 2026

Automated APK RE Lab: Building a CI/CD Pipeline for Android Pen Testing

May 29, 2026

Building Your Own Android Runtime Analysis Toolkit: Integrating Frida with Custom Scripts and Tools

May 29, 2026