Reverse engineering (Android) applications with Frida

August 2020 · 3 minute read

This brief post is about reverse engineering Android applications using Frida. Frida can be used on anything really; it’s an extremely versatile toolkit.

It’s a very valuable tool for reverse engineering how applications work and in my example how to gain knowledge on an undocumented API that is used by an Android application.

I won’t get into the specific API but instead brifly show how to use Frida, from my experience, and related tools. I’m not an expert at all.

First you will have to install Frida. Depending on your OS you can install it with Python pip or on Arch Linux as me you can install the AUR package python-frida-tools.

In this case we’re trying to do some API tracing of an Android app. There is a little tool called objection which can actually automatically inject/patch an Android application that makes you possible to bypass SSL pinning, dump memory and other stuff. With this you can sort of debug almost any Android application. objection is built on top of Frida with some extras as I mentioned. To install objection you can use pip;

$ pip install objection

To patch an Android application you’ll need its APK. Either pull the APK from your device with adb or find the APK on APKMirror.

After that you patch said APK like this;

$ objection patchapk --source app-release.apk

This will inject what is called the a Frida Gadget. This Frida Gadget is a shared library meant to be loaded by programs to be instrumented when the regular injected mode of operation isn’t suitable. You can read about the ‘Modes of Operation’ on the Frida website. The Frida Gadget is in the ‘Preloaded’ ‘Mode of Operation’ classification. Basically it is preloaded and injected within the main activity of the application. This means as soon as the application is launched a socket is opened which listens on a specific port and waiting for being attached by the Frida CLI.

Then install the APK on your device again. The application will startup showing a black screen. This will stay black until your actually attach to the Frida Gadget.

You can see which Frida Gadget’s are listening by running (we’re using -U to show a Frida server (a Gadget essentially) listening on an USB device);

$ frida-ps -U
$ frida-ps -U gadget # to attach

You’ll see the application we just patched showing up as a process. Now instead of using only Frida we’ll switch to use objection. As I said previously there are some neat stuff that comes with objection. What we are going to use is the feature to disable SSL Pinning. This is done while the app is in runtime. It supports different libraries used for SSL Pinning; OKHttp etc..

Now we use objection to attach to the Frida Gadget like so;

$ objection explore

This will spawn a new shell in which we can use different commands objection supports. We’ll do;

$ Android sslpinning disable

And voila SSL Pinning is now disabled. We can now use any MITM HTTP Proxy for example HttpCanary on Android to intercept and inspect all HTTP calls made by the application. This way we can understand and reverse engineer an HTTP API. This is extremely useful and much easier than for example decompiling binaries. It’s much more concise. Depends on the API of course.

Links and references;