Reverse engineering (Android) applications with Frida toolkit

August 2020 · 4 minute read

This brief post is about reverse engineering Android applications using Frida. Frida can be used on anything really; it’s an extremely versatile toolkit.

It’s a very valuable tool for reverse engineering how applications work and, in my example, for gaining knowledge of an undocumented API that is used by an Android application.

I won’t get into the specific API but will instead briefly show how to use Frida and related tools, from my experience. I’m not an expert at all.

First you will have to install Frida. Depending on your OS you can install it with Python pip or, on Arch Linux like me, with the AUR package python-frida-tools.

In this case we’re trying to do some API tracing of an Android app. There is a little tool called objection which can automatically inject/patch an Android application, making it possible to bypass SSL pinning, dump memory and other stuff. With this you can sort of debug almost any Android application. objection is built on top of Frida with some extras, as I mentioned. To install objection you can use pip:

$ pip install objection

If you have a rooted device the next step is not needed. To patch an Android application you’ll need its APK. Either pull the APK from your device with adb or find the APK on APKMirror.

After that you patch said APK like this:

$ objection patchapk --source app-release.apk

This will inject what is called a Frida Gadget. If you run into errors regarding apktool in this process you can add the -2 argument to objection. This will use the aapt2 binary instead of aapt; aapt is the Android Asset Packaging Tool.

The Frida Gadget is a shared library meant to be loaded by programs to be instrumented when the regular injected mode of operation isn’t suitable. You can read about the ‘Modes of Operation’ on the Frida website; the Frida Gadget falls under the ‘Embedded’ mode of operation. Basically it is preloaded and injected within the main activity of the application. This means that as soon as the application is launched, a socket is opened which listens on a specific port and waits for the Frida CLI to attach.
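Because the Gadget is an ordinary shared library packed into the APK, a repackaged build can be recognised by inspecting the archive. The following is an added example, not code from the original post or from the Frida/objection projects. It assumes the default library name frida-gadget; the function names and the sample APK contents are constructed for illustration.

```python
import io
import zipfile

# Assumed default name; a renamed gadget library evades this heuristic.
GADGET_MARKER = b"frida-gadget"


def find_gadget_traces(apk_bytes: bytes) -> dict:
    """Return gadget libraries and dex files that reference the gadget."""
    libs, dex_refs = [], []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            base = name.rsplit("/", 1)[-1]
            # Native libraries live under lib/<abi>/ inside the APK.
            if name.startswith("lib/") and base.endswith(".so"):
                if GADGET_MARKER.decode() in base:
                    libs.append(name)
            # A loadLibrary call for the gadget leaves its name in the
            # dex string table, so a raw byte search is enough here.
            elif base.startswith("classes") and base.endswith(".dex"):
                if GADGET_MARKER in apk.read(name):
                    dex_refs.append(name)
    return {"libraries": sorted(libs), "dex_references": sorted(dex_refs)}


def build_sample_apk(patched: bool) -> bytes:
    """Build a minimal stand-in APK (zip) in memory; contents are constructed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        apk.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF constructed")
        dex = b"dex\n035\x00" + b"Lcom/example/MainActivity;"
        if patched:
            dex += b"\x0cfrida-gadget\x00"
            apk.writestr("lib/arm64-v8a/libfrida-gadget.so", b"\x7fELF constructed")
        apk.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    for label, patched in (("original", False), ("patched", True)):
        print(label, find_gadget_traces(build_sample_apk(patched)))
```

To check a real file, pass its bytes: `find_gadget_traces(open("app-release.apk", "rb").read())`.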

Then install the APK on your device again. The application will start up showing a black screen. This will stay black until you actually attach to the Frida Gadget.

You can see which Frida Gadgets are listening by running the following (we’re using -U to show a Frida server (a Gadget essentially) listening on a USB device):

$ frida-ps -U
$ frida -U gadget # to attach

You’ll see the application we just patched showing up as a process. Now instead of using only Frida we’ll switch to using objection. As I said previously, there is some neat stuff that comes with objection. What we are going to use is the feature to disable SSL Pinning. This is done at runtime, while the app is running. It supports different libraries used for SSL Pinning: OkHttp etc.

Now we use objection to attach to the Frida Gadget like so:

$ objection explore

This will spawn a new shell in which we can use the different commands objection supports. We’ll do:

$ android sslpinning disable

And voilà, SSL Pinning is now disabled. We can now use any MITM HTTP proxy, for example HttpCanary on Android, to intercept and inspect all HTTP calls made by the application. This way we can understand and reverse engineer an HTTP API. This is extremely useful and much easier than for example decompiling binaries. It’s much more concise. Depends on the API of course.

You can also use frida directly instead of objection. objection is merely wrapping frida to make it easier to work with Android and iOS devices; i.e. automatic patching of binaries, needed on systems without root access.

Launch YouTube on your Android device and trace Java methods with “certificate” in their signature (s), ignoring case (i) and only searching in user-defined classes (u):

$ frida-trace -U -f com.google.android.youtube --runtime=v8 -j '*!*certificate*/isu'

The possibilities are endless really, especially when you have root access on the system or device you’re investigating. You can also write your own scripts with which you can basically hook into any system call or other function, either modifying arguments or methods, or making custom calls to functions, all using the frida Python libraries.
