Educational Content: This article is written for educational purposes to help developers and cybersecurity students understand software concepts. Always follow ethical guidelines and applicable laws.
Yesterday we talked about how Android APKs get decompiled and what you can do to make static analysis harder. ProGuard, NDK code, signature checks — all solid layers of defense. Today I want to talk about the tool that laughs at most of those defenses and keeps going.
That tool is Frida.
If you've spent any time in mobile security circles, you've seen the name. If you haven't — and you build apps that handle anything sensitive — this is genuinely important to understand. Not so you can use it to attack things, but because understanding how it works is the only way to make meaningful decisions about what your app's security can and can't actually guarantee.
What Frida Actually Is
Frida is a dynamic instrumentation toolkit. Free, open source, actively maintained, and used by security researchers, reverse engineers, mobile pentesters, and yes — people with less legitimate intentions — every single day.
The core idea is this: instead of decompiling your app and reading the code statically, Frida injects a JavaScript engine directly into your running process. From there, you can write JavaScript that intercepts function calls, reads and writes memory, modifies return values, and traces execution — all while the app is running normally on a real or virtual device.
This is what makes it so powerful compared to static analysis. Static analysis reads dead code. Frida operates on a live, running process — which means all the obfuscation, all the string encoding, all the ProGuard renaming is already undone by the time Frida sees it. The app decoded everything to run. Frida just reads it after that point.
A Simple Example of What Frida Can Do
Let's say you have an Android app with a method that checks whether a user has a premium subscription:
public boolean isPremiumUser() {
return this.userStatus.equals("PREMIUM");
}Even if ProGuard renamed this to a.b() and encoded the string, a Frida script can hook that method at runtime and force it to always return true:
// Frida script running on the device
Java.perform(function() {
var UserManager = Java.use('com.yourapp.UserManager');
UserManager.isPremiumUser.implementation = function() {
console.log('[*] isPremiumUser called — returning true');
return true;
};
});That's it. Three lines of JavaScript. The method now always returns true regardless of what the actual user status is. No APK modification. No repacking. No re-signing. The original APK runs untouched — Frida just intercepts the function call and swaps the return value.
This works on any method in any class. Java methods, Kotlin methods, native JNI functions, system APIs — Frida can hook all of them.
How Frida Gets Into the Process
There are two main modes depending on the setup:
Injected mode — Frida runs as a server process on a rooted Android device (frida-server). From your PC, you connect to it over ADB and specify which app to attach to. Frida injects its agent into the running process. This requires root on the device.
Embedded mode (frida-gadget) — For non-rooted devices or for testing your own app, you can embed frida-gadget.so directly into the APK. The app loads it as a native library on startup. This lets Frida work without root, which is significant — a lot of real-world attack scenarios involve non-rooted devices.
The embedded approach is also how pentesters often test apps that have root detection: repack the APK with the gadget already inside, bypassing the need for root entirely.
What Attackers Actually Use Frida For
Understanding the real use cases helps clarify what you're actually defending against:
License and paywall bypass — Hook the license check method, make it return true. This is the most common use against commercial apps and paid tools. Takes about ten minutes for a basic implementation.
SSL pinning bypass — Many apps implement certificate pinning to prevent traffic from being intercepted by a proxy like Burp Suite. Frida scripts like ssl-kill-switch hook the SSL verification methods and disable them, letting attackers read all HTTPS traffic the app sends and receives. This is huge — it exposes every API endpoint, every request format, every authentication token.
Extracting encryption keys — If your app decrypts something at runtime, Frida can hook the decryption function and log the key before it's used. The app does all the hard work, Frida just reads the result.
Game cheating — Hook score functions, health values, currency checks. Read memory addresses that hold game state. This is an entire subculture on its own.
API reverse engineering — Hook HttpURLConnection or OkHttp methods to log every network request the app makes — URL, headers, body, response. No SSL bypass needed for apps that don't pin certificates.
// Hooking OkHttp to log all requests
Java.perform(function() {
var OkHttpClient = Java.use('okhttp3.OkHttpClient');
var Request = Java.use('okhttp3.Request');
var RealCall = Java.use('okhttp3.RealCall');
RealCall.execute.implementation = function() {
var request = this.request();
console.log('[*] URL: ' + request.url().toString());
console.log('[*] Method: ' + request.method());
return this.execute();
};
});Why Your Static Defenses Don't Stop This
This is the uncomfortable part for developers who've put effort into static protections:
ProGuard obfuscation — Frida can enumerate all loaded classes and methods at runtime. Even with obfuscated names, you can find what you're looking for by tracing method calls or searching for patterns in behavior. Obfuscated names are an inconvenience, not a barrier.
Root detection — If Frida is injected via gadget in an embedded mode on a non-rooted device, your root detection returns false correctly — but Frida is still inside the process, running happily.
Emulator detection — Frida works on real physical devices. Emulator detection doesn't apply.
Signature checks — If the attacker embeds the gadget in your APK, they've re-signed it, which breaks signature checks. But they can also hook the signature check method itself with Frida to make it return the expected hash.
NDK native code — Frida can hook native functions too. It's harder and requires knowing the function address or symbol name, but it's absolutely doable with tools like Module.findExportByName() or by scanning memory for known byte patterns.
// Hooking a native function by export name
Interceptor.attach(Module.findExportByName("libyourlib.so", "validateKey"), {
onEnter: function(args) {
console.log('[*] validateKey called with: ' + args[0].readUtf8String());
},
onLeave: function(retval) {
console.log('[*] validateKey returned: ' + retval);
retval.replace(1); // force return value to 1 (true)
}
});
What You Can Actually Do About Frida
Complete Frida prevention is not realistic for client-side apps. But meaningful friction is absolutely achievable.
Detect frida-server on the device — Check for the frida-server process or its default port (27042):
public boolean isFridaRunning() {
try {
// Check for frida-server default port
Socket socket = new Socket();
socket.connect(new InetSocketAddress("127.0.0.1", 27042), 100);
socket.close();
return true; // port is open, frida-server likely running
} catch (Exception e) {
return false;
}
}
Scan loaded libraries for frida-gadget — Check the maps file for known Frida library names:
public boolean isFridaGadgetLoaded() {
try {
BufferedReader reader = new BufferedReader(new FileReader("/proc/self/maps"));
String line;
while ((line = reader.readLine()) != null) {
if (line.contains("frida") || line.contains("gadget")) {
reader.close();
return true;
}
}
reader.close();
} catch (Exception e) {
// ignore
}
return false;
}
Move critical validation server-side — This is the only defense that Frida cannot touch. If your server decides whether a user is premium based on their authenticated session — and the app just displays what the server returns — there's nothing in the app for Frida to hook. The app receives "not premium" from the server, and no amount of hooking client-side methods changes what the server sends.
Implement anti-tampering checks in native code — Put your Frida detection logic in C++ and call it via JNI. Make sure the detection runs from multiple places in the app, not just at startup — so it can't be easily bypassed by hooking a single method.
Use runtime integrity checks — Periodically verify checksums of critical methods in memory. If a method's bytecode has been modified by Frida's inline hooking, the checksum will differ. This is advanced but effective against naive Frida usage.
The Right Mindset for Mobile Security
Here's the realistic takeaway: if someone has physical access to a device with your app on it and is willing to put in the effort, they can eventually get through your defenses. Frida makes that "eventually" much shorter than it used to be.
The goal of everything covered here — and in the last post — isn't to make your app impossible to reverse engineer. It's to make it not worth the effort compared to the reward. An attacker who needs to spend four hours bypassing your layered defenses to unlock a feature that costs a few dollars will find something easier to target.
Design your architecture so that the most valuable things — data, business logic, authorization decisions — live on your server. Use client-side protections to raise the bar and filter out opportunistic attacks. Accept that determined attackers exist and make sure there's nothing on the client side valuable enough to justify their time.
That's not pessimism. That's just accurate threat modeling — and it's what separates apps that hold up from apps that get cracked the week they launch.
— JSHook Team
