Hacktricks-skills android-frida-pentest

Android app pentesting with Frida - use this skill whenever you need to hook Java methods, bypass root checks, debugger detection, or decrypt data in Android apps. Trigger this for any Android security testing, APK analysis, OWASP MSTG challenges, or when you want to intercept cryptographic operations, root detection, or debugger checks in Android applications.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1/SKILL.MD
source content

Android Frida Pentesting Skill

A skill for performing Android application security testing using Frida dynamic instrumentation. This skill helps you hook Java methods, bypass security checks, and extract sensitive data from Android apps.

When to Use This Skill

Use this skill when you need to:

  • Hook and intercept Java method calls in Android apps
  • Bypass root detection checks
  • Bypass debugger detection
  • Decrypt data using hooked cryptographic functions
  • Test OWASP MSTG crackme challenges
  • Perform dynamic analysis on Android APKs
  • Use Frida, Objection, or frida-trace for Android pentesting

Prerequisites

Before using this skill, ensure you have:

  • A rooted Android device or emulator
  • Frida installed (pip install frida-tools)
  • ADB connected to your device
  • The target APK installed on the device
  • For Android 14+: use spawn mode (-f) due to seccomp-bpf restrictions

Quick Start

1. Install Frida on Device

# Download frida-server for your device architecture
adb push frida-server-16.1.0-android-arm64 /data/local/tmp/frida-server
adb shell chmod 755 /data/local/tmp/frida-server
adb shell /data/local/tmp/frida-server &

2. Verify Connection

frida-ps -U  # List running processes

3. Use Pre-built Scripts

This skill includes ready-to-use scripts in scripts/:

  • frida-uncrackable-l1.js - OWASP UnCrackable Level 1 solution
  • frida-trace-setup.sh - Auto-generate hooks with frida-trace
  • objection-one-liner.sh - Objection wrapper for quick testing

OWASP UnCrackable Level 1

This is a common training app for learning Android pentesting. The app contains:

  • AES-encrypted flag
  • Root detection checks
  • Debugger detection
  • Exit prevention

Solution 1: Basic Hook (Decrypt Flag)

Use scripts/frida-uncrackable-l1.js to:

  1. Hook the AES decryption function
  2. Print the decrypted flag to the Frida console
  3. Prevent the app from exiting

frida -U -f owasp.mstg.uncrackable1 -l scripts/frida-uncrackable-l1.js --no-pause

Solution 2: Full Bypass (Root + Debugger Checks)

The script also bypasses:

  • sg.vantagepoint.a.c.a() - Checks for /system/bin/su
  • sg.vantagepoint.a.c.b() - Checks for a test-keys build
  • sg.vantagepoint.a.c.c() - Checks for root packages
  • sg.vantagepoint.a.b.a() - Debugger detection

Solution 3: Auto-Generate with frida-trace

For Frida 16+, use frida-trace to auto-generate hooks. Java targets are given as CLASS!METHOD patterns (globs allowed), so the AES routine and every method of the root-check class are selected like this:

adb shell "am force-stop owasp.mstg.uncrackable1"
frida-trace -U -f owasp.mstg.uncrackable1 \
            -j 'sg.vantagepoint.a.a!a' \
            -j 'sg.vantagepoint.a.c!*' \
            --output ./trace

Then edit the generated script in ./trace/scripts/ and run:

frida -U -f owasp.mstg.uncrackable1 -l ./trace/_loader.js --no-pause

Solution 4: Objection One-Liner

If you have Objection >1.12:

objection -g owasp.mstg.uncrackable1 explore \
  --startup-command "android hooking watch class sg.vantagepoint.a.a method a \
  && android hooking set return_value false sg.vantagepoint.a.c * \
  && android hooking invoke sg.vantagepoint.a.a a '[B' '[B'"

Common Hooking Patterns

Hook Java Method

Java.perform(function () {
  var MyClass = Java.use("com.example.MyClass")
  MyClass.myMethod.overload().implementation = function () {
    console.log("Method called!")
    return this.myMethod.overload().call(this)
  }
})

Bypass Boolean Check

var CheckClass = Java.use("com.example.CheckClass")
CheckClass.isRooted.overload().implementation = function () {
  return false  // Always return false
}

Intercept String Data

// Frida presents a Java byte[] as an array of signed values (-128..127);
// mask each byte with 0xff so String.fromCharCode gets the unsigned value.
function bytesToString(data) {
  var result = ""
  for (var i = 0; i < data.length; i++) {
    result += String.fromCharCode(data[i] & 0xff)
  }
  return result
}
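The two pieces above (Solution 1's hook on the Level 1 AES routine, and the byte-array decoding) combined into one script, as an added example that is not the skill's own frida-uncrackable-l1.js. It assumes the method name sg.vantagepoint.a.a.a(byte[], byte[]) given on this page; the helpers are pure JavaScript so they also run outside Frida, and the hook installs only when the global Java object exists.

```javascript
// Frida hands a Java byte[] to JavaScript as signed values (-128..127), so a
// naive String.fromCharCode(b) on a negative byte yields the wrong character.
// Printable ASCII is emitted as-is, everything else as a \xNN escape so binary
// output does not corrupt the console.
function javaBytesToString(bytes) {
  var out = "";
  for (var i = 0; i < bytes.length; i++) {
    var b = bytes[i] & 0xff;
    out += (b >= 0x20 && b < 0x7f)
      ? String.fromCharCode(b)
      : "\\x" + ("0" + b.toString(16)).slice(-2);
  }
  return out;
}

// Lowercase hex of the same array (useful for logging the key argument).
function javaBytesToHex(bytes) {
  var hex = "";
  for (var i = 0; i < bytes.length; i++) {
    hex += ("0" + (bytes[i] & 0xff).toString(16)).slice(-2);
  }
  return hex;
}

// Constructed sample: "flag" followed by the UTF-8 bytes of "é" as Frida
// would present them (signed). Decodes to flag\xc3\xa9.
var SAMPLE_BYTES = [102, 108, 97, 103, -61, -87];
console.log("[sample] " + javaBytesToString(SAMPLE_BYTES));

// Under Frida (frida -U -f owasp.mstg.uncrackable1 -l this.js) hook the
// Level 1 AES routine, log key and plaintext, and return the original result
// so the app keeps behaving normally.
if (typeof Java !== "undefined") {
  Java.perform(function () {
    var Aes = Java.use("sg.vantagepoint.a.a");
    Aes.a.overload("[B", "[B").implementation = function (key, data) {
      var plain = this.a(key, data); // call the original implementation
      console.log("[*] key   : " + javaBytesToHex(key));
      console.log("[*] plain : " + javaBytesToString(plain));
      return plain;
    };
  });
}
```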

Prevent App Exit

var System = Java.use("java.lang.System")
System.exit.overload("int").implementation = function (code) {
  console.log("Exit prevented!")
  // Don't call original - app stays running
}

Modern Android Notes (2023-2025)

Android 14 (API 34)

  • Use spawn mode (-f) - attach mode is blocked by seccomp-bpf
  • Frida 16.1+ required for reliability

Android 12/13

  • Frida 16.1+ fixes the Scudo allocator crash
  • If you see missing SHADOW_OFFSET, upgrade Frida

Root Detection Evasion

  • libsu 5.x and Zygisk hide su well
  • Java checks still fail if /system/bin/su exists
  • Hook java.io.File.exists() to bypass file checks

Play Integrity

  • Replaced SafetyNet in 2023
  • Hook com.google.android.gms.safetynet.SafetyNetClient
  • Return a forged EvaluationType

Troubleshooting

"No such process"

# Make sure app is installed
adb shell pm list packages | grep <package-name>

"Permission denied"

# Ensure device is rooted and frida-server is running
adb shell ps | grep frida

"Abort message: missing SHADOW_OFFSET"

# Upgrade Frida to 16.1+ or use nightly 17.0

App crashes immediately

# --no-pause resumes the main thread right after spawning instead of leaving
# the app paused until you type %resume in the Frida console
frida -U -f <package> -l script.js --no-pause

Next Steps

  1. Run the included scripts against OWASP UnCrackable Level 1
  2. Explore the app's package structure with frida-trace
  3. Customize hooks for your target application
  4. Use the patterns here as templates for other apps