Dec 16, 2020
Frida is a dynamic binary instrumentation toolkit that allows us to execute scripts in previously locked down software. Sound complicated? Our introduction to Frida will simplify it for you. In a nutshell, Frida lets you inject snippets of JavaScript into native apps on Windows, Mac, Linux, iOS and Android.
Why should you care about Frida?
To date, most of the hacking attempts on the Android platform focus on decompiling the APK into something resembling the original source code. This is a static form of attack where the attacker is looking for hard coded passwords, API or crytopgraphic keys. They do this to gain access to personal information stored on the device or to find clues about how to attack backend servers.
Frida, on the other hand, allows you to interact with the Android APK so you can inject code to bypass many of the techniques developers use to secure the apps. Some examples include bypassing the login screen to authenticate without a password, or disabling SSL pinning to allow the hacker to see all the network traffic between your app and any backend servers.
Many of the method calls you make in your Android app can be hijacked or overridden by Frida for purposes that were never intended. By injecting JavaScript code, Frida can disable or enable a switch or pass fake parameters to gain access to information that would not otherwise be available.
How does Frida work?
To install Frida, you need to have a rooted Android phone or jailbroken iOS phone.
On an Android execute the following steps:
$ adb root # might be required
$ adb push frida-server /data/local/tmp/
$ adb shell "chmod 755 /data/local/tmp/frida-server"
$ adb shell "/data/local/tmp/frida-server &"
Now, see if it's working by typing the following which will give you a list of running processes:
$ frida-ps -U
Find a list of all classes running on your target app by typing:
$ frida -U -l class-structure.js com.riis.example > classes.txt
Assuming there's a login screen to bypass we can run the following command:
$ frida -U -l bypass.js com.riis.example
The code in Listing 1 will override the login activity and close it immediately, we can then fire the next intent allowing us to skip the login completely.
Java.perform(function () {
var LoginActivity = Java.use("com.riis.example.LoginActivity");
LoginActivity.onResume.implementation = function () {
console.log("[*] onResume() got called!");
this.onResume();
this.finish();
};
LoginActivity.onCreate.implementation = function (instance) {
console.log("[*] onCreate() got called!");
this.onCreate(instance);
this.finish();
};
});
Listing 1: byspass.js
Even more about Frida.
There are a number of other applications that use Frida as their underlying engine. Frida uses a command line interface so other applications such as PassionFruit use Frida to disassemble the code and make it very simple to find any keys or passwords or view SQLite databases, see figure 1.
Frida also works on iOS, allowing the same sort of code injections and disassembly as shown on the Android platform.