Using Frida on Android without root
source : https://koz.io/using-frida-on-android-without-root/
Frida is a great toolkit by @oleavr, used to build tools for dynamic instrumentation of apps in userspace. It is often used, like Substrate, Xposed and similar frameworks, during security reviews of mobile applications.
Typically rooted Android devices are used during such reviews. There are several reasons for this, but the most important is that the frida-server
binary, which executes on the device, requires root privileges to attach to (ptrace
) the target application, in order to inject the Frida gadget library into the memory space of the process.
However, testing on a rooted device is not the only way! I am not sure why this technique is not more widely publicized, but Frida can also be used on non-rooted Android devices and non-jailbroken iPhones, without running frida-server
at all. In this post I will focus on Android, however things are pretty similar on iOS - frida can also be used on jailed Apple devices.
A few advantages of using Frida on a non-rooted device:
Enables testing on devices you cannot or do not want to root (obviously).
Avoids some sideeffects due to application checks for ptracing/debugging or checks for tampered environment.
However:
This technique will trigger checks against repackaging (unless those are separately bypassed).
Adding frida-gadget
to an Android application
frida-gadget
to an Android applicationThe technique is simple, it can be described in short as “adding a shared library & repackaging the Android application”. Here it is, step by step:
Get the the APK binary of te application you want to test, e.g.
myapp.apk
.Use
apktool
to decode the APK into it’s contents. Preferably its latest version.Add the frida native libraries (
frida-gadget
) into the APK’s /lib folder. The gadget libraries for each architecture can be found in Frida’s release page. Make sure to add the libraries for the correct architecture in a suitable folder under/lib
, e.g./lib/armeabi
for 32bit ARM devices.Inject a
System.loadLibrary("frida-gadget")
call into the bytecode of the app, ideally before any other bytecode executes or any native code is loaded. A suitable place is typically the static initializer of the entry point classes of the app, e.g. the main application Activity, found via the manifest.An easy way to do this is to add the following smali code in a suitable function:
Alternatively someone could create a script that injects the library into the process via ptrace; but this script would need to be packaged with the application (just like
gdbserver
).Add the Internet permission to the manifest if it’s not there already, so that Frida gadget can open a socket.
Repackage the application:
Sign the updated APK using your own keys and zipalign.
Install the updated APK to a device.
If this process seems complicated, the good news is that it can be automated. As part of the appmon hooking framework (based on Frida) @dpnishant released apk_builder, a script automating most of the above steps!
Using frida gadget
When you next start the application you are going to see an empty screen: The injected libfrida-gadget.so
library has opened a tcp socket and waits for a connection from frida.
You should see a message similar to the following in logcat:
Running nestat
on the device confirms the listening socket:
As you might expect, the next step is connecting to the listening socket: Most frida tools work as expected although there are a few issues that can be handled better, e.g. connecting to the library after initialization, not just during loading.
There is just one thing to keep in mind: The process name you are going to use in Frida tooling should be “Gadget” instead of the normal package name.
Examples!
Enjoy!
Last updated