Frida#
Frida is a dynamic code instrumentation toolkit. The operator injects JavaScript or their own library into native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX.
Devices#
$ frida-ls-devices # listing frida devices
Getting frida server running on device.
# download latest binary from frida releases
$ adb shell "su -c 'chmod 755 /data/local/tmp/frida-server'"
$ adb shell "su -c '/data/local/tmp/frida-server' &"
Trace open calls in Chrome.
$ frida-trace -U -i open com.android.chrome
Frida CLI#
$ frida -U <APP NAME> # attach and debug
$ frida Calculator -l calc.js # load a script
# add --debug for more debugging symbols
$ frida-ps -U # running processes
$ frida-ps -Ua # running applications
$ frida-ps -Uai # installed applications
$ frida-ps -D 0216027d1d6d3a03 # specific device
# brida-frida bridge troubleshooting
$ frida -U -f com.htbridge.pivaa -l ~/bin/proxies/scriptBrida.js --no-pause
# NOTE: turn off magisk hiding in settings; it breaks brida / frida link
iOS#
For non-jailbroken iPhones, the frida-gadget technique is the way. Recompile the app with the embedded frida gadget.
# on the device
$ ipainstaller -l > applist.txt
# active window
w = ObjC.classes.UIWindow.keyWindow()
# returns an address such as 0xd43321
# drill into the window
desc = w.recursiveDescription().toString()
# one-liner
$ frida -q -U evilapp -e "ObjC.classes.UIWindow.keyWindow().recursiveDescription().toString();" \
| grep "UILabel.*hidden*"
Frida scripts#
# SSL pinning bypass (android, via frida codeshare)
$ frida --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f YOUR_BINARY
$ frida --codeshare segura2010/android-certificate-pinning-bypass -f YOUR_BINARY
$ frida --codeshare sowdust/universal-android-ssl-pinning-bypass-2 -f YOUR_BINARY
# Anti-root bypass (android)
$ frida --codeshare dzonerzy/fridantiroot -f YOUR_BINARY
# Obj-C method observer
$ frida --codeshare mrmacete/objc-method-observer -f YOUR_BINARY
# Get stack trace in your hook (android)
$ frida --codeshare razaina/get-a-stack-trace-in-your-hook -f YOUR_BINARY
# Bypass network security config (android)
$ frida --codeshare tiiime/android-network-security-config-bypass -f YOUR_BINARY
# Extract android keystore
$ frida --codeshare ceres-c/extract-keystore -f YOUR_BINARY
# iOS backtrace HTTP requests
$ frida --codeshare SYM01/ios-backtrace-http-req -f YOUR_BINARY
# iOS Trustkit SSL unpinning
$ frida --codeshare platix/ios-trustkit-ssl-unpinning -f YOUR_BINARY
# iOS SSL bypass
$ frida --codeshare lichao890427/ios-ssl-bypass -f YOUR_BINARY
# iOS 12 SSL bypass
$ frida --codeshare machoreverser/ios12-ssl-bypass -f YOUR_BINARY
# iOS SSL pinning disable
$ frida --codeshare snooze6/ios-pinning-disable -f YOUR_BINARY
# iOS and Android enumeration script
$ frida --codeshare snooze6/everything -f YOUR_BINARY