Frida#

Frida is a dynamic code instrumentation toolkit. The operator injects JavaScript or their own library into native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX.

Devices#

$ frida-ls-devices                # listing frida devices

Getting frida server running on device.

# download latest binary from frida releases
$ adb shell "su -c 'chmod 755 /data/local/tmp/frida-server'"
$ adb shell "su -c '/data/local/tmp/frida-server' &"

Trace open calls in Chrome.

$ frida-trace -U -i open com.android.chrome

Frida CLI#

$ frida -U <APP NAME>                                       # attach and debug

$ frida Calculator -l calc.js                               # load a script
# add --debug for more debugging symbols

$ frida-ps -U                                               # running processes
$ frida-ps -Ua                                              # running applications
$ frida-ps -Uai                                             # installed applications
$ frida-ps -D 0216027d1d6d3a03                              # specific device

# brida-frida bridge troubleshooting
$ frida -U -f com.htbridge.pivaa -l ~/bin/proxies/scriptBrida.js --no-pause
# NOTE: turn off magisk hiding in settings; it breaks brida / frida link

iOS#

For non-jailbroken iPhones, the frida-gadget technique is the way. Recompile the app with the embedded frida gadget.

# on the device
$ ipainstaller -l > applist.txt

# active window
w = ObjC.classes.UIWindow.keyWindow()
# returns an address such as 0xd43321
# drill into the window
desc = w.recursiveDescription().toString()

# one-liner
$ frida -q -U evilapp -e "ObjC.classes.UIWindow.keyWindow().recursiveDescription().toString();" \
    | grep "UILabel.*hidden*"

Frida scripts#

# SSL pinning bypass (android, via frida codeshare)
$ frida --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f YOUR_BINARY
$ frida --codeshare segura2010/android-certificate-pinning-bypass -f YOUR_BINARY
$ frida --codeshare sowdust/universal-android-ssl-pinning-bypass-2 -f YOUR_BINARY

# Anti-root bypass (android)
$ frida --codeshare dzonerzy/fridantiroot -f YOUR_BINARY

# Obj-C method observer
$ frida --codeshare mrmacete/objc-method-observer -f YOUR_BINARY

# Get stack trace in your hook (android)
$ frida --codeshare razaina/get-a-stack-trace-in-your-hook -f YOUR_BINARY

# Bypass network security config (android)
$ frida --codeshare tiiime/android-network-security-config-bypass -f YOUR_BINARY

# Extract android keystore
$ frida --codeshare ceres-c/extract-keystore -f YOUR_BINARY

# iOS backtrace HTTP requests
$ frida --codeshare SYM01/ios-backtrace-http-req -f YOUR_BINARY

# iOS Trustkit SSL unpinning
$ frida --codeshare platix/ios-trustkit-ssl-unpinning -f YOUR_BINARY

# iOS SSL bypass
$ frida --codeshare lichao890427/ios-ssl-bypass -f YOUR_BINARY

# iOS 12 SSL bypass
$ frida --codeshare machoreverser/ios12-ssl-bypass -f YOUR_BINARY

# iOS SSL pinning disable
$ frida --codeshare snooze6/ios-pinning-disable -f YOUR_BINARY

# iOS and Android enumeration script
$ frida --codeshare snooze6/everything -f YOUR_BINARY

References#