Ethical Hacking #frida #mobile security #reverse engineering

Frida Mobile App Reverse Engineering Guide

Learn how to use Frida to hook, trace, and reverse engineer Android and iOS apps. A hands-on guide for mobile security researchers.


Frida is one of the most powerful tools in a mobile security researcher’s arsenal. It’s a dynamic instrumentation framework that lets you inject JavaScript snippets into running processes on Android, iOS, Windows, macOS, and Linux. In the mobile pentesting world, Frida is indispensable for bypassing certificate pinning, hooking API calls, dumping memory, and understanding how apps behave at runtime — without needing the source code.

What Frida Can Do

Frida works by injecting a JavaScript engine into a target process, giving you access to every function, class, and method the app uses at runtime. Practically speaking, this lets you:

  • Bypass SSL certificate pinning — intercept HTTPS traffic from apps that normally reject custom CA certificates
  • Hook Java/Kotlin methods on Android to log arguments and return values
  • Hook Objective-C/Swift methods on iOS to inspect behavior
  • Trace cryptographic operations — see plaintext and keys at the moment they are passed to the crypto API, before the ciphertext leaves the process
  • Bypass root/jailbreak detection — make apps believe they’re running on a clean device
  • Dump app memory — extract keys, credentials, or decrypted payloads

Installing Frida

Install the Frida tools on your host machine using pip:

pip3 install frida-tools
frida --version

On Android, push the frida-server binary to a rooted device. Download the release that matches both the device architecture (arm64 on most modern phones, x86_64 on the standard emulator images) and the version of frida-tools on your host: a server from a different release will refuse the connection. The release asset is xz-compressed, and the server must run as root:

xz -d frida-server-16.x.x-android-arm64.xz
adb push frida-server-16.x.x-android-arm64 /data/local/tmp/frida-server
adb shell chmod 755 /data/local/tmp/frida-server
adb shell "su -c '/data/local/tmp/frida-server -D'"

-D daemonizes the server so it keeps running after the shell returns. On an emulator image that allows adb root, run `adb root` once and start the binary directly instead of going through su.

Verify the connection from your host:

frida-ps -U

This lists the running processes on the USB-connected device. `frida-ps -Uai` lists installed applications with their package identifiers, which is the name the -f flag below expects.

Basic Hooking with Frida

The core concept is writing a JavaScript script that Frida injects into the target app. Let’s say you want to log every call to a method called checkPassword in the class com.example.app.AuthManager:

Java.perform(function () {
  var AuthManager = Java.use('com.example.app.AuthManager');
  AuthManager.checkPassword.overload('java.lang.String').implementation = function (password) {
    console.log('[*] checkPassword called with: ' + password);
    var result = this.checkPassword(password);
    console.log('[*] checkPassword returned: ' + result);
    return result;
  };
});

Run this script against the app:

frida -U -f com.example.app -l hook_auth.js

The -f flag spawns the app with the script loaded before any app code runs, which is what you want when the method of interest is called during startup. Current frida-tools resume the spawned process automatically; older guides add --no-pause, which recent versions no longer accept, and --pause now holds the process until you type %resume in the REPL. Use -n com.example.app to attach to an already-running process by name, or -p with a PID.
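
The hook above covers a single overload and logs arguments by string concatenation, which garbles byte[] values such as password hashes. The script below is an added example, not code from the page: it hooks every overload of a method and serialises arguments for the log. com.example.app.AuthManager and checkPassword are the page's hypothetical names; the rendering of byte[] assumes Frida's Java bridge hands arrays to JavaScript as array-like objects of signed numbers. The helpers are plain JavaScript, so the Frida-specific part only runs when the Java bridge is present.

```javascript
'use strict';

// Render one hooked argument or return value for the log. Java strings reach
// Frida as JS strings; byte[] arrives as an array-like of signed numbers,
// rendered here as hex so keys and hashes stay readable. Other Java objects are
// Frida wrappers whose toString() calls the Java toString().
function formatValue(v) {
  if (v === null || v === undefined) return 'null';
  if (typeof v === 'string') return JSON.stringify(v);
  if (Array.isArray(v) || ArrayBuffer.isView(v) || typeof v.length === 'number') {
    return '0x' + Array.from(v, function (b) {
      return ((b + 256) % 256).toString(16).padStart(2, '0');   // signed byte -> 00..ff
    }).join('');
  }
  return String(v);
}

function formatCall(className, methodName, args, ret) {
  return className + '.' + methodName + '(' +
    Array.from(args, formatValue).join(', ') + ') -> ' + formatValue(ret);
}

// Hook every overload of className.methodName. Hooking one overload, as
// .overload('java.lang.String') does, misses calls that go through the others,
// e.g. checkPassword(char[]) or checkPassword(String, boolean).
function hookAllOverloads(className, methodName) {
  var clazz = Java.use(className);
  var overloads = clazz[methodName].overloads;
  overloads.forEach(function (ov) {
    ov.implementation = function () {
      var args = Array.prototype.slice.call(arguments);
      // `this` is the Java instance (the class wrapper for static methods);
      // calling through this[methodName] dispatches to the matching original.
      var ret = this[methodName].apply(this, args);
      console.log('[*] ' + formatCall(className, methodName, args, ret));
      return ret;
    };
  });
  return overloads.length;
}

// Only install hooks inside Frida; the helpers above also run in plain Node.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    var n = hookAllOverloads('com.example.app.AuthManager', 'checkPassword');
    console.log('[*] hooked ' + n + ' overload(s) of checkPassword');
  });
}
```

Load it exactly like hook_auth.js above. A call such as checkPassword("hunter2") then logs as `com.example.app.AuthManager.checkPassword("hunter2") -> false`, and a byte[] argument logs as a hex string rather than a comma-separated list of signed integers.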

Bypassing Certificate Pinning

Many apps pin their server certificate or its public key so that traffic cannot be intercepted by a proxy such as Burp Suite, even when the proxy's CA is installed on the device. Frida makes bypassing this straightforward with a community unpinning script; a good general-purpose one lives at github.com/httptoolkit/frida-android-unpinning:

frida -U -f com.target.app -l ssl-pinning-bypass.js

That script handles most common pinning implementations, including OkHttp3, Conscrypt's TrustManagerImpl, and the native SSL_CTX_set_custom_verify path used by BoringSSL-based stacks such as Flutter. Once the bypass is active, install Burp's CA certificate on the device, bind the Burp listener to all interfaces (the default binds only to 127.0.0.1), and point the device's Wi-Fi proxy at your host's LAN address on port 8080. Decrypted HTTPS traffic then appears in the proxy history.
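
To show what such a script actually does, here is an added example, not the page's code and not httptoolkit's script, covering two of those layers: it no-ops OkHttp3's CertificatePinner.check() and replaces the TrustManager array handed to SSLContext.init() with one that accepts any chain. Each hook is installed in its own try/catch through an injected use() function (Java.use at runtime), so an app without OkHttp still gets the SSLContext hook instead of the whole script dying on ClassNotFoundException. The class name com.example.frida.TrustAll is our own choice. Conscrypt's TrustManagerImpl, WebView and BoringSSL paths are not covered here, which is why the community script is considerably longer.

```javascript
'use strict';

// Layer 1: okhttp3.CertificatePinner.check(...) - the app-level pin list.
// All check() overloads return void, so an empty implementation skips the check.
function hookOkHttp3(use) {
  var Pinner = use('okhttp3.CertificatePinner');
  Pinner.check.overloads.forEach(function (ov) {
    ov.implementation = function () {
      console.log('[*] okhttp3 CertificatePinner.check() bypassed for ' + arguments[0]);
    };
  });
  // OkHttp 4 (Kotlin) also exposes check$okhttp(String, Function0); only present there.
  var kotlinCheck = Pinner['check$okhttp'];
  if (kotlinCheck) {
    kotlinCheck.implementation = function () {};
  }
}

// Layer 2: javax.net.ssl.SSLContext.init(KeyManager[], TrustManager[], SecureRandom).
// Apps and libraries that verify chains themselves pass a custom TrustManager here;
// we swap in one that accepts everything. Class name is our own (hypothetical).
function hookSslContext(use) {
  var X509TrustManager = use('javax.net.ssl.X509TrustManager');
  var SSLContext = use('javax.net.ssl.SSLContext');
  var TrustAll = Java.registerClass({
    name: 'com.example.frida.TrustAll',
    implements: [X509TrustManager],
    methods: {
      checkClientTrusted: function (chain, authType) {},
      checkServerTrusted: function (chain, authType) {},
      getAcceptedIssuers: function () { return []; }
    }
  });
  var init = SSLContext.init.overload(
    '[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom');
  init.implementation = function (km, tm, rng) {
    console.log('[*] SSLContext.init(): replacing trust managers with TrustAll');
    init.call(this, km, [TrustAll.$new()], rng);
  };
}

var PINNING_HOOKS = [
  { cls: 'okhttp3.CertificatePinner', install: hookOkHttp3 },
  { cls: 'javax.net.ssl.SSLContext',   install: hookSslContext }
];

// Install each hook independently: use() throws for a class the app does not
// ship (e.g. no OkHttp), and that must not take out the remaining hooks.
function installAll(hooks, use) {
  return hooks.map(function (h) {
    try {
      h.install(use);
      return { cls: h.cls, installed: true };
    } catch (e) {
      console.log('[!] ' + h.cls + ': ' + String(e));
      return { cls: h.cls, installed: false };
    }
  });
}

if (typeof Java !== 'undefined') {
  Java.perform(function () {
    installAll(PINNING_HOOKS, function (cls) { return Java.use(cls); });
  });
}
```

Because SSLContext.init() is hooked rather than the trust store, Burp's certificate does not need to be trusted by the app for connections that go through this path; it still needs to be installed for any TLS stack the script does not hook.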

Bypassing Root Detection

Apps with root detection typically look for su binaries in the usual locations (/system/bin/su, /system/xbin/su, /sbin/su), Magisk or Superuser artifacts on disk or in the package list, writable system partitions, and suspicious processes or system properties. For the widely used RootBeer library, a simple bypass looks like:

Java.perform(function () {
  var RootBeer = Java.use('com.scottyab.rootbeer.RootBeer');
  RootBeer.isRooted.overload().implementation = function () {
    console.log('[*] isRooted() called — returning false');
    return false;
  };
});

For apps that run their checks in native code (RootBeer itself ships a small native helper, and custom checks often call libc directly), hook at the native level with Interceptor.attach:

Interceptor.attach(Module.findExportByName(null, 'fopen'), {
  onEnter: function (args) {
    // args[0] is the path. Match only a path component named su or magisk;
    // a plain indexOf('su') would also hit innocent paths like resources.arsc.
    var path = args[0].readUtf8String();
    if (path !== null && /(^|\/)(su|magisk)(\/|$)/.test(path)) {
      // Never writeUtf8String() into the caller's buffer: it may be a read-only
      // string literal or shorter than the replacement. Allocate a new string
      // and keep a reference on `this` so it outlives the call.
      this.fakePath = Memory.allocUtf8String('/nonexistent');
      args[0] = this.fakePath;
    }
  }
});
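
The fopen hook only covers one of several probes. As an added example (not the page's code) that generalises it: detection libraries also go through open(), access(), stat() and lstat(), and through java.io.File.exists() on the Java side, and all of them need the same decision about which paths to hide. The script below centralises that decision in isRootArtifact(), which matches whole path components, installs the native hooks on libc.so with a single long-lived replacement string, and hooks File.exists(). The list of artifact names is an assumption about what checks commonly look for, not taken from any particular library.

```javascript
'use strict';

// Paths that root checks probe for. Matching on whole path components means
// "/system/xbin/su" and "/sbin/.magisk/mirror" are hidden, while
// "/data/app/x/resources.arsc", which merely contains the letters "su", is not.
var ROOT_ARTIFACT = /(^|\/)(su|daemonsu|busybox|supersu|superuser(\.apk)?|\.?magisk[^\/]*)(\/|$)/i;

function isRootArtifact(path) {
  return typeof path === 'string' && ROOT_ARTIFACT.test(path);
}

// libc functions that take a path as their first argument.
var LIBC_PATH_FUNCS = ['fopen', 'open', 'access', 'stat', 'lstat'];

function installNativeHooks() {
  var libc = Process.getModuleByName('libc.so');
  // One allocation for the lifetime of the script: the pointer we hand to libc
  // is never freed underneath it, and we never write into the caller's buffer.
  var fakePath = Memory.allocUtf8String('/nonexistent');
  var hooked = 0;
  LIBC_PATH_FUNCS.forEach(function (name) {
    var addr = libc.findExportByName(name);
    if (addr === null) return;
    Interceptor.attach(addr, {
      onEnter: function (args) {
        var path = args[0].readUtf8String();
        if (isRootArtifact(path)) {
          console.log('[*] ' + name + '(' + path + ') -> /nonexistent');
          args[0] = fakePath;   // replace the pointer argument, not its contents
        }
      }
    });
    hooked++;
  });
  return hooked;
}

// Java side: File.exists() is the other common probe. getAbsolutePath() comes
// back as a JS string, so the same predicate applies.
function installJavaHooks() {
  var File = Java.use('java.io.File');
  File.exists.implementation = function () {
    var path = this.getAbsolutePath();
    if (isRootArtifact(path)) {
      console.log('[*] File.exists(' + path + ') -> false');
      return false;
    }
    return this.exists();
  };
}

if (typeof Java !== 'undefined') {
  Java.perform(function () {
    console.log('[*] native hooks installed: ' + installNativeHooks());
    installJavaHooks();
  });
}
```

Checks that consult the package manager (for the Magisk or Superuser package), system properties such as ro.debuggable, or the process list need their own hooks; the predicate above is the piece worth reusing across them.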

Using Frida with objection

objection is a runtime mobile exploration toolkit built on top of Frida that gives you a command-line interface for common tasks:

pip3 install objection
objection -g com.target.app explore

Inside the objection shell, you can:

android sslpinning disable
android root disable
android hooking list classes
android hooking watch class com.example.AuthManager
memory dump all /tmp/mem_dump.bin

This is far faster than writing custom Frida scripts for common tasks.

Tracing with frida-trace

frida-trace is a built-in tool for automatically hooking and logging function calls matching a pattern:

# Trace all Java methods in a class
frida-trace -U -f com.target.app -j 'com.example.*!*'

# Trace native functions containing "crypt"
frida-trace -U -f com.target.app -i '*crypt*'

The tool generates one JavaScript handler file per matched function under __handlers__/, each with onEnter(log, args, state) and onLeave(log, retval, state) callbacks that you edit to log arguments, buffer contents, or return values. This is excellent for quickly understanding what an app does during specific operations like login or payment.

iOS Considerations

On iOS, Frida works out of the box on a jailbroken device: add the Frida repository (build.frida.re) in Cydia or Sileo and install the Frida package, after which the same -U workflow applies. On a non-jailbroken device the alternative is to repackage the app with the Frida Gadget library. The JavaScript API uses ObjC.classes and ObjC.Object instead of Java.use, and methods are addressed by selector:

var NSURLSession = ObjC.classes.NSURLSession;
// A leading "- " selects the instance method; "+ " would select a class method.
var method = NSURLSession['- dataTaskWithRequest:completionHandler:'];
Interceptor.attach(method.implementation, {
  onEnter: function (args) {
    // args[0] is self and args[1] the selector; args[2] is the NSURLRequest.
    var request = new ObjC.Object(args[2]);
    console.log('[*] NSURLSession request: ' + request.URL().absoluteString());
  }
});

Practical Workflow

A typical mobile pentest workflow with Frida looks like this:

  1. Install and start frida-server on the device
  2. Use objection to quickly disable SSL pinning and root detection
  3. Route traffic through Burp Suite and capture API calls
  4. Use frida-trace to identify interesting native or Java methods
  5. Write targeted hook scripts to extract credentials, tokens, or cryptographic material
  6. Document findings with argument/return value logs

Only use Frida against apps you own, are authorised in writing to test, or that are in scope of a bug bounty program with mobile targets. Many programs hosted on platforms such as HackerOne explicitly include mobile apps in scope.

Frida is a legitimate security research tool, used routinely by Android and iOS security researchers to find vulnerabilities in third-party apps and report them through coordinated disclosure.

#pentesting #ios #android #reverse engineering #mobile security #frida