Frida Advanced Techniques: Runtime Hooking, Crypto Extraction, and Anti-Detection Bypass

Frida is the most powerful dynamic instrumentation toolkit in mobile security research. This tutorial goes deep into advanced hooking techniques that professional penetration testers use on real engagements — cryptographic key extraction, native library hooking, and anti-analysis bypass.

Prerequisites and Setup

bash — frida setup
# Install Frida tools
$ pip3 install frida-tools
Successfully installed frida-16.2.1 frida-tools-12.4.0
$ adb push frida-server /data/local/tmp/
frida-server: 1 file pushed. 94.2 MB/s
$ adb shell "chmod 755 /data/local/tmp/frida-server && /data/local/tmp/frida-server &"
[+] Frida server running on Android 14

Hooking Java Methods: Extracting Cryptographic Keys

The most common target in banking and fintech apps is the cryptographic layer. Apps routinely use javax.crypto.Cipher for AES encryption. Hooking Cipher at the Java layer lets you intercept both the plaintext passed to doFinal() and the key object passed to init():

// crypto_hook.js — intercept AES operations
Java.perform(function() {
    var Cipher = Java.use('javax.crypto.Cipher');
    var lastKeyHex = null;   // key seen in the most recent Cipher.init() call

    // Hex-encode a Java byte[] (Frida exposes it as an array-like wrapper)
    function bytesToHex(bytes) {
        var out = '';
        for (var i = 0; i < bytes.length; i++) {
            out += ('0' + (bytes[i] & 0xFF).toString(16)).slice(-2);
        }
        return out;
    }

    // The key is only visible in init(). getEncoded() returns null for
    // hardware-backed (Android Keystore) keys, which is exactly what defeats this hook
    function recordKey(key) {
        var encoded = key.getEncoded();
        lastKeyHex = (encoded === null) ? '<not extractable>' : bytesToHex(encoded);
    }
    Cipher.init.overload('int', 'java.security.Key').implementation = function(mode, key) {
        recordKey(key);
        return this.init(mode, key);
    };
    // Overload used for CBC/GCM, where an IV or parameter spec is supplied
    Cipher.init.overload('int', 'java.security.Key', 'java.security.spec.AlgorithmParameterSpec').implementation = function(mode, key, spec) {
        recordKey(key);
        return this.init(mode, key, spec);
    };

    // doFinal(byte[]) carries the plaintext on encrypt and the ciphertext on decrypt
    Cipher.doFinal.overload('[B').implementation = function(input) {
        console.log('[Cipher.doFinal] Algorithm: ' + this.getAlgorithm());
        console.log('[Cipher.doFinal] Key: ' + lastKeyHex);
        console.log('[Cipher.doFinal] Input: ' +
            Java.use('java.lang.String').$new(input));
        var result = this.doFinal(input);
        console.log('[Cipher.doFinal] Output (hex): ' + bytesToHex(result));
        return result;
    };
});
bash — crypto hook
$ frida -U -l crypto_hook.js com.bank.app
[*] Attaching to com.bank.app…
[*] Script loaded
[Cipher.doFinal] Algorithm: AES/ECB/PKCS5Padding
[Cipher.doFinal] Key: 4d6f62696c65486173682e2e2e
[Cipher.doFinal] Input: {"user":"admin","pin":"1234"}

Native Library Hooking

When Java-level hooks miss critical logic (common in apps that implement crypto or certificate pinning in C++), use Frida's Interceptor to hook exported native functions directly. For standard SSL pinning you rarely need custom native hooks: the community codeshare script below patches 15+ pinning techniques:

bash — ssl bypass
$ frida -U --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida com.bank.app
[+] SSL pinning disabled — 4 methods patched
[+] TrustManagerImpl.checkTrustedRecursive bypassed
[+] OkHttp3 CertificatePinner bypassed
Intercepting traffic with Burp Suite…
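
The native-level counterpart of the Java Cipher hook above, as an added example that is not part of the original post: a Frida script that hooks OpenSSL's AES_set_encrypt_key() and logs the key bytes passed in. It assumes the app bundles OpenSSL as libcrypto.so (a placeholder module name) with that symbol exported; the helper functions run outside Frida as well.

```javascript
const VALID_AES_BITS = new Set([128, 192, 256]);

// Hex-encode raw bytes (ArrayBuffer from readByteArray, or any array-like).
function bytesToHex(bytes) {
  const view = bytes instanceof ArrayBuffer ? new Uint8Array(bytes) : bytes;
  let out = '';
  for (let i = 0; i < view.length; i++) {
    out += ('0' + (view[i] & 0xff).toString(16)).slice(-2);
  }
  return out;
}

// Key length in bytes for a legal AES size, or null: anything else means the
// hook fired on a caller that is not doing AES and must not be read as a key.
function aesKeyBytes(bits) {
  return VALID_AES_BITS.has(bits) ? bits / 8 : null;
}

// Build the log line for one call; kept separate from the hook so it can be
// exercised outside Frida.
function describeKeyCall(bits, keyBytes) {
  const len = aesKeyBytes(bits);
  if (len === null) {
    return '[AES_set_encrypt_key] unexpected key size: ' + bits + ' bits';
  }
  return '[AES_set_encrypt_key] AES-' + bits + ' key: ' + bytesToHex(keyBytes);
}

// Install the native hook; only meaningful inside Frida, where Interceptor and
// Module exist. Module name libcrypto.so is an assumption about the target app.
function installAesKeyHook() {
  const target = Module.findExportByName('libcrypto.so', 'AES_set_encrypt_key');
  if (target === null) {
    console.log('[-] AES_set_encrypt_key not exported (static build?)');
    return false;
  }
  Interceptor.attach(target, {
    // int AES_set_encrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key)
    onEnter(args) {
      const bits = args[1].toInt32();
      const len = aesKeyBytes(bits);
      const raw = len === null ? new Uint8Array(0) : args[0].readByteArray(len);
      console.log(describeKeyCall(bits, raw));
    }
  });
  return true;
}

if (typeof Interceptor !== 'undefined') installAesKeyHook();
```

On a test device this shows that a key reaching native AES code is as exposed as one handed to javax.crypto, so the mitigation is the same: keep key material in the hardware-backed Android Keystore, where it never enters process memory.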

Anti-Frida Detection Bypass

Production apps check for Frida's presence. The three most common detection methods, each with its bypass:

1. Port 27042 Detection

# Use a non-default port, forward it over adb and connect to it as a remote host
adb shell "/data/local/tmp/frida-server -l 0.0.0.0:31337 &"
adb forward tcp:31337 tcp:31337
frida -H 127.0.0.1:31337 com.target.app

2. Process Name Detection

# Rename the binary before deploying
adb push frida-server /data/local/tmp/fs
adb shell "chmod 755 /data/local/tmp/fs && /data/local/tmp/fs &"

3. Memory String Scan for "LIBFRIDA"

# Frida Gadget is a shared library embedded in the APK, not something the CLI injects:
# rename it (e.g. libgadget.so), ship it in lib/<abi>/, load it from the app,
# re-sign, then attach to the Gadget process by name
frida -U Gadget

Next Steps

With these techniques you can extract cryptographic keys, bypass SSL pinning at both the Java and native levels, and evade common Frida detection. Check out our Android security tutorials and the Mobile Hacking Lab Android courses for hands-on labs where you apply these techniques against purpose-built vulnerable apps.