Hello All!

In this post, we will explain how to setup Frida with Android through USB on MacOS. Let’s first prepare your environment.

Environment

You need:

Rooted Android device or emulator, we like the Pixel 4a.

Note: This guide targets Android 9.0 and later.

Developer mode

Enable developer mode by locating the Build Number item in our system settings and tapping it 7 times.

This is found at: Settings > About Phone > Build Number.

Once completed, you will see a You are now a developer! message.

USB debugging

Enable USB debugging at: Settings > System > Advanced > Developer Options > USB debugging

Setup Tools

Install Android SDK Platform-Tools This is easy, thanks to brew: 

$ brew install android-platform-tools
After installation, we will test adb along with USB debugging on our Android device. If using a physical device, be sure that it’s connected to your computer over USB. Run the following command (we will use this output to select the right Frida server binary below):

$ adb shell uname -m
aarch64
Success, we have adb and USB debugging functioning. Also, we confirmed this device is running AArch64/ARM64.

Using adb shell <cmd>, enables us to run a single command on our Android device and get output back. If we wanted to drop into a shell on our device, we would just run adb shell.

Common issues with adb can be resolved by stopping and starting the server:

$ adb kill-server
$ adb start-server

Setup Frida Server

Download the latest Frida server binary matching your devices architecture. In this example for the Pixel 4a, we use Arm64. 

$ wget https://github.com/frida/frida/releases/download/15.1.1/frida-server-15.1.1-android-arm64.xz
Extract and rename the binary to frida-server:

$ unxz frida-server-14.2.3-android-arm64.xz$ mv frida-server-14.2.3-android-arm64 frida-server

Upload frida-server to your Android device and mark it as executable: 

$ adb push frida-server /data/local/tmp/
$ adb shell "chmod 755 /data/local/tmp/frida-server"

Get a shell, elevate to root, execute and background frida-server: 

$ adb shell
sunfish:/ $ su
sunfish:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:magisk:s0
sunfish:/ # /data/local/tmp/frida-server &
[1] 23244

Verify frida-server is running as root: 

$ adb shell
2|sunfish:/ $ ps -e | grep  frida-server
root          23244      1 10852136 56048 0                   0 S frida-server

Confirmed to be running as the root user, let’s move on.

Setup Frida Tools

This can be accomplished with pip, the Python package installer. Frida prefers Python3 and I have pip3 configured as the package installer for my Python3 environment.

$ pip3 install frida-tools

Frida Basics

Get list of running applications: 

$ frida-ps -Ua

Should return something like: 

  PID  Name                      Identifier
-----  ------------------------  ------------------------------------------
22319   Firefox               org.mozilla.firefox
26648   Google                com.google.android.googlequicksearchbox
15871   Google Play Store     com.android.vending

Attach to a process: 

$ frida -U org.mozilla.firefox

Attach to a process and load Frida script: 

$ frida -U org.mozilla.firefox -l script.js

That is all for now.

Thank you for reading and hope you enjoyed as an initial walkthrough or reference next time you need Frida up in a hurry. Have an issue or want to comment, tweet me.

All the best,

–Cale