Setting up Frida on Android

Hello All!

In this post, we will explain how to set up Frida with Android over USB on macOS. Let’s first prepare your environment.

Environment

You need:

This guide targets Android 9.0 and later.

Developer mode

Enable developer mode by locating the Build Number item in our system settings and tapping it 7 times.

This is found at: Settings > About Phone > Build Number. Once completed, you will see a "You are now a developer!" message.

USB debugging

Enable USB debugging at: Settings > System > Advanced > Developer Options > USB debugging

Setup Tools

Install Android SDK Platform-Tools. This is easy, thanks to brew:

$ brew install android-platform-tools

After installation, we will test the adb utility along with USB debugging on our Android device. If using a physical device, be sure that it’s connected to your computer over USB. Run the following command (we will use this output to select the right Frida server binary below):

$ adb shell uname -m
aarch64

Success, we have adb and USB debugging functioning. Also, we confirmed this device is running AArch64/ARM64.

Using adb shell <cmd> lets us run a single command on our Android device and get the output back. If we wanted to drop into a shell on our device, we would run adb shell.

Common issues with adb can be resolved by stopping and starting the server:

$ adb kill-server
$ adb start-server

Setup Frida Server

Download the latest Frida server binary matching your device’s architecture. In this example for the Pixel 4a, we use Arm64.

$ wget https://github.com/frida/frida/releases/download/14.2.3/frida-server-14.2.3-android-arm64.xz

Extract and rename the binary to frida-server:

$ unxz frida-server-14.2.3-android-arm64.xz
$ mv frida-server-14.2.3-android-arm64 frida-server

Upload frida-server to your Android device and mark it as executable:

$ adb push frida-server /data/local/tmp/
$ adb shell "chmod 755 /data/local/tmp/frida-server"

Get a shell, elevate to root, execute and background frida-server:

$ adb shell
sunfish:/ $ su
sunfish:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:magisk:s0
sunfish:/ # /data/local/tmp/frida-server &
[1] 9555

Verify frida-server is running as root:

$ adb shell
sunfish:/ $ ps -e | grep frida-server
root  9555 1 10851964  3636 do_sys_poll 0 S frida-server

frida-server is confirmed to be running as the root user, so let’s move on.

Setup Frida Tools

This can be accomplished with pip, the Python package installer. Frida prefers Python 3, and I have pip3 configured as the package installer for my Python 3 environment.

$ pip3 install frida-tools
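
With both halves installed, it is worth checking that the server binary matches the device architecture and that the client and server are the same Frida release. The script below is an added example, not part of the original post: its function names are hypothetical, it reuses the URL pattern from the wget command above, and it assumes frida-server sits in /data/local/tmp as set up earlier.

```shell
#!/bin/sh
# Added example: consistency checks for the setup on this page.
# Function names are hypothetical; the URL pattern is the one used above.

# Map `adb shell uname -m` output to the architecture suffix used in
# frida-server Android release asset names.
frida_android_arch() {
    case "$1" in
        aarch64)        echo arm64 ;;
        armv7l|armv8l)  echo arm ;;      # 32-bit ARM userland
        x86_64)         echo x86_64 ;;
        i686|i386)      echo x86 ;;
        *)  echo "unsupported machine type: $1" >&2; return 1 ;;
    esac
}

# Build the release URL for a given Frida version and machine type.
frida_server_url() {
    version=$1
    arch=$(frida_android_arch "$2") || return 1
    echo "https://github.com/frida/frida/releases/download/${version}/frida-server-${version}-android-${arch}.xz"
}

# Succeed only when client and server report the same release.
# Whitespace is stripped because adb output can carry a trailing CR.
frida_versions_match() {
    c_ver=$(printf '%s' "$1" | tr -d '[:space:]')
    s_ver=$(printf '%s' "$2" | tr -d '[:space:]')
    [ -n "$c_ver" ] && [ "$c_ver" = "$s_ver" ]
}

# Live check against the connected device: sh frida-check.sh --device
if [ "${1:-}" = "--device" ]; then
    machine=$(adb shell uname -m | tr -d '\r')
    client=$(frida --version)
    server=$(adb shell /data/local/tmp/frida-server --version | tr -d '\r')
    echo "device machine type: $machine"
    echo "matching asset:      $(frida_server_url "$client" "$machine")"
    if frida_versions_match "$client" "$server"; then
        echo "OK: client and server are both $client"
    else
        echo "MISMATCH: client=$client server=$server" >&2
        exit 1
    fi
fi
```

If the check reports a mismatch, download the frida-server asset it prints and push it again as described in the previous section.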

Frida Basics

Get a list of running applications:

$ frida-ps -Ua

Should return something like:

  PID  Name                        Identifier
-----  --------------------------  -----------------------------------------
 1601  Android System              android
 2151  Bluetooth                   com.android.bluetooth
 1601  Call Management             com.android.server.telecom
 5900  Carrier Services            com.google.android.ims
 2529  CneApp                      com.qualcomm.qti.cne
...

Attach to a process:

$ frida -U org.mozilla.firefox

Attach to a process and load a Frida script:

$ frida -U org.mozilla.firefox -l script.js

That is all for now.

Thank you for reading. I hope you enjoyed this as an initial walkthrough, or as a reference the next time you need Frida up in a hurry. Have an issue or want to comment? Tweet me.

All the best,

–Cale