Frida Android Hooking Guide for Pentesters!

by x32x01
Frida is a dynamic instrumentation toolkit used heavily in Android security testing, reverse engineering, and ethical hacking. It lets you hook into running apps, intercept function calls, modify behaviour on the fly, and see how apps really work under the hood ⚙️.
Frida works by injecting a JavaScript engine into the target process: the hooks you write in JavaScript run inside the app itself, which is what makes it flexible and fast. From there you can intercept Java and native calls, change function logic, and override return values 🔥.

Common real-world use cases include:
  • 🔍 Spy on crypto APIs (javax.crypto) to capture keys, IVs and plaintext
  • 🧩 Modify function outputs
  • 🔐 Recover data the app protects with AES by hooking the cipher calls, instead of attacking the algorithm
  • 🚫 Bypass SSL pinning & root detection
  • 🧠 Trace private app logic
  • 🔓 Bypass app locks (AppLock, license checks, etc.)
This article focuses on Frida basics with hands-on examples. Once you understand these concepts, you can build advanced scripts for almost any Android app 🚀.
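As an added example (not code from the original post), here is a Frida script for the first use case above, spying on the javax.crypto API. It logs every AES key and IV the app constructs and the input and output of each Cipher.doFinal() call, which is how you "bypass" AES in practice: you read the key and plaintext instead of breaking the cipher. It assumes the app uses the standard javax.crypto.Cipher / SecretKeySpec / IvParameterSpec classes. The byte-formatting helpers are plain JavaScript, the sample bytes are constructed, and the Java.perform block only runs when the script is loaded by Frida.

```javascript
// Added example: spy on javax.crypto to recover AES keys, IVs, plaintext and ciphertext.
// Assumes the app uses the standard javax.crypto.Cipher / SecretKeySpec / IvParameterSpec API.

// Pure helper: render a Java byte[] (Frida hands it over as a JS array of signed bytes) as hex.
function bytesToHex(bytes) {
    var out = "";
    for (var i = 0; i < bytes.length; i++) {
        var b = bytes[i] & 0xff;           // normalise -128..127 to 0..255
        out += (b < 16 ? "0" : "") + b.toString(16);
    }
    return out;
}

// Pure helper: printable preview of the first `max` bytes; non-ASCII bytes show as '.'.
function preview(bytes, max) {
    var s = "";
    for (var i = 0; i < bytes.length && i < max; i++) {
        var b = bytes[i] & 0xff;
        s += (b >= 0x20 && b < 0x7f) ? String.fromCharCode(b) : ".";
    }
    return s + (bytes.length > max ? "..." : "");
}

// Constructed sample input so the helpers can be exercised outside Frida: "Hi" 0x00 0xff "!".
var SAMPLE_BYTES = [72, 105, 0, -1, 33];

// One log line per buffer: hex dump plus a short printable preview.
function describeBuffer(label, bytes) {
    return label + ": " + bytesToHex(bytes) + "  " + preview(bytes, 32);
}

if (typeof Java !== "undefined") {           // only when running inside Frida
    Java.perform(function () {
        var SecretKeySpec = Java.use("javax.crypto.spec.SecretKeySpec");
        var IvParameterSpec = Java.use("javax.crypto.spec.IvParameterSpec");
        var Cipher = Java.use("javax.crypto.Cipher");

        // Key material is visible when the key object is built, before any encryption happens.
        SecretKeySpec.$init.overload("[B", "java.lang.String").implementation = function (key, algo) {
            console.log("[crypto] " + algo + " " + describeBuffer("key", key));
            return this.$init(key, algo);
        };
        IvParameterSpec.$init.overload("[B").implementation = function (iv) {
            console.log("[crypto] " + describeBuffer("iv", iv));
            return this.$init(iv);
        };
        // doFinal(byte[]) carries the whole plaintext (encrypt) or ciphertext (decrypt).
        Cipher.doFinal.overload("[B").implementation = function (input) {
            var output = this.doFinal(input);
            console.log("[crypto] " + this.getAlgorithm() + " doFinal");
            console.log("         " + describeBuffer("in ", input));
            console.log("         " + describeBuffer("out", output));
            return output;
        };
    });
}
```

Run it with frida -U -l cryptospy.js -f <package>; every key, IV and doFinal() buffer is printed as hex with a printable preview, so a JSON body or a token is recognisable at a glance. Apps that call update() repeatedly before doFinal() need the same hook on Cipher.update().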


Root Detection Bypass 🧱➡️🔓​

Many Android apps refuse to run on rooted devices by checking for the su binary, Magisk or Superuser files, test-keys build tags, or specific system properties. When detected, the app usually shows a warning and exits immediately ❌.
Using Frida, we can bypass this logic at runtime without modifying or repackaging the APK.

Setup Frida Server on Android​

First, push frida-server to the device (download the build for your device's ABI from the Frida releases page; its version must match the frida client you install next), make it executable, and start it as root. The adb connect step is only needed for a device on network ADB, not USB:
Code:
adb connect 192.168.27.105
adb push frida-server /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "su -c '/data/local/tmp/frida-server &'"

Then install Frida on your machine (frida-tools pulls in the frida library; make sure the installed version matches the frida-server running on the device, otherwise the client refuses to connect):
Code:
pip install frida
pip install frida-tools

List running processes on the device with frida-ps -U; add -a to show only apps with their package identifiers, or -ai to include installed apps that are not running yet.

Using a Ready-Made Anti-Root Script​

Instead of reversing everything manually, you can use community scripts from Frida CodeShare 👇
https://codeshare.frida.re/browse
Run the popular anti-root script, replacing in.package.name with the target's package identifier (as shown by frida-ps -Uai):
Code:
frida -U --codeshare dzonerzy/fridantiroot -f in.package.name
Press y to trust the script. On Frida versions older than 16 the spawned app starts paused, so type %resume at the prompt; Frida 16 and newer resume the app automatically (pass --pause if you want the old behaviour).
✅ Root detection is now bypassed, provided the app uses one of the checks the script covers; if it still exits, it has a custom check that you need to find and hook yourself.
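To see what a script like fridantiroot actually does, here is an added example (not code from the post or from the CodeShare script) of a hand-written bypass for the three most common root checks: File.exists() on well-known su/Magisk paths, Runtime.exec("su") or exec({"which","su"}), and Build.TAGS equal to "test-keys". The path list is constructed and should be extended per target; the decision helpers are plain JavaScript and the Java.perform block only runs inside Frida.

```javascript
// Added example: hand-written root-detection bypass covering the three most common checks.
// Assumptions: the app stats well-known su/Magisk paths via java.io.File.exists(), runs
// "su" / "which su" through Runtime.exec(), and/or compares Build.TAGS with "test-keys".
// Anything beyond these (native stat(), SELinux queries, SafetyNet) needs extra hooks.

// Constructed list of paths that root checks typically probe; extend it per target.
var ROOT_PATHS = [
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su", "/system/sd/xbin/su",
    "/system/app/Superuser.apk", "/data/adb/magisk", "/sbin/.magisk",
    "/system/bin/busybox", "/system/xbin/busybox"
];

// Pure helper: is this path a root artifact (exact match, under a listed directory,
// or any file literally named su / magisk / busybox)?
function isRootIndicatorPath(path) {
    if (typeof path !== "string") return false;
    var listed = ROOT_PATHS.some(function (p) {
        return path === p || path.indexOf(p + "/") === 0;
    });
    return listed || /(^|\/)(su|magisk|busybox)$/.test(path);
}

// Pure helper: flatten an exec() command (string or String[] argv) to one line.
function commandText(cmd) {
    if (typeof cmd === "string") return cmd;
    var parts = [];
    for (var i = 0; i < cmd.length; i++) parts.push(String(cmd[i]));   // JS array or Frida array wrapper
    return parts.join(" ");
}

// Pure helper: does the command try to run or locate su / magisk?
function isSuCommand(cmd) {
    return /(^|\s|\/)(su|which\s+su|magisk)(\s|$)/.test(commandText(cmd));
}

// Pure helper: rooted/custom builds are signed with test-keys; report what a stock phone has.
function spoofBuildTags(tags) {
    return tags === "test-keys" ? "release-keys" : tags;
}

if (typeof Java !== "undefined") {           // only when loaded by Frida
    Java.perform(function () {
        var File = Java.use("java.io.File");
        var Runtime = Java.use("java.lang.Runtime");
        var Build = Java.use("android.os.Build");
        var IOException = Java.use("java.io.IOException");

        // 1. File.exists() is the most common probe
        File.exists.implementation = function () {
            var path = this.getAbsolutePath();
            if (isRootIndicatorPath(path)) {
                console.log("[root-bypass] hiding " + path);
                return false;
            }
            return this.exists();
        };

        // 2. Runtime.exec("su") / exec(new String[]{"which", "su"}): fail the way a stock phone does
        function denyIfSu(original) {
            return function (cmd) {
                if (isSuCommand(cmd)) {
                    console.log("[root-bypass] blocking exec: " + commandText(cmd));
                    throw IOException.$new("Cannot run program \"su\": error=2, No such file or directory");
                }
                return original.call(this, cmd);
            };
        }
        var execStr = Runtime.exec.overload("java.lang.String");
        var execArr = Runtime.exec.overload("[Ljava.lang.String;");
        execStr.implementation = denyIfSu(execStr);
        execArr.implementation = denyIfSu(execArr);

        // 3. Build.TAGS: patch the static field once; every later read sees "release-keys"
        Build.TAGS.value = spoofBuildTags(Build.TAGS.value);
    });
}
```

Load it with frida -U -l rootbypass.js -f <package>. The log lines tell you which probe the app used, which is also the fastest way to learn what a custom check does when the ready-made script is not enough.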


Hooking Java Methods in Android 🪝☕​

Android apps contain many methods like onCreate(), onStart(), and custom user-defined functions. With Frida, you can hook any of them.

Extract and Analyze the APK​

First, locate the APK on the device and pull it. pm path prints the real location, which on recent Android versions sits under a randomised directory below /data/app/, so use the path it returns rather than guessing:
Code:
adb shell pm path jakhar.aseem.diva
adb pull /data/app/jakhar.aseem.diva/base.apk   # substitute the path printed above
Decompile it with apktool (resources and smali), convert the DEX to a JAR with dex2jar, and browse the Java in JD-GUI (or open the APK directly in jadx) to understand the app logic and pick the classes and methods worth hooking 👀.


Hooking onCreate() Method 🚀​

Example Frida script. Activity.onCreate() has more than one overload, so the hook must select the Bundle variant explicitly, and it must pass the Bundle on to the original, or the activity never initialises:
JavaScript:
console.log("Script loaded!");

Java.perform(function () {
    var mainapp = Java.use("jakhar.aseem.diva.MainActivity");

    // Pick the onCreate(Bundle) overload; plain .implementation fails when several overloads exist
    mainapp.onCreate.overload("android.os.Bundle").implementation = function (savedInstanceState) {
        console.log("My script called!");
        // Call the original with the same Bundle so the activity still sets itself up
        return this.onCreate.overload("android.os.Bundle").call(this, savedInstanceState);
    };

    send("Hooks installed");
});
Run it:
Code:
frida -U -l mainactivityhook.js -f jakhar.aseem.diva
🎯 Your hook now executes every time the activity is launched.


Hooking Custom Methods 🧠​

Apps often use custom methods like startChallenge(). You can hook them too:
JavaScript:
Java.perform(function () {
    var app = Java.use("jakhar.aseem.diva.MainActivity");

    app.startChallenge.overload("android.view.View").implementation = function (v) {
        send("startChallenge() intercepted!");
        return this.startChallenge(v);
    };
});
Run it. On Frida versions before 16, --no-pause makes the app start immediately instead of waiting for %resume; on Frida 16 and newer that is already the default and the flag has been removed, so drop it:
Code:
frida -U -l hook.js -f jakhar.aseem.diva --no-pause
Every button click is now under your control 😎.
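The two hooks above each pin one overload by hand. As an added example, not code from the post, the script below hooks every overload of a method at once and logs its arguments and return value, so you can trace onCreate(), startChallenge() or any other method without first looking up its signature. The class and method names are the DIVA ones used above; describeArgs() and signatureOf() are plain JavaScript, and the Java.perform part only runs inside Frida.

```javascript
// Added example: hook every overload of one method and log calls with arguments and return value.
// Assumes the DIVA app from this post; change the two constants to trace any other method.
var TARGET_CLASS = "jakhar.aseem.diva.MainActivity";
var TARGET_METHOD = "startChallenge";

// Pure helper: render hook arguments for the log. Java objects arrive as wrappers whose
// String() is the Java toString(); Java strings arrive as JS strings; nulls arrive as null.
function describeArgs(args) {
    var parts = [];
    for (var i = 0; i < args.length; i++) {
        var a = args[i];
        if (a === null || a === undefined) parts.push("null");
        else if (typeof a === "string") parts.push(JSON.stringify(a));
        else parts.push(String(a));
    }
    return "(" + parts.join(", ") + ")";
}

// Pure helper: turn a Frida overload's argumentTypes into a Java-style parameter list.
function signatureOf(overload) {
    return overload.argumentTypes.map(function (t) { return t.className; }).join(", ");
}

// Install a logging hook on each overload of className.methodName.
function traceMethod(className, methodName) {
    var cls = Java.use(className);
    var method = cls[methodName];
    if (method === undefined) throw new Error(className + " has no method " + methodName);
    method.overloads.forEach(function (ov) {
        var sig = methodName + "(" + signatureOf(ov) + ")";
        ov.implementation = function () {
            var args = Array.prototype.slice.call(arguments);
            console.log("[trace] -> " + sig + " " + describeArgs(args));
            var ret = ov.apply(this, arguments);   // call the original overload with the same arguments
            console.log("[trace] <- " + sig + " = " + String(ret));
            return ret;
        };
        console.log("[trace] hooked " + sig);
    });
}

if (typeof Java !== "undefined") {           // only when loaded by Frida
    Java.perform(function () { traceMethod(TARGET_CLASS, TARGET_METHOD); });
}
```

Because the original is called through ov.apply(this, arguments), the hook is transparent to the app; to change behaviour you edit args before the call or ret after it.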


Hooking exit() Method ❌➡️🛑​

You can also stop an app from exiting, for example after a failed root check, by hooking System.exit():
JavaScript:
Java.perform(function () {
    var sys = Java.use("java.lang.System");

    sys.exit.overload("int").implementation = function (code) {
        // The original is never called, so the process stays alive and the caller simply continues
        send("System.exit(" + code + ") blocked!");
    };
});
Now the app no longer closes 🚫. Note that this covers only java.lang.System.exit(); an app can also call Runtime.exit(), Runtime.halt(), or the native exit() in libc, and each of those needs its own hook.
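The hook above keeps the app alive but says nothing about why it wanted to die. As an added example (not from the original post), the script below blocks System.exit(), Runtime.exit() and Runtime.halt() and, for each call, prints the first app-side frame of the Java stack, so the root or tamper check that triggered the exit can be located and hooked directly. The package name jakhar.aseem.diva is the post's DIVA target; the stack text comes from android.util.Log.getStackTraceString(new Exception()), and the frame parser plus a constructed sample trace are plain JavaScript.

```javascript
// Added example: block the Java exit paths and report which app method called them.
// Assumption: the target package is jakhar.aseem.diva (the DIVA app used in this post).
var APP_PACKAGE = "jakhar.aseem.diva";

// Pure helper: extract "class.method" frames from a Java stack-trace string,
// dropping the exception header line and the exit frames themselves.
function callerFrames(traceString) {
    var frames = [];
    traceString.split("\n").forEach(function (line) {
        var m = /^\s*at\s+([\w.$]+)\.([\w$<>]+)\(/.exec(line);
        if (m) frames.push(m[1] + "." + m[2]);
    });
    return frames.filter(function (f) {
        return f !== "java.lang.System.exit" && f !== "java.lang.Runtime.exit" && f !== "java.lang.Runtime.halt";
    });
}

// Pure helper: the first frame that belongs to the app rather than the framework.
function appFrame(frames, appPackage) {
    for (var i = 0; i < frames.length; i++) {
        if (frames[i].indexOf(appPackage + ".") === 0) return frames[i];
    }
    return null;
}

// Constructed sample trace, in the format Log.getStackTraceString() produces.
var SAMPLE_TRACE = [
    "java.lang.Exception",
    "\tat java.lang.System.exit(Native Method)",
    "\tat jakhar.aseem.diva.RootCheck.verify(RootCheck.java:17)",
    "\tat jakhar.aseem.diva.MainActivity.onCreate(MainActivity.java:42)",
    "\tat android.app.Activity.performCreate(Activity.java:8000)",
    ""
].join("\n");

if (typeof Java !== "undefined") {           // only when loaded by Frida
    Java.perform(function () {
        var System = Java.use("java.lang.System");
        var Runtime = Java.use("java.lang.Runtime");
        var Log = Java.use("android.util.Log");
        var Exception = Java.use("java.lang.Exception");

        function report(name, code) {
            // A fresh Exception captures the current Java stack; Log renders it as text.
            var trace = Log.getStackTraceString(Exception.$new());
            var caller = appFrame(callerFrames(trace), APP_PACKAGE);
            console.log("[exit] " + name + "(" + code + ") blocked; called from " + caller);
        }

        // None of these call the original, so the process keeps running.
        System.exit.overload("int").implementation = function (code) { report("System.exit", code); };
        Runtime.exit.overload("int").implementation = function (code) { report("Runtime.exit", code); };
        Runtime.halt.overload("int").implementation = function (code) { report("Runtime.halt", code); };
    });
}
```

The printed frame (for the sample trace, jakhar.aseem.diva.RootCheck.verify) is the method to decompile next; hooking it to return the "not rooted" result is cleaner than suppressing every exit in the app.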


Modifying Return Values 🔄​

Want to change what a method returns? Easy: assign an implementation that returns the value you want. The class and method below are placeholders; the value must match the method's declared return type (an int here; use true/false for boolean and a JS string for java.lang.String), and you can still call the original first and adjust its result.
JavaScript:
Java.perform(function () {
    var cls = Java.use("com.example.MainActivity");

    cls.returnValue.implementation = function () {
        // The original returned 60; every caller now sees 100
        return 100;
    };
});
Original output was 60, now it returns 100 💥.


SSL Pinning Bypass 🔐➡️📡​

Apps use SSL pinning to reject the proxy's certificate and so block traffic interception. Frida can neutralise the pinning checks at runtime so you can analyse traffic with Burp Suite (the Burp CA certificate must still be installed on the device; apps that only trust the system store need it in the system store rather than the user store).
Use this popular script, which patches a long list of pinning implementations (OkHttp, TrustManagerImpl, Conscrypt and several others):
Code:
frida -U --codeshare akabe1/frida-multiple-unpinning -f com.osfg.certificatepinning
On Frida versions older than 16, type %resume to let the app start.
✅ HTTPS traffic is now visible in Burp.
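For apps the CodeShare script misses, it helps to know what such a bypass does. The following is an added example (not code from the post or from the akabe1 script) covering the two places pinning usually lives: OkHttp's CertificatePinner.check(), which is made a no-op, and an app-built SSLContext, whose TrustManagers are replaced with one that accepts any chain via Java.registerClass. It first filters Java.enumerateLoadedClassesSync() for pinning-related class names so you can see what the target actually loaded. The name patterns and the sample class list are constructed, the registered class name is hypothetical, and pinning implemented in native code (Flutter, Cronet) is not covered.

```javascript
// Added example: hand-written SSL pinning bypass for the two most common implementations.
// Assumptions: the app pins with OkHttp's CertificatePinner and/or builds its own SSLContext
// with a custom TrustManager. Native pinning (Flutter, Cronet) needs Interceptor-level hooks instead.

// Constructed patterns for class names that usually implement pinning or trust decisions.
var PINNING_PATTERNS = [
    /^okhttp3\.CertificatePinner$/,
    /^com\.android\.org\.conscrypt\.TrustManagerImpl$/,
    /TrustManager/,
    /Pinn(er|ing)/i
];

// Pure helper: filter a list of loaded class names down to pinning candidates, keeping input order.
function findPinningClasses(loadedClassNames) {
    return loadedClassNames.filter(function (name) {
        return PINNING_PATTERNS.some(function (re) { return re.test(name); });
    });
}

// Constructed sample of what Java.enumerateLoadedClassesSync() might return.
var SAMPLE_LOADED = [
    "okhttp3.OkHttpClient", "okhttp3.CertificatePinner", "java.lang.String",
    "com.android.org.conscrypt.TrustManagerImpl", "com.example.net.PinningInterceptor"
];

// Hook every overload of className.methodName if the class is loaded; returns true on success.
// Java.use() throws for a class the app never loaded, which is why this is wrapped.
function hookIfPresent(className, methodName, replacement) {
    try {
        var cls = Java.use(className);
        cls[methodName].overloads.forEach(function (ov) { ov.implementation = replacement; });
        console.log("[pinning] hooked " + className + "." + methodName);
        return true;
    } catch (e) {
        console.log("[pinning] skipping " + className + "." + methodName + ": " + e.message);
        return false;
    }
}

if (typeof Java !== "undefined") {           // only when loaded by Frida
    Java.perform(function () {
        console.log("[pinning] candidates: " + findPinningClasses(Java.enumerateLoadedClassesSync()).join(", "));

        // 1. OkHttp: CertificatePinner.check(...) throws SSLPeerUnverifiedException on mismatch.
        //    Every overload is void, so an empty body accepts any chain.
        hookIfPresent("okhttp3.CertificatePinner", "check", function (hostname) {
            console.log("[pinning] OkHttp check(" + hostname + ") bypassed");
        });

        // 2. App-built SSLContext: swap in a TrustManager that accepts everything.
        var X509TrustManager = Java.use("javax.net.ssl.X509TrustManager");
        var SSLContext = Java.use("javax.net.ssl.SSLContext");
        var TrustAll = Java.registerClass({
            name: "re.frida.example.TrustAll",          // hypothetical class name
            implements: [X509TrustManager],
            methods: {
                checkClientTrusted: function (chain, authType) {},
                checkServerTrusted: function (chain, authType) {},
                getAcceptedIssuers: function () { return []; }
            }
        });
        var trustAll = [TrustAll.$new()];
        var init = SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom");
        init.implementation = function (keyManagers, trustManagers, secureRandom) {
            console.log("[pinning] SSLContext.init(): replacing the app's TrustManagers");
            init.call(this, keyManagers, trustAll, secureRandom);
        };
    });
}
```

The candidate list is the useful diagnostic: if it names a class that neither hook touches, that class is where the remaining pinning check lives.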


Frida Hooking with Python 🐍​

You can embed Frida scripts inside Python for automation. Two details matter: the script's send() messages only show up if you register a message handler, and spawning the app (rather than attaching to a running process) lets the hooks land before its first screen appears:
Python:
import frida
import sys

jscode = """
Java.perform(function () {
    var app = Java.use("jakhar.aseem.diva.MainActivity");
    app.startChallenge.overload("android.view.View").implementation = function (v) {
        send("Button clicked!");
        return this.startChallenge(v);
    };
});
"""

def on_message(message, data):
    # send() from the script arrives here; without this handler its output is lost
    if message["type"] == "send":
        print("[*] " + str(message["payload"]))
    else:
        print(message)

device = frida.get_usb_device()
pid = device.spawn(["jakhar.aseem.diva"])   # start the app suspended
session = device.attach(pid)
script = session.create_script(jscode)
script.on("message", on_message)
script.load()
device.resume(pid)                          # let it run with the hooks in place
sys.stdin.read()                            # keep the session alive until Ctrl-D
Run it:
Code:
python3 hook.py
Perfect for advanced automation and large-scale testing ⚙️.


Frida Challenge Example 🎮​

Advanced challenges involve:
  • Inspecting hidden activities
  • Watching runtime behavior
  • Hooking logic dynamically
  • Modifying execution flow
Using tools like Drozer, Objection, and Logcat, you can fully understand what the app does in the background and change it in real time 🔬.


Final Thoughts 🧩​

Frida is a pentester’s best friend ❤️
From bypassing root checks to intercepting encrypted traffic, it opens endless possibilities.
To master Frida, you should also learn:
  • JavaScript deeply
  • Android internals
  • APK reverse engineering
  • Java method overloading
Once combined, Frida becomes unstoppable 🚀.
 