Android

In this tutorial we show how to do function tracing on your Android device.

Setting up your Android device

Before you start, you will need to root your device in case you haven’t done so already. You will also need the Android SDK so you can use the adb tool. This is a stop-gap solution and won’t be necessary once Frida has an Android app (pull-request welcome!).

First off, download the latest frida-server for Android:

$ curl -O http://build.frida.re/frida/android/bin/frida-server
$ chmod +x frida-server

Next, deploy frida-server on your device:

$ adb push frida-server /data/local/tmp/

Spin up Frida

In one terminal (on your desktop), run the server:

$ adb shell
root@android:/ # /data/local/tmp/frida-server -t 0

While that’s running, forward some local TCP ports to your device:

$ adb forward tcp:27042 tcp:27042
$ adb forward tcp:27043 tcp:27043

27042 is the port used for communicating with frida-server, and each process you inject into requires one of the subsequent ports.

Now, just to verify things are working:

$ frida-ps -R

This should give you a process list along the lines of:

  PID NAME
 1590 com.facebook.katana
13194 com.facebook.katana:providers
12326 com.facebook.orca
13282 com.twitter.android
…

Great, we’re good to go then!

Tracing open() calls in Chrome

Alright, let’s have some fun. Fire up the Chrome app on your device, then return to your desktop and run:

$ frida-trace -R -i open com.android.chrome
Uploading data...
open: Auto-generated handler …/linker/open.js
open: Auto-generated handler …/libc.so/open.js
Started tracing 2 functions. Press ENTER to stop.

Now just play around with the Chrome app and you should start seeing open() calls flying in:

  1392 ms	open()
  1403 ms	open()
  1420 ms	open()

You can now live-edit the aforementioned JavaScript files as you read man open, and start diving deeper and deeper into your Android apps.
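
As an added example (not part of the original tutorial and not the handler frida-trace generates), here is one way to edit the open.js handler so each call shows its path and decoded flags. The names decodeOpenFlags and openHandler are made up for this example, and it assumes a Frida version where NativePointer provides readUtf8String(); how the handler object is wrapped in the generated file depends on your Frida version.

```javascript
// Added example, not Frida's generated code. Flag values are the Linux
// asm-generic ones shared by ARM and x86; arch-specific bits are shown as hex.
const ACCESS_MODES = ['O_RDONLY', 'O_WRONLY', 'O_RDWR'];
const FLAG_BITS = [
  ['O_CREAT', 0o100],
  ['O_EXCL', 0o200],
  ['O_NOCTTY', 0o400],
  ['O_TRUNC', 0o1000],
  ['O_APPEND', 0o2000],
  ['O_NONBLOCK', 0o4000],
  ['O_CLOEXEC', 0o2000000],
];

// Turn the integer flags argument of open() into the names used in `man open`.
function decodeOpenFlags(flags) {
  const mode = flags & 0o3; // low two bits select the access mode
  const names = [ACCESS_MODES[mode] || 'O_ACCMODE(3)'];
  let rest = (flags & ~0o3) >>> 0;
  for (const [name, bit] of FLAG_BITS) {
    if (rest & bit) {
      names.push(name);
      rest = (rest & ~bit) >>> 0;
    }
  }
  if (rest !== 0) names.push('0x' + rest.toString(16)); // bits not decoded here
  return names.join('|');
}

// Handler in the shape frida-trace calls: onEnter(log, args, state).
// Inside Frida, args[n] and retval are NativePointer values.
// Assumption: older Frida releases need Memory.readUtf8String(args[0]) instead.
const openHandler = {
  onEnter(log, args, state) {
    const path = args[0].isNull() ? '(null)' : args[0].readUtf8String();
    const flags = args[1].toInt32();
    log('open("' + path + '", ' + decodeOpenFlags(flags) + ')');
  },
  onLeave(log, retval, state) {
    log('  => fd ' + retval.toInt32()); // -1 means the open() failed
  },
};
```

To use it, copy decodeOpenFlags and the onEnter/onLeave bodies into the generated open.js while frida-trace is running.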