In this tutorial we show how to do function tracing on your Android device.
Setting up your Android device
Before you start, you will need to root your device in case you haven’t done so already. It is technically also possible to use Frida without rooting your device, for example by repackaging the app to include frida-gadget, or using a debugger to accomplish the same. But, for this introduction we’re going to focus on the simplest case: a rooted device.
Also note that most of our recent testing has been taking place on a Pixel 3 running Android 9. Older ROMs may work too, but if you’re running into basic issues like Frida crashing the system when launching an app, this is due to ROM-specific quirks. We cannot test on all possible devices, so we count on your help to improve on this. However if you’re just starting out with Frida it is strongly recommended to go for a Pixel or Nexus device running the latest official software, or a device whose software is as close to AOSP as possible. Another option is using an emulator, ideally with a Google-provided Android 9 emulator image for arm or arm64. (x86 may work too but has gone through significantly less testing.)
You will also need the
adb tool from the Android SDK.
First off, download the latest
frida-server for Android from our releases
page and get it running on your
For the last step, make sure you start frida-server as root, i.e. if you are doing this on a rooted device, you might need to su and run it from that shell.
Next, make sure
adb can see your device:
This will also ensure that the adb daemon is running on your desktop, which allows Frida to discover and communicate with your device regardless of whether you’ve got it hooked up through USB or WiFi.
A quick smoke-test
Now, on your desktop it’s time to make sure the basics are working. Run:
This should give you a process list along the lines of:
Great, we’re good to go then!
Tracing open() calls in Chrome
Alright, let’s have some fun. Fire up the Chrome app on your device and return to your desktop and run:
Now just play around with the Chrome app and you should start seeing
calls flying in:
man open, and start diving deeper and deeper into your Android apps.
Building your own tools
While the CLI tools like frida, frida-trace, etc., are definitely
quite useful, there might be times when you’d like to build your own tools
harnessing the powerful Frida APIs. For that we would
recommend reading the chapters on Functions and
Messages, and anywhere you see
substitute that with