Android

In this tutorial we show how to do function tracing on your Android device.

Setting up your Android device

Before you start, you will need to root your device in case you haven’t done so already. It is technically also possible to use Frida without rooting your device, for example by repackaging the app to include frida-gadget, or using a debugger to accomplish the same. But, for this introduction we’re going to focus on the simplest case: a rooted device.

Also note that most of our recent testing has been taking place on a Pixel 3 running Android 9. Older ROMs may work too, but if you’re running into basic issues like Frida crashing the system when launching an app, this is due to ROM-specific quirks. We cannot test on all possible devices, so we count on your help to improve on this. However if you’re just starting out with Frida it is strongly recommended to go for a Pixel or Nexus device running the latest official software, or a device whose software is as close to AOSP as possible. Another option is using an emulator, ideally with a Google-provided Android 9 emulator image for arm or arm64. (x86 may work too but has gone through significantly less testing.)

You will also need the adb tool from the Android SDK.

First off, download the latest frida-server for Android from our releases page and uncompress it.

unxz frida-server.xz

Now, let’s get it running on your device:

$ adb root # might be required
$ adb push frida-server /data/local/tmp/
$ adb shell "chmod 755 /data/local/tmp/frida-server"
$ adb shell "/data/local/tmp/frida-server &"

Some apps might be able to detect the frida-server location. Renaming the frida-server binary to a random name, or moving it to another location such as /dev may do the trick.

For the last step, make sure you start frida-server as root, i.e. if you are doing this on a rooted device, you might need to su and run it from that shell.

adb on a production build

If you get adbd cannot run as root in production builds after running adb root
you need to prefix each shell command with su -c. For example: adb shell "su -c chmod 755 /data/local/tmp/frida-server"

Next, make sure adb can see your device:

$ adb devices -l

This will also ensure that the adb daemon is running on your desktop, which allows Frida to discover and communicate with your device regardless of whether you’ve got it hooked up through USB or WiFi.

A quick smoke-test

Now, on your desktop it’s time to make sure the basics are working. Run:

$ frida-ps -U

This should give you a process list along the lines of:

  PID NAME
 1590 com.facebook.katana
13194 com.facebook.katana:providers
12326 com.facebook.orca
13282 com.twitter.android
…

Great, we’re good to go then!

Tracing open() calls in Chrome

Alright, let’s have some fun. Fire up the Chrome app on your device and return to your desktop and run:

$ frida-trace -U -i open -N com.android.chrome
Uploading data...
open: Auto-generated handler …/linker/open.js
open: Auto-generated handler …/libc.so/open.js
Started tracing 2 functions. Press Ctrl+C to stop.

Now just play around with the Chrome app and you should start seeing open() calls flying in:

1392 ms	open()
1403 ms	open()
1420 ms	open()

You can now live-edit the aforementioned JavaScript files as you read man open, and start diving deeper and deeper into your Android apps.

Building your own tools

While the CLI tools like frida, frida-trace, etc., are definitely quite useful, there might be times when you’d like to build your own tools harnessing the powerful Frida APIs. For that we would recommend reading the chapters on Functions and Messages, and anywhere you see frida.attach() just substitute that with frida.get_usb_device().attach().