In this tutorial we show how to do function tracing on your Android device.
Setting up your Android device
Before you start, you will need to root your device in case you haven’t done so already. Also note that most of our testing has involved Android 4.4, and while we do support 4.2 all the way through 6.0, there’s for now limited support for ART and we would recommend that you start out with a Dalvik-powered ARM device or emulator for the time being.
You will also need the
adb tool from the Android SDK.
First off, download the latest
frida-server for Android from our releases
page and get it running on your
For the last step, make sure you start frida-server as root, i.e. if you are doing this on a rooted device, you might need to su and run it from that shell.
Next, make sure
adb can see your device:
This will also ensure that the adb daemon is running on your desktop, which allows Frida to discover and communicate with your device regardless of whether you’ve got it hooked up through USB or WiFi.
A quick smoke-test
Now, on your desktop it’s time to make sure the basics are working. Run:
This should give you a process list along the lines of:
Great, we’re good to go then!
Tracing open() calls in Chrome
Alright, let’s have some fun. Fire up the Chrome app on your device and return to your desktop and run:
Now just play around with the Chrome app and you should start seeing
calls flying in:
man open, and start diving deeper and deeper into your Android apps.
Building your own tools
While the CLI tools like frida, frida-trace, etc., are definitely
quite useful, there might be times when you’d like to build your own tools
harnessing the powerful Frida APIs. For that we would
recommend reading the chapters on Functions and
Messages, and anywhere you see
substitute that with