From e141718ed7ec42438e34def922f20b240fcf94e4 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Mon, 9 Mar 2026 18:58:00 +0000 Subject: [PATCH] Add content from: Frida Android Helper --- .../android-app-pentesting/README.md | 75 ++++++++++++++++++- 1 file changed, 74 insertions(+), 1 deletion(-) diff --git a/src/mobile-pentesting/android-app-pentesting/README.md b/src/mobile-pentesting/android-app-pentesting/README.md index ff7922799c5..27a39cbff85 100644 --- a/src/mobile-pentesting/android-app-pentesting/README.md +++ b/src/mobile-pentesting/android-app-pentesting/README.md @@ -18,6 +18,79 @@ This is the main tool you need to connect to an android device (emulated or phys Take a look to the following list of [**ADB Commands**](adb-commands.md) to learn how to use adb. + +## Frida Android Helper (FAH) workflows + +FAH is a Python CLI that drives ADB (via pure-python-adb) to automate common Android pentest/reversing tasks. It assumes a rooted device for features like iptables/tcpdump. + +Key workflows: + +- **Frida-server lifecycle** (fast dynamic instrumentation setup): + +```bash +fah server start +fah server stop +fah server reboot +fah server update +fah server update 17.2.1 +``` + +- **Global proxy settings** (system HTTP proxy): + +```bash +fah proxy enable +fah proxy enable 192.168.137.137 8888 +fah proxy disable +fah proxy get +``` + +- **Transparent proxy over USB (adb reverse + iptables DNAT)**: + +```bash +fah rproxy enable +fah rproxy enable 8888 +fah rproxy disable +``` + +Then run Burp/mitmproxy in transparent mode on the host and keep the device on any Wi-Fi. + +- **Exported component enumeration + invocation**: +`fah intent [package] [target]` where `` is `activity|service|receiver|provider`. It lists components and can run by index or emit manual `am` commands. For receivers, it prints one `am broadcast` per manifest action and falls back to `-a fah.intent.TEST` if none is declared. + +
+FAH intent examples + +```bash +fah intent activity com.example.app +fah intent activity com.example.app 7 +fah intent activity com.example.app manual + +fah intent service com.example.app +fah intent service com.example.app 3 +fah intent service com.example.app manual + +fah intent receiver com.example.app +fah intent receiver com.example.app 2 +fah intent receiver com.example.app manual + +fah intent provider com.example.app +fah intent provider com.example.app 1 +fah intent provider com.example.app manual +``` + +
+ +- **Runtime DEX dumping (ART DefineClass hook)**: + +```bash +fah dexdump com.example.app +fah dexdump com.example.app --duration 45 +fah dexdump com.example.app --attach +fah dexdump com.example.app --keep-device-files +``` + +Outputs to `./fah_dexdump//_/`. + ## Smali Sometimes it is interesting to **modify the application code** to access **hidden information** (maybe well obfuscated passwords or flags). Then, it could be interesting to decompile the apk, modify the code and recompile it.\ @@ -900,5 +973,5 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th - [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools) - [CoRPhone — Android in-memory JNI execution and packaging pipeline](https://github.com/0xdevil/corphone) - [Jezail rooted Android pentesting toolkit (REST API + Flutter UI)](https://github.com/zahidaz/jezail) - +- [Frida Android Helper (FAH)](https://github.com/secuworm2/frida-android-helper2) {{#include ../../banners/hacktricks-training.md}}
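Review bot: in the first hunk (`@@ -18,6 +18,79 @@`), the usage line for exported component enumeration, `fah intent [package] [target]` where `` is `activity|service|receiver|provider`, has lost its component-type placeholder, so the documented syntax no longer matches the examples that follow (`fah intent activity com.example.app 7`: type first, then package, then an optional index or `manual`). Write the placeholder in backticks so Markdown renders it literally, e.g. `fah intent <type> [package] [target]`, and apply the same fix to the dexdump output path `./fah_dexdump//_/`, whose package and timestamp/pid segments are empty as shown here. The `FAH intent examples` block should also be checked for its collapsible wrapper: the lines around it (`+`, `+FAH intent examples`, `+`) carry no `<details>`/`<summary>` markup in this view, so confirm the section actually renders as a collapsible block in mdBook. Lastly, the root requirement is stated only once at the top ("assumes a rooted device for features like iptables/tcpdump"); repeat it beside the `rproxy` workflow, which is the one that installs iptables DNAT rules, and either document the `tcpdump` feature or drop it from that sentence, since nothing else in the section mentions it.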
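Review bot: in the second hunk (`@@ -900,5 +973,5 @@`), the blank line that separated the references list from the `{{#include ../../banners/hacktricks-training.md}}` directive is removed (`-` followed by `+- [Frida Android Helper (FAH)](...)`), so the include now sits directly under the last list item with no separator. Add the new FAH entry after the Jezail line and keep the empty line before the include, matching how the rest of the page separates the list from the banner include and avoiding the directive being parsed as part of the list.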