75 changes: 74 additions & 1 deletion src/mobile-pentesting/android-app-pentesting/README.md
@@ -18,6 +18,79 @@ This is the main tool you need to connect to an android device (emulated or phys

Take a look to the following list of [**ADB Commands**](adb-commands.md) to learn how to use adb.


## Frida Android Helper (FAH) workflows

FAH is a Python CLI that drives ADB (via pure-python-adb) to automate common Android pentest/reversing tasks. It assumes a rooted device for features like iptables/tcpdump.

Key workflows:

- **Frida-server lifecycle** (fast dynamic instrumentation setup):

```bash
fah server start
fah server stop
fah server reboot
fah server update
fah server update 17.2.1
```

- **Global proxy settings** (system HTTP proxy):

```bash
fah proxy enable
fah proxy enable 192.168.137.137 8888
fah proxy disable
fah proxy get
```

- **Transparent proxy over USB (adb reverse + iptables DNAT)**:

```bash
fah rproxy enable
fah rproxy enable 8888
fah rproxy disable
```

Then run Burp/mitmproxy in transparent mode on the host and keep the device on any Wi-Fi.

- **Exported component enumeration + invocation**:
`fah intent <type> [package] [target]` where `<type>` is `activity|service|receiver|provider`. It lists components and can run by index or emit manual `am` commands. For receivers, it prints one `am broadcast` per manifest action and falls back to `-a fah.intent.TEST` if none is declared.

<details>
<summary>FAH intent examples</summary>

```bash
fah intent activity com.example.app
fah intent activity com.example.app 7
fah intent activity com.example.app manual

fah intent service com.example.app
fah intent service com.example.app 3
fah intent service com.example.app manual

fah intent receiver com.example.app
fah intent receiver com.example.app 2
fah intent receiver com.example.app manual

fah intent provider com.example.app
fah intent provider com.example.app 1
fah intent provider com.example.app manual
```

</details>

- **Runtime DEX dumping (ART DefineClass hook)**:

```bash
fah dexdump com.example.app
fah dexdump com.example.app --duration 45
fah dexdump com.example.app --attach
fah dexdump com.example.app --keep-device-files
```

Outputs to `./fah_dexdump/<deviceSerial>/<package>_<timestamp>/`.

## Smali

Sometimes it is interesting to **modify the application code** to access **hidden information** (maybe well obfuscated passwords or flags). Then, it could be interesting to decompile the apk, modify the code and recompile it.\
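Review bot: The new "## Frida Android Helper (FAH) workflows" section never says where the tool comes from; the only link to the repository is the reference added at the bottom of the file, so a reader of this section has no way to install or verify it. Suggest naming the project with its link in the first sentence, e.g. "FAH ([Frida Android Helper](https://github.com/secuworm2/frida-android-helper2)) is a Python CLI that drives ADB ...", and stating how it is installed if the README documents that. Two smaller Markdown points in the same hunk: the sentences "Then run Burp/mitmproxy in transparent mode on the host ..." and "Outputs to `./fah_dexdump/<deviceSerial>/<package>_<timestamp>/`." are flush-left after their bullet's fenced block, so they render as separate paragraphs that break the list; indent them (and the `<details>` block under the intent bullet) by two spaces so they stay attached to their item. The hunk also leaves two consecutive blank lines before the new heading; one is enough. Finally, the intro sentence mentions tcpdump as a root-only feature, but no `fah` command in the section exercises it; either drop the mention or add the corresponding command so the claim is backed by an example.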
Expand Down Expand Up @@ -900,5 +973,5 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
- [CoRPhone — Android in-memory JNI execution and packaging pipeline](https://github.com/0xdevil/corphone)
- [Jezail rooted Android pentesting toolkit (REST API + Flutter UI)](https://github.com/zahidaz/jezail)

- [Frida Android Helper (FAH)](https://github.com/secuworm2/frida-android-helper2)
{{#include ../../banners/hacktricks-training.md}}
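Review bot: The deletion in this hunk is the blank line that separated the reference list from `{{#include ../../banners/hacktricks-training.md}}`; with the new `- [Frida Android Helper (FAH)](...)` item placed directly above the include directive, the directive can be parsed as a lazy continuation of that list item. Keep a blank line between the last list item and the include, i.e. add the new reference and then re-insert the empty line before `{{#include ...}}`. The new entry's text is also terser than the neighbouring ones (which describe what each tool is); a short descriptor such as "Frida Android Helper (FAH): ADB-driven frida-server, proxy, intent and DEX-dump automation" would match the list's style.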