Android
Prerequisites
| Requirement | Notes |
|---|---|
| Rooted Android device | Required for frida-server; alternatives: gadget repackaging or debugger injection |
adb (Android SDK Platform Tools) | Must be installed on host machine |
frida-server binary | Download from github.com/frida/frida/releases matching device ABI |
| Frida Python package on host | pip install frida-tools |
Recommended test hardware: Pixel or Nexus device running the latest official Android (close to AOSP). Emulator: Google-provided Android 9 image for arm or arm64. x86 emulators are less tested.
Known issue: On some ROMs, Frida may crash the system when launching an app — this is a ROM-specific quirk unrelated to Frida itself.
Step 1 — Identify Device ABI
1adb shell getprop ro.product.cpu.abilist
Common values: arm64-v8a, armeabi-v7a, x86_64, x86. Download the frida-server binary matching the first (preferred) ABI listed.
Step 2 — Decompress frida-server
1unxz frida-server-<version>-android-<abi>.xz
Step 3 — Deploy and Start frida-server on Device
1adb root # escalate adb to root (may not be needed)
2adb push frida-server /data/local/tmp/
3adb shell "chmod 755 /data/local/tmp/frida-server"
4adb shell "/data/local/tmp/frida-server &"
Production build note: If adb root fails with adbd cannot run as root in production builds, prefix each shell command with su -c:
1adb shell "su -c chmod 755 /data/local/tmp/frida-server"
2adb shell "su -c /data/local/tmp/frida-server &"
Evasion tip: Some apps detect frida-server by its default path or name. Rename the binary or deploy to /dev/ instead.
Step 4 — Verify Host–Device Connectivity
1adb devices -l
This ensures the adb daemon is running on the host, which Frida uses to discover the device over USB or Wi-Fi.
Step 5 — Smoke Test with frida-ps
1frida-ps -U
-U selects the USB-connected device. Expected output (process list):
PID NAME
1590 com.facebook.katana
13194 com.facebook.katana:providers
12326 com.facebook.orca
13282 com.twitter.android
...
If this returns a populated list, frida-server is running correctly.
Example: Tracing open() Calls in Chrome
1frida-trace -U -i open -N com.android.chrome
Expected startup output:
Uploading data...
open: Auto-generated handler …/linker/open.js
open: Auto-generated handler …/libc.so/open.js
Started tracing 2 functions. Press Ctrl+C to stop.
Live trace output while using the app:
1392 ms open()
1403 ms open()
1420 ms open()
frida-trace auto-generates JavaScript handler stubs (.js files) that can be live-edited without restarting the trace session.
Key frida-trace Flags
| Flag | Meaning |
|---|---|
-U | Target USB device |
-i <func> | Intercept native function by name (supports wildcards, e.g. -i "open*") |
-N <package> | Target Android app by package name |
-p <pid> | Target process by PID instead of package name |
Building Custom Tools
For programmatic access, use the Frida Python or JavaScript APIs. When adapting desktop examples to Android USB targets, replace:
1session = frida.attach("process_name")
with:
1device = frida.get_usb_device()
2session = device.attach("com.example.app")
Relevant API docs:
Deployment Modes Summary
| Mode | Root Required | Method |
|---|---|---|
frida-server | Yes | Push binary, run as root |
frida-gadget (repackage) | No | Embed .so in APK, resign |
| Debugger injection | No | Attach via JDWP/ptrace |