How to Use Frida RPC to Bypass Mobile App Encryption and Build a FastAPI Proxy

This article explains how to employ Frida RPC to intercept and forward encrypted mobile app requests, demonstrates the required environment, provides hook scripts for encryption and decryption, and shows how to wrap them in a FastAPI service for automated crawling.

Python Crawling & Data Mining

Frida RPC Algorithm Forwarding

Introduction

Hello, I'm sharing a tool for app protocol reverse engineering using Frida RPC.

Why Use RPC Forwarding

Most Android apps are built with Java and native C++ code, placing critical encryption in .so libraries, which makes analysis difficult. By using RPC you can directly call Java or native methods, avoiding the need to reverse‑engineer complex encryption layers.

Environment

pixel2   v10 (rooted)
Magisk   v23.0
Charles  v4.6.2
Drony    v1.3.154
Python   v3.8.6
frida    v14.2.18

RPC Forwarding Example

The target app is "dodovip".

Capture

Network capture shows the login API http://api.dodovip.com/api/user/login with an encrypted payload.

Analysis

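Decompiling the APK with jadx and searching for the keyword Encrypt shows that the encryption logic resides in com.dodonew.online.http.RequestUtil. The following Frida script hooks its encryption, parameter-map, and decryption methods and logs their arguments and return values.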

Java.perform(function () {
    function printMap2(map) {
        return Java.cast(map, Java.use("java.util.HashMap"));
    }
    // Hook encryption method
    Java.use("com.dodonew.online.http.RequestUtil").encodeDesMap.overload('java.lang.String','java.lang.String','java.lang.String').implementation = function (data, desKey, desIV) {
        console.log("RequestUtil encodeDesMap is called");
        console.log("data:", data);
        console.log("desKey:", desKey);
        console.log("desIV:", desIV);
        let result = this.encodeDesMap(data, desKey, desIV);
        console.log("Result:", result);
        return result;
    };
    // Hook parameter map method
    Java.use("com.dodonew.online.http.RequestUtil").paraMap.overload('java.util.Map','java.lang.String','java.lang.String').implementation = function (addMap, append, sign) {
        console.log("RequestUtil paraMap is called");
        console.log("addMap:", addMap);
        console.log("addMap (cast):", printMap2(addMap));
        console.log("append:", append);
        console.log("sign:", sign);
        let result = this.paraMap(addMap, append, sign);
        console.log("Result:", result);
        return result;
    };
    // Hook decryption method
    Java.use("com.dodonew.online.http.RequestUtil").decodeDesJson.implementation = function (json, desKey, desIV) {
        console.log("RequestUtil decodeDesJson is called");
        console.log("json:", json);
        console.log("desKey:", desKey);
        console.log("desIV:", desIV);
        let result = this.decodeDesJson(json, desKey, desIV);
        console.log("Result:", result);
        return result;
    };
});

Organize

From the hooks we derive two helper functions: one for request encryption and one for response decryption.

// Request encryption
function callparaMap(username, userPwd, timeStamp) {
    let result = "";
    Java.perform(function () {
        let map = Java.use("java.util.HashMap").$new();
        map.put("timeStamp", timeStamp);
        map.put("loginImei", "Androidnull");
        map.put("equtype", "ANDROID");
        map.put("userPwd", userPwd);
        map.put("username", username);
        let r1 = Java.use("com.dodonew.online.http.RequestUtil").paraMap(map, "sdlkjsdljf0j2fsjk", "sign");
        result = Java.use("com.dodonew.online.http.RequestUtil").encodeDesMap(r1, "65102933", "32028092");
    });
    return result;
}

// Response decryption
function calldecodedesjson(data) {
    let result = "";
    Java.perform(function () {
        result = Java.use("com.dodonew.online.http.RequestUtil").decodeDesJson(data, "65102933", "32028092");
    });
    return result;
}
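
Both helpers pass the DES key and IV as fixed strings, so the values are identical on every install and readable by anyone who holds the APK. For developers auditing their own decompiled build for this pattern, the following added example (not from the original article) flags calls where the key or IV argument is a string literal or a `static final String` constant. Only the two method names and parameter names come from the hooks above; the Java sample and its values are constructed.

```python
import re

# Method names come from the article's hooks; arguments 1 and 2 are key and IV.
CRYPTO_CALLS = ("encodeDesMap", "decodeDesJson")
PARAMS = ("desKey", "desIV")
STRING = r'"(?:[^"\\]|\\.)*"'  # one Java string literal
CALL_RE = re.compile(r"\b(%s)\s*\(" % "|".join(CRYPTO_CALLS))
CONST_RE = re.compile(r'\bstatic\s+final\s+String\s+(\w+)\s*=\s*"')
TOKEN_RE = re.compile(STRING + r'|[(),]|[^"(),]+')

def call_args(src, pos):
    """Split the argument list that starts at src[pos], just after '('."""
    args, cur, depth = [], "", 0
    for tok in (m.group() for m in TOKEN_RE.finditer(src, pos)):
        if tok == ")" and depth == 0:
            return args + [cur.strip()]
        if tok == "," and depth == 0:
            args, cur = args + [cur.strip()], ""
            continue
        depth += (tok == "(") - (tok == ")")  # track nested calls
        cur += tok
    return []  # unbalanced parentheses: not a complete call

def find_constant_key_material(src):
    """Return (line, call, parameter, origin) per constant key/IV argument."""
    constants = set(CONST_RE.findall(src))
    findings = []
    for m in CALL_RE.finditer(src):
        line = src.count("\n", 0, m.start()) + 1
        for param, arg in zip(PARAMS, call_args(src, m.end())[1:3]):
            if re.fullmatch(STRING, arg):
                findings.append((line, m.group(1), param, "string literal"))
            elif arg in constants:
                findings.append((line, m.group(1), param, "constant " + arg))
    return findings

# Constructed stand-in for jadx output; not the app's real source or values.
SAMPLE = '''\
class RequestUtil {
    private static final String DES_KEY = "00000000";
    static String send(String b) { return encodeDesMap(b, DES_KEY, "11111111"); }
    static String recv(String j, Cfg c) { return decodeDesJson(j, c.key(), c.iv()); }
}
'''

if __name__ == "__main__":
    for finding in find_constant_key_material(SAMPLE):
        print("line %d: %s argument %s is a %s" % finding)
```

Findings report the location and origin only, not the secret value, so the output can be attached to a ticket or CI log.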

Build Service

Wrap the Frida script in a FastAPI server to expose HTTP endpoints for encryption and decryption.

from fastapi import FastAPI
from pydantic import BaseModel
import uvicorn, frida

jsCode = """
function callparaMap(username, userPwd, timeStamp) { /* same as above */ }
function calldecodedesjson(data) { /* same as above */ }
rpc.exports = { encrypt: callparaMap, decode: calldecodedesjson };
"""

process = frida.get_usb_device().attach('com.dodonew.online')
script = process.create_script(jsCode)
script.load()

app = FastAPI()

@app.get("/getencrypt")
async def getencrypt(username: str, password: str, timestamp: str):
    result = script.exports.encrypt(username, password, timestamp)
    return {"data": result}

class Item(BaseModel):
    data: str

@app.post("/getdecode")
async def getdecode(item: Item):
    result = script.exports.decode(item.data)
    return {"data": result}

if __name__ == "__main__":
    uvicorn.run(app, port=8080)

Run the server (e.g., python app.py) and access the endpoints on port 8080.

Construct Request

Use the /getencrypt endpoint to obtain the encrypted payload, send it to the real API, then decode the response with /getdecode.

import requests, time, json

dt = int(time.time() * 1000)
# Get encrypted request data
r1 = requests.get(f"http://127.0.0.1:8080/getencrypt?username=18903916120&password=1111&timestamp={dt}").json()
payload = {"Encrypt": r1["data"]}
# Send to real login API
login_resp = requests.post("http://api.dodovip.com/api/user/login", json=payload)
# Decode the response
decode_resp = requests.post("http://127.0.0.1:8080/getdecode", json={"data": login_resp.text}).json()
print(decode_resp)

Summary

The target app applies two layers of DES encryption; by leveraging Frida RPC you can replicate the encryption and decryption logic with only a few lines of JavaScript, expose them via a Python FastAPI service, and automate data collection. The method requires a rooted device or emulator but provides a concise alternative to full static analysis.

Written by

Python Crawling & Data Mining
