Master Frida on Android: Server, Gadget, and Inject – Setup, Usage, and Pitfalls
This guide walks through configuring and using Frida's server, gadget, and inject tools on Android devices, detailing installation steps, command‑line usage, persistent and non‑persistent hooking methods, and common pitfalls to avoid for effective mobile reverse engineering.
Introduction
Frida is one of the most widely used tools for Android reverse engineering. It provides a hook framework that allows dynamic inspection of function arguments, return values, code injection, and logic modification without altering the target source code.
frida-server Usage
Requirements: Rooted device.
Effect: No persistent injection; requires a computer‑side script for immediate execution.
Steps:
Download the appropriate frida-server-xxx from the official site (match version and architecture).
Install the Python client tools: pip install frida==<version>, pip install frida-tools, and pip install objection.
Push frida-server-xxx to /data/local/tmp on the device.
Set executable permissions: chmod 777 frida-server-xxx (requires root).
Start the server: ./frida-server-xxx -P.
Connect from the computer using commands such as frida -U -l xxx.js -p pid, frida -U -l xxx.js -n process_name, or objection -g process_name explore.
Proceed with hooking on the device.
For objection, you can load a JavaScript file after connection: import xxx.js.
Typical Java method hooking commands:
android hooking watch class_method method_name --dump-args --dump-return --dump-backtrace (hooks a single method).
android hooking watch class class_name --dump-args --dump-return --dump-backtrace (hooks all methods of a class).
Notes: The three dump parameters control whether arguments, return values, and backtraces are displayed.
Pitfalls:
The process name used with objection -g or frida -U -n must be the name shown by frida-ps -U, not the one from ps -A.
The -P flag improves stability by preventing pre‑load optimizations that could crash the device.
For dynamically loaded code, prefer frida -U -l xxx.js over direct method hooking.
When hooking source‑available methods, use the de‑obfuscated name obtained from tools like JEB.
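The following script is an added example, not code from the original article: it does in a Frida script what the objection command android hooking watch class_method ... --dump-args --dump-return --dump-backtrace does, so it can be loaded with frida -U -l hook_watch.js -n <name from frida-ps -U> (or pointed at by a frida-gadget config, as in the next section). The class and method names are placeholders; the two pure-JS helpers (describeCall, trimBacktrace) are kept free of Frida APIs so they can be checked off-device, and the hook itself only installs when the script actually runs inside Frida.

```javascript
// Added example (not from the original article). TARGET_CLASS and
// TARGET_METHOD are placeholder assumptions, not names from a real app.
'use strict';

const TARGET_CLASS = 'com.example.app.Crypto';   // placeholder
const TARGET_METHOD = 'encrypt';                 // placeholder
const MAX_FRAMES = 8;                            // backtrace depth to print

// Pure-JS helper: render one call as a single log line (args + return value).
function describeCall(className, methodName, args, retval) {
  const argText = args.map((a, i) => `arg[${i}]=${String(a)}`).join(', ');
  return `${className}.${methodName}(${argText}) => ${String(retval)}`;
}

// Pure-JS helper: keep only the top N "at ..." frames of a Java stack trace
// so that a hook on a hot method does not flood the console.
function trimBacktrace(trace, maxFrames) {
  return trace
    .split('\n')
    .map((l) => l.trim())
    .filter((l) => l.startsWith('at '))
    .slice(0, maxFrames);
}

function installHook() {
  Java.perform(function () {
    const Log = Java.use('android.util.Log');
    const Exception = Java.use('java.lang.Exception');

    let clazz;
    try {
      clazz = Java.use(TARGET_CLASS);
    } catch (e) {
      // Typical for code that is loaded later (dynamically loaded dex):
      // the class is not visible to the default class loader yet.
      console.log('[!] class not found yet: ' + TARGET_CLASS + ' (' + e + ')');
      return;
    }

    // Hook every overload of the method, mirroring objection's behaviour.
    clazz[TARGET_METHOD].overloads.forEach(function (overload) {
      overload.implementation = function () {
        const args = Array.prototype.slice.call(arguments);
        const retval = overload.apply(this, arguments);   // call the original
        console.log(describeCall(TARGET_CLASS, TARGET_METHOD, args, retval));
        // Backtrace: the same trick objection uses, a fresh Exception
        // rendered with Log.getStackTraceString.
        const trace = Log.getStackTraceString(Exception.$new());
        trimBacktrace(trace, MAX_FRAMES).forEach((l) => console.log('    ' + l));
        return retval;
      };
    });

    Log.e('frida', 'Have fun!');   // same announcement as the article's gadget script
    console.log('[+] hooked ' + TARGET_CLASS + '.' + TARGET_METHOD);
  });
}

// Only run the Frida-specific part when actually loaded inside Frida.
if (typeof Java !== 'undefined') {
  installHook();
}
```

Load it with frida -U -l hook_watch.js -p <pid> (PID from frida-ps -U) and exercise the app; each call of the target method prints one line with its arguments and return value followed by the trimmed backtrace.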
frida-gadget Usage (Non-Root Hooking)
Requirements (either one): the ability to re-sign the target app, or some other way to inject the gadget library without being constrained by signature verification.
Effect: Supports both persistent injection on the device and remote script execution from a computer.
Steps:
Download the appropriate frida-gadget-xxx (match version and architecture) and extract the .so file.
Place the .so into the target APK's lib directory under the correct ABI folder (e.g., arm64-v8a, armeabi-v7a, x86).
Create a config file named libfrida-gadget.config.so in the same directory as the .so. The file's content follows the format shown in the official documentation.
Inject a call to System.loadLibrary("frida-gadget") via smali code at the application's entry point (or use LIEF to modify the ELF).
Re-package and re-sign the APK (the framework's signing key can be replaced with your own using tools like signerNew.jar).
Install the modified APK on the device.
Place your hook script (e.g., frida_script.js) in /data/local/tmp and make sure the script path in the config file points at it.
Example hook script (shown only as an image in the original article): it logs a message with Log.e and prints "Have fun!".
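As an added example (not the article's own file), this is a libfrida-gadget.config.so in the script-interaction form from the official Gadget documentation, pointing at the script path used in the steps above; "on_change": "reload" makes the gadget re-read the script when the file is replaced, which is convenient while iterating on hooks.

```json
{
  "interaction": {
    "type": "script",
    "path": "/data/local/tmp/frida_script.js",
    "on_change": "reload"
  }
}
```

For the remote-connection workflow mentioned under Pitfalls (frida -H ...:27042), the same file instead uses "type": "listen" with "address" and "port" keys, so the gadget waits for a client rather than loading a script from the device.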
Pitfalls:
When using the framework, adjust the provided config files to match your target version and architecture.
Install required Python libraries (e.g., lief) before running the framework.
APK signing issues may arise on Android 11+ due to misaligned resources.arsc; use zipalign before signing.
Connecting via frida -H 0.0.0.0:27042 is more reliable than USB mode for some devices.
frida-inject Usage (Device-Side Persistent Injection)
Requirements: Rooted device.
Effect: Persistent injection with the script residing on the device; no computer‑side Python or Frida installation needed.
Steps:
Download frida-inject-xxx (match version and architecture) and extract.
Push the binary to /data/local/tmp on the device.
Make it executable: chmod 777 frida-inject-xxx.
Place the JavaScript hook file in the same directory.
Run the injection, e.g.,
./frida-inject-16.1.4-android-arm64 -s frida_script.js -p 5795.
Pitfalls:
The process name for -n must be the app's display name, not the package name; using the PID (-p) is more reliable.
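Both name-related pitfalls on this page (objection -g / frida -n under frida-server, and -n under frida-inject) come down to the same confusion between an app's display name and its package name. As an added example, not code from the original article, the helper below reads the three-column output of frida-ps -Uai (PID, Name, Identifier; "-" in the PID column means installed but not running), resolves a package name to its PID and display name, and builds the exact command lines from this page, preferring -p when the app is running. The embedded frida-ps output is constructed sample data.

```javascript
// Added example (not from the original article). SAMPLE_FRIDA_PS is a
// constructed stand-in for real `frida-ps -Uai` output; column layout matches
// the tool (columns separated by two or more spaces, PID right-aligned).
'use strict';

const SAMPLE_FRIDA_PS = [
  ' PID  Name               Identifier',
  '----  -----------------  -------------------',
  '5795  Example Bank       com.example.bank',     // constructed, running
  '   -  Example Notes      com.example.notes',    // constructed, not running
  '2210  Google Play Store  com.android.vending',
].join('\n');

const INJECT_BIN = './frida-inject-16.1.4-android-arm64';  // name from the page

// Parse frida-ps -Uai output into {pid, name, identifier} rows.
// pid is a number when the app is running, null when it is only installed.
function parseFridaPs(text) {
  return text
    .split('\n')
    .slice(2)                       // drop the header and the dashed rule
    .map((l) => l.trim())
    .filter((l) => l.length > 0)
    .map((l) => {
      const cols = l.split(/\s{2,}/);
      if (cols.length !== 3) {
        throw new Error('unexpected frida-ps line: ' + l);
      }
      const [pidText, name, identifier] = cols;
      const pid = pidText === '-' ? null : Number(pidText);
      return { pid, name, identifier };
    });
}

// Look a row up by package name (the value developers usually have at hand).
function findByIdentifier(entries, identifier) {
  return entries.find((e) => e.identifier === identifier) || null;
}

// Build the command lines used on this page. A running app is addressed by
// PID (more reliable); otherwise fall back to the *display name*, which is
// what -g / -n expect, never the package name.
function buildCommands(entry, scriptPath) {
  const target = entry.pid !== null ? `-p ${entry.pid}` : `-n "${entry.name}"`;
  return {
    frida: `frida -U -l ${scriptPath} ${target}`,
    objection: `objection -g ${entry.pid !== null ? entry.pid : `"${entry.name}"`} explore`,
    inject: `${INJECT_BIN} -s ${scriptPath} ${target}`,
  };
}

// Stand-alone usage over the constructed sample.
const entries = parseFridaPs(SAMPLE_FRIDA_PS);
for (const id of ['com.example.bank', 'com.example.notes']) {
  const entry = findByIdentifier(entries, id);
  console.log(id, '->', JSON.stringify(buildCommands(entry, 'frida_script.js')));
}
```

On a real device replace SAMPLE_FRIDA_PS with the captured output of frida-ps -Uai; the Name column is the string that objection -g, frida -n and frida-inject -n match against, and the PID column is what the page recommends passing with -p.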
Summary
This article introduced the environment setup, basic usage, and common pitfalls for frida-server, frida-gadget, and frida-inject on Android. Advanced topics such as method invocation, SO library hooking, memory address manipulation, and custom parameter logging are beyond the scope of this guide and can be explored via the official Frida JavaScript API documentation.
OPPO Amber Lab
Centered on user data security and privacy, we conduct research and open our tech capabilities to developers, building an information‑security fortress for partners and users and safeguarding OPPO device security.