← All Cheatsheets

mobile-pentest

Frida — Dynamic Instrumentation & Hooking

Frida dynamic instrumentation toolkit for hooking, bypassing, and analyzing mobile and desktop apps.

16 views Apr 2026 lazyhackers

Setup & Connection (6)

pip install frida-tools

Install Frida CLI tools

install setup

frida-ls-devices

List connected devices

setup devices

frida-ps -U

List processes on USB device

setup processes usb

frida-ps -H 192.168.1.100

List processes on remote device

setup processes remote

frida-server &

Start frida-server on device (run on device via adb shell)

setup server

adb push frida-server /data/local/tmp/ && adb shell "chmod +x /data/local/tmp/frida-server && /data/local/tmp/frida-server &"

Deploy and start frida-server on Android

setup android server

Attach & Spawn (6)

frida -U com.target.app -l hook.js

Attach to running app with script (USB)

attach script

frida -U -f com.target.app -l hook.js --no-pause

Spawn (launch) app with script from start

spawn script

frida -H 192.168.1.100 com.target.app -l hook.js

Attach via remote Frida server

remote attach

frida -U com.target.app

Attach interactively (REPL mode)

attach repl

frida-trace -U -i "open" com.target.app

Trace all calls to open() function

trace function

frida-trace -U -m "-[NSURLSession *]" com.target.app

Trace iOS NSURLSession network calls

trace ios network

Common Hook Scripts (5)

Java.perform(function(){ var SSL = Java.use('com.android.org.conscrypt.TrustManagerImpl'); SSL.checkTrustedRecursive.overload('java.security.cert.X509Certificate[]','byte[]','java.lang.String','boolean','boolean','java.util.List').implementation = function(){ return Java.use('java.util.ArrayList').$new(); }; });

Bypass SSL pinning (Conscrypt TrustManager)

ssl-pinning bypass android

Java.perform(function(){ var RootCheck = Java.use('com.target.app.RootUtils'); RootCheck.isRooted.implementation = function(){ return false; }; });

Bypass root detection — override isRooted()

root-bypass android

Java.perform(function(){ Java.use('android.app.Activity').onResume.implementation = function(){ console.log('[+] onResume called'); this.onResume(); }; });

Hook Android Activity lifecycle

hook android activity

Interceptor.attach(Module.findExportByName('libc.so','open'), { onEnter: function(args){ console.log('open(): ' + Memory.readUtf8String(args[0])); } });

Hook native libc open() calls

hook native libc

Java.perform(function(){ var obj = Java.use('com.target.app.Crypto'); obj.decrypt.implementation = function(data){ var result = this.decrypt(data); console.log('[DECRYPTED] ' + result); return result; }; });

Hook crypto function and log decrypted output

hook crypto decrypt

objection (Frida wrapper) (7)

objection -g com.target.app explore

Launch objection REPL against app

objection repl

android sslpinning disable

Disable SSL pinning (inside objection)

objection ssl-pinning bypass

android root disable

Bypass root detection (inside objection)

objection root bypass

android hooking list classes

List all loaded classes

objection classes

android hooking list class_methods com.target.app.ClassName

List methods of a class

objection methods

android hooking watch class com.target.app.ClassName

Hook all methods in a class

objection hook class

memory dump all /tmp/memdump.bin

Dump app memory

objection memory dump