Injecting Frida into an Android App

Download the Frida Gadget build that matches the architecture of the app you are assessing (the ABI folders under lib/ inside the APK tell you which one the app ships). The gadget is a shared library that will be injected into the .apk file; you can make any other changes you need before repackaging as well.

You will need the bare .so file for the next step. The gadget is published as a compressed .so.xz file, so decompress it first (unxz handles it) and keep the resulting .so.

Decode the .apk file with apktool:

apktool d filename.apk

You will now have a decoded folder. cd into it and look for the lib folder, which contains one subfolder per architecture (ABI), for example lib/armeabi-v7a. Use the subfolder that matches the gadget you downloaded. If the app ships no native code the lib folder will not exist; create it, with the ABI name that your device actually runs the app under.

Copy the Frida Gadget .so file into that directory and name it libfrida-gadget.so: System.loadLibrary("frida-gadget") (injected in the next step) resolves the name by prepending lib and appending .so, so any other file name will not be found.

cp /path/to/frida-gadget.so ../path/path/lib/armeabi-v7a/libfrida-gadget.so

For the gadget to start, inject a System.loadLibrary call somewhere that runs as early as possible, before the rest of the app's code executes. Look at the manifest to find candidates: the onCreate method of the main activity (the activity with the MAIN/LAUNCHER intent filter) is a reasonable choice. If the manifest declares a custom Application class (android:name on the application element), its attachBaseContext or onCreate runs before any activity and is the earliest hook available.

Edit the method's .smali so these are its first two instructions, placed right after the .locals/.registers line. v0 must be a local register: if the method declares .locals 0, raise it to .locals 1, otherwise v0 aliases p0 (this) and the method will break.

const-string v0, "frida-gadget"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V


Ensure the manifest grants the INTERNET permission. In its default mode the gadget listens on a TCP socket (port 27042) for the Frida client, and an app without the permission cannot open it:

<uses-permission android:name="android.permission.INTERNET" />
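The smali and manifest edits above are easy to get subtly wrong by hand (the register directive in particular), so here is a small script that performs both. This is an added example, not code from the original tutorial or from the Frida project; it assumes apktool/baksmali-style output (`.method` lines at column 0, a `.locals` or `.registers` directive before the first instruction, parameters named `p0`, `p1`, ...). The sample activity and manifest at the bottom are constructed inputs, and the `frida-gadget` library name matches the `libfrida-gadget.so` file copied into lib/.

```python
"""Insert System.loadLibrary("frida-gadget") at the top of a smali method and
make sure AndroidManifest.xml grants INTERNET. Assumes apktool/baksmali-style
smali (added example; not part of the original tutorial)."""
import re

LOAD_LIBRARY_TEMPLATE = (
    '    const-string v0, "{lib}"\n'
    '    invoke-static {{v0}}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V\n'
)
# directives that may sit between the register directive and the first instruction
_SKIP_PREFIXES = (".param", ".prologue", ".line")


def param_registers(method_line: str) -> int:
    """Registers consumed by a method's parameters, read from its .method line.
    Instance methods get an implicit `this`; J (long) and D (double) take two
    registers; every other type, arrays and objects included, takes one."""
    desc = method_line[method_line.index("(") + 1:method_line.rindex(")")]
    count = 0 if " static " in method_line else 1
    i = 0
    while i < len(desc):
        c = desc[i]
        if c == "[":                      # array reference: one register
            while desc[i] == "[":
                i += 1
            if desc[i] == "L":
                i = desc.index(";", i)
            count += 1
        elif c == "L":                    # object reference: one register
            i = desc.index(";", i)
            count += 1
        elif c in "JD":                   # wide primitive: two registers
            count += 2
        else:                             # other primitive: one register
            count += 1
        i += 1
    return count


def inject_load_library(smali: str, method_sig: str, lib: str = "frida-gadget") -> str:
    """Return `smali` with System.loadLibrary(lib) as the first instructions of
    the method whose name+descriptor is method_sig, e.g. "onCreate(Landroid/os/Bundle;)V"."""
    lines = smali.splitlines(keepends=True)
    for start, line in enumerate(lines):
        if line.startswith(".method") and line.rstrip().endswith(" " + method_sig):
            break
    else:
        raise ValueError(f"method {method_sig} not found")

    i = start + 1
    while not lines[i].strip().startswith((".locals", ".registers")):
        if lines[i].strip() == ".end method":
            raise ValueError(f"{method_sig} has no .locals/.registers directive")
        i += 1
    indent = lines[i][:len(lines[i]) - len(lines[i].lstrip())]
    directive, value = lines[i].split()[:2]
    n = int(value)
    # v0 is only safe to clobber if it is a *local* register. With `.locals 0`, or
    # `.registers N` where N equals the parameter count, v0 aliases the first
    # parameter (p0, i.e. `this`). Grow the frame by one in that case; baksmali
    # names parameters p0.. so they shift cleanly. When locals already exist, v0
    # is uninitialised at method entry, so writing it first is harmless.
    params = param_registers(lines[start])
    if directive == ".locals" and n < 1:
        lines[i] = f"{indent}.locals 1\n"
    elif directive == ".registers" and n - params < 1:
        lines[i] = f"{indent}.registers {params + 1}\n"

    # keep .param/.annotation/.prologue/.line metadata attached to the directive
    i += 1
    while True:
        s = lines[i].strip()
        if s.startswith(".annotation"):
            while lines[i].strip() != ".end annotation":
                i += 1
            i += 1
        elif s == "" or s.startswith(_SKIP_PREFIXES):
            i += 1
        else:
            break
    lines.insert(i, LOAD_LIBRARY_TEMPLATE.format(lib=lib))
    return "".join(lines)


def ensure_internet_permission(manifest_xml: str) -> str:
    """Add the INTERNET uses-permission directly under <manifest> if it is missing."""
    if 'android:name="android.permission.INTERNET"' in manifest_xml:
        return manifest_xml
    opening = re.search(r"<manifest\b[^>]*>[ \t]*\n?", manifest_xml)
    if opening is None:
        raise ValueError("no <manifest> element")
    perm = '    <uses-permission android:name="android.permission.INTERNET" />\n'
    return manifest_xml[:opening.end()] + perm + manifest_xml[opening.end():]


# Constructed sample inputs (a minimal activity and manifest, not from a real app).
SAMPLE_SMALI = """\
.class public Lcom/example/app/MainActivity;
.super Landroid/app/Activity;

# virtual methods
.method protected onCreate(Landroid/os/Bundle;)V
    .registers 2
    .param p1, "savedInstanceState"    # Landroid/os/Bundle;

    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

    return-void
.end method
"""

SAMPLE_MANIFEST = """\
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <application android:label="Example">
        <activity android:name=".MainActivity" android:exported="true" />
    </application>
</manifest>
"""
```

To apply it to a decoded app, read the activity's .smali and AndroidManifest.xml from the apktool output directory, pass them through `inject_load_library` (with `"attachBaseContext(Landroid/content/Context;)V"` as the method if you are hooking a custom Application class) and `ensure_internet_permission`, and write the results back before running apktool b. In the sample, onCreate declares `.registers 2` for exactly two parameter registers (this and the Bundle), so the script raises it to 3 before using v0.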

Make any other changes you want before the next step. For example, if you are testing on an older version of Android you might need to lower the minimum SDK version; apktool records minSdkVersion in apktool.yml next to the decoded manifest and uses it when rebuilding.

Repackage the application with the following command:

apktool b /path/to/dir/unpackedfiles -o patched.apk

The next step is to sign the new .apk file. Android refuses to install unsigned packages, and the original developer's signature no longer matches the modified contents.

If you don't have a keystore you can create one with this command:

keytool -genkey -v -keystore forpatch.keystore -alias patchit -keyalg RSA -keysize 2048 -validity 10000

This creates a new .keystore file in the current directory; keytool prompts for a store password, which is the one passed to -storepass below. Now you can sign the .apk file with the following command:

jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore forpatch.keystore -storepass 123456 patched.apk patchit

Caveat: jarsigner produces a v1 (JAR) signature only, which is what older devices expect (the SHA1 algorithms are there for compatibility with very old Android releases). Android 11 and later refuse to install v1-only APKs that target API level 30 or higher; for those, use apksigner from the SDK build-tools, which adds v2/v3 signatures. In that case run zipalign before apksigner, not after, because aligning a v2-signed APK invalidates the signature.

Use the following command to zipalign the .apk file (the v1 signature from jarsigner survives alignment):

zipalign 4 patched.apk patched-final.apk
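Before installing, it is worth checking that the rebuilt package actually contains the gadget at a path System.loadLibrary can find and that it carries the signature scheme the target device will accept. This is an added example, not code from the original tutorial: it walks the ZIP structure of the APK by hand to detect a v1 signature (META-INF/*.SF plus *.RSA/*.DSA/*.EC) and an APK Signing Block (where apksigner puts v2/v3 signatures), and lists the ABI folders that contain libfrida-gadget.so. `build_sample_apk` produces a constructed stand-in (placeholder entries and an empty signing block) so the checks can run without a real device or keystore.

```python
"""Report gadget placement and signature schemes of a repackaged APK.
Added example, not part of the original tutorial."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"            # ZIP end-of-central-directory signature
SIG_BLOCK_MAGIC = b"APK Sig Block 42"


def has_apk_signing_block(data: bytes) -> bool:
    """True if an APK Signing Block (home of v2/v3 signatures) sits right before
    the central directory. Layout: u64 size | id-value pairs | u64 size | magic,
    where `size` excludes the leading u64 and both size copies must agree."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no end-of-central-directory record: not a ZIP/APK")
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    if cd_offset < 24 or data[cd_offset - 16:cd_offset] != SIG_BLOCK_MAGIC:
        return False
    size = struct.unpack_from("<Q", data, cd_offset - 24)[0]
    start = cd_offset - 8 - size
    return start >= 0 and struct.unpack_from("<Q", data, start)[0] == size


def inspect_apk_bytes(data: bytes, lib_name: str = "libfrida-gadget.so") -> dict:
    """Which lib/<abi>/ folders hold the gadget, and which signature schemes exist."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
    gadget_abis = [n.split("/")[1] for n in names
                   if n.startswith("lib/") and n.endswith("/" + lib_name) and n.count("/") == 2]
    meta = [n.upper() for n in names if n.startswith("META-INF/")]
    v1 = (any(n.endswith(".SF") for n in meta)
          and any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta))
    return {"gadget_abis": gadget_abis, "v1_signed": v1,
            "v2_block": has_apk_signing_block(data)}


def inspect_apk(path: str, lib_name: str = "libfrida-gadget.so") -> dict:
    with open(path, "rb") as f:
        return inspect_apk_bytes(f.read(), lib_name)


def build_sample_apk(v1_signed: bool, v2_block: bool) -> bytes:
    """Constructed stand-in for a patched APK (not a real, verifiable package):
    placeholder entries plus, optionally, v1 signature files and a well-formed
    but empty APK Signing Block, enough to exercise the checks above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<binary manifest placeholder>")
        z.writestr("classes.dex", b"dex\n035\x00 placeholder")
        z.writestr("lib/armeabi-v7a/libfrida-gadget.so", b"\x7fELF placeholder")
        if v1_signed:
            z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            z.writestr("META-INF/PATCHIT.SF", b"Signature-Version: 1.0\n")
            z.writestr("META-INF/PATCHIT.RSA", b"\x30\x82 placeholder PKCS#7")
    data = buf.getvalue()
    if not v2_block:
        return data
    # Splice a zero-pair signing block in front of the central directory and
    # bump the EOCD's central-directory offset; local headers keep their offsets.
    eocd = data.rfind(EOCD_SIG)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    block = struct.pack("<QQ", 24, 24) + SIG_BLOCK_MAGIC   # 0 pairs: size = 8 + 16
    data = data[:cd_offset] + block + data[cd_offset:]
    eocd += len(block)
    return data[:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + data[eocd + 20:]
```

Run `inspect_apk("patched-final.apk")` on the real output: an empty `gadget_abis` means loadLibrary will throw UnsatisfiedLinkError on launch (wrong folder or wrong file name), and `v1_signed` True with `v2_block` False is the jarsigner-only case that newer devices reject for apps targeting API 30 or higher.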

The .apk file can now be installed onto your device with adb install. To confirm the gadget loaded, launch the app: in its default configuration the gadget blocks the app at startup until a Frida client attaches, and frida-ps -U lists the process under the name Gadget. If the app crashes on launch instead, check the library name, the ABI folder and the register directive of the patched method.

Note: tools such as objection automate this whole process, but it is worth understanding what they do behind the scenes.

The following objection command accomplishes what the steps above did, including fetching the matching gadget:

objection patchapk -s binary.apk