This repository contains various Frida scripts to perform static and dynamic privacy analysis on Android applications to produce summary files.
With the changes in Frida 17, we are now compiling the Frida JavaScript code using the built-in compiler in the Python API. This allows us to include the Java bridge in the code executed. Previously this was bundled globally in Frida and this step was not needed.
This means there are now some Node.js-related files in the project folder, including the node_modules that will be created on the first run of a Frida script.
To share these across the tools that use Frida, make sure to run the scripts from the root of this repo. For example:
    python TLS-intercept/intercept.py
so that the code takes the shared package.json, node_modules, etc.
If you don't, the code will generate the required files in the folder the code was executed from.
- Install AVD and cmdline tools (an install of Android Studio comes with all required tools). The chosen AVD must be a rooted device. Example commands for installation are:
    sdkmanager "system-images;android-30;google_apis;arm64-v8a"
  followed by
    avdmanager create avd --name Pixel3RootedArm64 --device "pixel_3" --package "system-images;android-30;google_apis;arm64-v8a" --abi "arm64-v8a"
- To see installed emulators use
    emulator -list-avds
  and to run an instance of the emulator use
    emulator -avd Pixel3RootedArm64
- Download Frida Server: Download the Frida server for Android from Frida Releases. Ensure the version installed matches the emulator OS version.
- Push Frida Server to Emulator: Push the downloaded Frida server to the emulator's /data/local/tmp directory.
    adb root
    adb push frida-server-XX.X-android-arm64 /data/local/tmp/
- Start Frida Server on Emulator: Change relevant permissions and start the Frida server.
    adb shell chmod 755 /data/local/tmp/frida-server-XX.X-android-arm64
    adb shell /data/local/tmp/frida-server-XX.X-android-arm64 &
- Test installation: Run frida-ps -U to list processes on the connected emulator.
- Emulator is running with Frida server started as set up above.
- Android platform tools and build tools are in PATH (the commands apt and adb are required).
- This repository provides a requirements.txt for installing requirements via pip, but the recommended dependency management system is Poetry. Run poetry install in the root of the repository to install dependencies, then poetry shell to activate the environment.
To do a complete run using all tools, use test-privacy.sh.
Usage: ./test-privacy.sh <package-name> <path-to-apk>.
Example usage: ./test-privacy.sh com.bose.bosemusic ../apkfiles/BoseMusic_8.0.5_Apkpure.apk.
One of the most noteworthy scripts from the suite is the TLS-intercept tool. This hooks into the Android conscrypt function to intercept TLS messages being sent and received by the application in real time.
Usage: python TLS-intercept/intercept.py <package-name> <out-dir>
Example usage: python TLS-intercept/intercept.py com.bose.bosemusic ./logs/bose
Output: The tool runs for 10 seconds by default (can be switched to terminate by user input by uncommenting relevant code in intercept.py) and produces messages.csv, which contains all intercepted messages in the format [MESSAGE_ID, TIMESTAMP, MESSAGE]. Users can then query the database to find messages of interest, for example those containing sensitive information.
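One way to query messages.csv for messages of interest, as an added example that is not code from this repository. It assumes the three columns appear in the order given above, that MESSAGE holds decoded text, and that the pattern categories and sample rows (constructed here) stand in for whatever you actually want to flag.

```python
import csv
import io
import re

# Intercepted TLS payloads can exceed the csv module's default 128 KiB field limit.
csv.field_size_limit(2**31 - 1)

# Illustrative categories only (assumed, not defined by the repository).
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "bearer_token": re.compile(r"authorization:\s*bearer\s+\S+", re.I),
    "uuid_identifier": re.compile(
        r"\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b", re.I),
    "coordinates": re.compile(r'"lat(?:itude)?"\s*:\s*-?\d+\.\d+'),
}

# Constructed sample in the [MESSAGE_ID, TIMESTAMP, MESSAGE] layout.
# Quoted fields may span several lines, as HTTP messages do.
SAMPLE_CSV = '''1,1718000000.10,"POST /v1/register HTTP/1.1
Host: api.example.test

{""email"":""alice@example.test"",""lat"":51.5074,""lon"":-0.1278}"
2,1718000000.42,"GET /config HTTP/1.1"
3,1718000001.05,"POST /track HTTP/1.1
Authorization: Bearer abc.def.ghi

adid=38400000-8cf0-11bd-b23e-10b96e40000d"
'''


def find_sensitive(csv_file):
    """Return {message_id: sorted matched categories} for every flagged row."""
    hits = {}
    for row in csv.reader(csv_file):
        if len(row) != 3:
            continue  # skip malformed or truncated rows
        message_id, _timestamp, message = row
        matched = sorted(n for n, rx in PATTERNS.items() if rx.search(message))
        if matched:
            hits[message_id] = matched
    return hits


if __name__ == "__main__":
    # For a real run, pass open(path, newline="", encoding="utf-8", errors="replace").
    for message_id, categories in find_sensitive(io.StringIO(SAMPLE_CSV)).items():
        print(message_id, ", ".join(categories))
```

A header row, if the file has one, matches none of the patterns and is simply not reported.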