ReddRadar
Agent skill
performing-dynamic-analysis-of-android-app
Performs runtime dynamic analysis of Android applications using Frida, Objection, and Android Debug Bridge to observe application behavior during execution, intercept function calls, modify runtime values, and identify vulnerabilities that static analysis misses. Use when testing Android apps for runtime security flaws, hooking sensitive methods, bypassing client-side protections, or analyzing obfuscated applications. Activates for requests involving Android dynamic analysis, runtime hooking, Frida Android instrumentation, or live app behavior analysis.
Install this agent skill to your Project
npx add-skill https://github.com/mukul975/Anthropic-Cybersecurity-Skills/tree/main/skills/performing-dynamic-analysis-of-android-app
SKILL.md
Performing Dynamic Analysis of Android App
When to Use
Use this skill when:
- Static analysis results need runtime validation on an actual Android device
- The target app uses obfuscation (DexGuard, custom packers) that prevents effective static analysis
- Testing requires observing actual API calls, decrypted data, or runtime-generated values
- Assessing root detection, tamper detection, or anti-debugging implementations
Do not use this skill on production environments without authorization -- dynamic instrumentation can alter app behavior and trigger security alerts.
Prerequisites
- Rooted Android device or emulator (Genymotion, Android Studio AVD with writable system)
- Frida server installed on device matching the architecture (arm64, x86_64)
- Python 3.10+ with
frida-toolsandobjectionpackages - ADB configured and device connected
- Target APK installed on device
Workflow
Step 1: Setup Frida Server on Android Device
# Check device architecture
adb shell getprop ro.product.cpu.abi
# Output: arm64-v8a
# Download matching Frida server from GitHub releases
# https://github.com/frida/frida/releases
# Push to device
adb push frida-server-16.x.x-android-arm64 /data/local/tmp/frida-server
adb shell chmod 755 /data/local/tmp/frida-server
adb shell /data/local/tmp/frida-server &
# Verify Frida connection
frida-ps -U
Step 2: Enumerate Application Attack Surface
# List all packages
frida-ps -U -a
# Attach Objection for high-level exploration
objection --gadget com.target.app explore
# List activities, services, receivers
android hooking list activities
android hooking list services
android hooking list receivers
# List loaded classes
android hooking list classes
android hooking search classes com.target.app
Step 3: Hook Sensitive Methods
# Hook all methods of a class
android hooking watch class com.target.app.auth.LoginManager
# Hook specific method with argument dumping
android hooking watch class_method com.target.app.auth.LoginManager.authenticate --dump-args --dump-return
# Hook crypto operations
android hooking watch class javax.crypto.Cipher --dump-args
android hooking watch class java.security.MessageDigest --dump-args
# Hook network calls
android hooking watch class okhttp3.OkHttpClient --dump-args
android hooking watch class java.net.URL --dump-args
Step 4: Write Custom Frida Scripts for Deep Analysis
// hook_crypto.js - Intercept encryption/decryption operations
Java.perform(function() {
var Cipher = Java.use("javax.crypto.Cipher");
Cipher.doFinal.overload("[B").implementation = function(input) {
var mode = this.getAlgorithm();
console.log("[Cipher] Algorithm: " + mode);
console.log("[Cipher] Input: " + bytesToHex(input));
var result = this.doFinal(input);
console.log("[Cipher] Output: " + bytesToHex(result));
return result;
};
function bytesToHex(bytes) {
var hex = [];
for (var i = 0; i < bytes.length; i++) {
hex.push(("0" + (bytes[i] & 0xFF).toString(16)).slice(-2));
}
return hex.join("");
}
});
# Execute custom Frida script
frida -U -f com.target.app -l hook_crypto.js --no-pause
Step 5: Bypass Root Detection
// root_bypass.js - Common root detection bypass
Java.perform(function() {
// Bypass RootBeer library
var RootBeer = Java.use("com.scottyab.rootbeer.RootBeer");
RootBeer.isRooted.implementation = function() {
console.log("[RootBeer] isRooted() bypassed");
return false;
};
// Bypass generic file-based root checks
var File = Java.use("java.io.File");
var originalExists = File.exists;
File.exists.implementation = function() {
var path = this.getAbsolutePath();
var rootPaths = ["/system/app/Superuser.apk", "/system/xbin/su",
"/sbin/su", "/system/bin/su", "/data/local/bin/su"];
if (rootPaths.indexOf(path) >= 0) {
console.log("[Root] Blocked check for: " + path);
return false;
}
return originalExists.call(this);
};
// Bypass SafetyNet/Play Integrity
try {
var SafetyNet = Java.use("com.google.android.gms.safetynet.SafetyNetApi");
console.log("[SafetyNet] Class found - may need additional bypass");
} catch(e) {}
});
Step 6: Analyze Network Communication at Runtime
// network_monitor.js - Monitor all HTTP requests
Java.perform(function() {
// Hook OkHttp3
try {
var OkHttpClient = Java.use("okhttp3.OkHttpClient");
var Interceptor = Java.use("okhttp3.Interceptor");
var Chain = Java.use("okhttp3.Interceptor$Chain");
console.log("[OkHttp] Monitoring network requests...");
var Request = Java.use("okhttp3.Request");
Request.url.implementation = function() {
var url = this.url();
console.log("[OkHttp] URL: " + url.toString());
return url;
};
} catch(e) {
console.log("[OkHttp] Not found, trying HttpURLConnection");
}
// Hook HttpURLConnection
var URL = Java.use("java.net.URL");
URL.openConnection.overload().implementation = function() {
console.log("[URL] Opening: " + this.toString());
return this.openConnection();
};
});
Step 7: Extract Decrypted Data and Secrets
# Using Objection for quick extraction
objection --gadget com.target.app explore
# Dump Android Keystore entries
android keystore list
android keystore dump
# Search heap for sensitive objects
android heap search instances com.target.app.model.User
android heap evaluate <handle> "JSON.stringify(clazz)"
# Memory string search
memory search "password" --string
memory search "api_key" --string
Key Concepts
| Term | Definition |
|---|---|
| Dynamic Instrumentation | Modifying application behavior at runtime by injecting code into the running process |
| Method Hooking | Replacing or wrapping function implementations to intercept arguments and return values |
| Frida Server | Daemon running on the target device that receives instrumentation commands from the host |
| Dalvik/ART Runtime | Android runtime environments; Frida hooks at the ART level for Java/Kotlin methods |
| Heap Inspection | Examining live objects in the application's memory heap to extract runtime data |
Tools & Systems
- Frida: Dynamic instrumentation toolkit for injecting JavaScript into native Android processes
- Objection: Higher-level Frida wrapper with pre-built Android and iOS security testing commands
- frida-trace: Automated method tracing utility for quick reconnaissance of app behavior
- Drozer: Android security assessment framework for testing IPC and exported components
- Android Studio Profiler: Runtime monitoring for CPU, memory, and network activity
Common Pitfalls
- Frida version mismatch: The Frida server on the device must match the frida-tools version on the host. Version mismatches cause connection failures.
- Anti-Frida detection: Some apps detect Frida by checking for the Frida server process, scanning memory for Frida signatures, or monitoring
/proc/self/maps. Use Frida Gadget injection or custom server builds. - Obfuscated class names: When ProGuard/R8 is applied, class and method names are shortened (e.g.,
a.b.c.d()). Useandroid hooking search classesto discover actual runtime names. - Multi-DEX apps: Large apps split across multiple DEX files may not have all classes loaded at startup. Hook class loaders or use
Java.enumerateLoadedClasses()after app is fully initialized.
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
mukul975/Anthropic-Cybersecurity-Skills
mapping-mitre-attack-techniques
Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.
mukul975/Anthropic-Cybersecurity-Skills
hunting-for-spearphishing-indicators
Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.
mukul975/Anthropic-Cybersecurity-Skills
analyzing-malicious-url-with-urlscan
URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
mukul975/Anthropic-Cybersecurity-Skills
implementing-zero-standing-privilege-with-cyberark
Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.
mukul975/Anthropic-Cybersecurity-Skills
implementing-pam-for-database-access
Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia
mukul975/Anthropic-Cybersecurity-Skills
detecting-t1003-credential-dumping-with-edr
Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.
Didn't find tool you were looking for?