how to use Frida for runtime hooking on cloud phones

May 06, 2026

if you are doing legitimate mobile security research, app behavior analysis, or in-house QA debugging, Frida is the most flexible Android instrumentation tool available. it attaches to a running process and lets you replace methods, log arguments, dump memory, and observe the runtime behavior of Java and native code from a JavaScript script on your laptop. cloud phones are an ideal Frida target because they are real arm64 Android hardware reachable over ADB-over-network, and the cloud phone’s session state is persistent so you can iterate on your hook script without redeploying anything.

this guide covers the full setup: install Frida on your laptop, push the Frida server to the cloud phone, attach to a target app, write a hook that logs method calls, and dump or rewrite arguments at runtime.

what Frida is good for and what it is not

Frida shines for three legitimate workflows. first, security research on apps you own or are authorized to test (your own production app, your client’s app under contract, your CTF target). second, debugging native crashes that need runtime context. third, validating SDK behavior (does the analytics SDK actually send what its docs claim).

Frida is not a tool for bypassing security on apps you do not own. doing so violates computer misuse laws (such as the Computer Misuse Act) in most jurisdictions and the terms of service of every major platform. cloud phones, like any device, are subject to the same legal rules. cloudf.one’s terms forbid using cloud phones for unauthorized access; honor those terms.

for context on cloud phone basics, see cloud phone vs physical Android device and how to set up ADB on cloudf.one.

prerequisites

on your laptop: Python 3.9 or newer, Frida tools, and network reachability to the cloud phone over ADB-over-network. the cloud phone must be rooted or running a debuggable build of the target app. cloudf.one phones offer rooted variants for security research; specify this when you provision.

# install Frida tools on your laptop
pip install frida-tools

# verify
frida --version

note the version number. the frida-server you push to the cloud phone must match this version exactly.

step 1: connect to your cloud phone

adb connect adb-sg.cloudf.one:5555
adb devices

if your cloud phone is not rooted, only debuggable builds of your own apps can be instrumented. for rooted Frida targets, request a rooted phone in cloudf.one provisioning.

step 2: download and push frida-server

frida-server runs on the device and listens for commands from the laptop frida CLI.

# download for arm64 Android (matching your installed frida version)
FRIDA_VER=$(frida --version)
wget https://github.com/frida/frida/releases/download/$FRIDA_VER/frida-server-$FRIDA_VER-android-arm64.xz
xz -d frida-server-$FRIDA_VER-android-arm64.xz

# push to the cloud phone
adb -s adb-sg.cloudf.one:5555 push frida-server-$FRIDA_VER-android-arm64 /data/local/tmp/frida-server
adb -s adb-sg.cloudf.one:5555 shell chmod 755 /data/local/tmp/frida-server

start it on the cloud phone:

adb -s adb-sg.cloudf.one:5555 shell "su -c '/data/local/tmp/frida-server &'"

if not rooted, drop the su -c:

adb -s adb-sg.cloudf.one:5555 shell "/data/local/tmp/frida-server &"

verify from your laptop:

frida-ps -U

you should see a list of processes running on the cloud phone. if frida-ps errors with “no devices found,” restart adb (adb kill-server && adb start-server) and re-connect.

step 3: attach to a running app

pick an app you own. for example, your debug build with package com.example.app.

# launch the app on the cloud phone
adb -s adb-sg.cloudf.one:5555 shell am start -n com.example.app/.MainActivity

# attach Frida by package identifier (-N); -n matches the process name shown by frida-ps instead
frida -U -N com.example.app

you’ll get a Frida REPL connected to the running app process.

step 4: write a hook script

create hook.js:

Java.perform(function() {
    var Login = Java.use("com.example.app.LoginActivity");
    Login.checkPassword.implementation = function(input) {
        console.log("[+] checkPassword called with: " + input);
        var result = this.checkPassword(input);
        console.log("[+] checkPassword returned: " + result);
        return result;
    };
});

run with the script:

frida -U -N com.example.app -l hook.js

now every call to LoginActivity.checkPassword logs the input and the return value. this is the simplest form of method hooking.

step 5: spawn vs attach

attaching catches the app already running. spawning launches the app under Frida control so you can hook methods that fire during cold start.

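# spawn instead of attach
frida -U -f com.example.app -l hook.js

-f says “spawn this package.” current frida-tools resume the app automatically after spawning (pass --pause to keep it suspended); older releases paused by default and needed --no-pause to “let the app run normally after spawning.”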

step 6: hook native code

Frida can also instrument native libraries (.so files).

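// resolve the export through the module object; the library may not be loaded yet
var libcrypto = Process.findModuleByName("libcrypto.so");
var target = libcrypto ? libcrypto.findExportByName("EVP_DecryptInit_ex") : null;
if (target === null) {
    console.log("[-] EVP_DecryptInit_ex not found (is libcrypto.so loaded?)");
} else {
    Interceptor.attach(target, {
        onEnter: function(args) {
            console.log("[+] EVP_DecryptInit_ex called");
            console.log("    cipher: " + args[1]);   // EVP_CIPHER pointer (second argument)
        },
        onLeave: function(retval) {
            console.log("    retval: " + retval);    // 1 on success, 0 on failure
        }
    });
}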

this hooks a native OpenSSL function and logs entries. native hooks are powerful for understanding crypto, networking, and JNI bridges.

step 7: dump memory

Java.perform(function() {
    var addr = ptr("0x7fab123450");   // some address you found
    var data = addr.readByteArray(256);   // read 256 bytes starting at addr
    console.log(hexdump(data));
});

memory dumping is useful for forensics: pulling cached secrets out of the heap, finding decrypted payloads, etc. only do this on apps you own or have authorization to test.

step 8: SSL pinning bypass for legitimate testing

certificate pinning is implemented in Java (in OkHttp, Volley, or custom code) and sometimes in native libraries (BoringSSL). Frida can patch the pin-verify method to always return success.

a common OkHttp pin-bypass:

Java.perform(function() {
    var CertificatePinner = Java.use("okhttp3.CertificatePinner");
    CertificatePinner.check.overload(
        "java.lang.String", "java.util.List"
    ).implementation = function(hostname, peerCertificates) {
        console.log("[+] bypassing pin check for " + hostname);
    };
});

this is for legitimate security research. running this on apps you do not own, or to bypass security in production, is unethical and likely illegal. the OWASP MAS testing guide covers when this is appropriate.

step 9: scripting with the Python API

for repeatable workflows, drive Frida from Python.

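import sys

import frida

PACKAGE = "com.example.app"

def on_message(message, data):
    # message is a dict; payloads sent from the script arrive with type "send"
    print(message)

device = frida.get_usb_device()

# resolve the package identifier to a pid, since attach() by name matches the process name
app = next((a for a in device.enumerate_applications() if a.identifier == PACKAGE), None)
if app is None or app.pid == 0:
    sys.exit(PACKAGE + " is not running on the device")
session = device.attach(app.pid)

with open("hook.js") as f:
    script = session.create_script(f.read())

script.on("message", on_message)
script.load()

sys.stdin.read()   # keep alive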

this is what you’d run in CI to capture traces from automated test runs.
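a hook like the one in step 4 puts the password argument into whatever captures the output, so a CI trace collector should redact before it writes. the following is an added example, not code from the original post: it assumes the hook is changed to call send({method: ..., input: ..., result: ...}) instead of console.log, and the field names in SENSITIVE_KEYS and the sample messages are constructed for illustration.

```python
import json

SENSITIVE_KEYS = {"input", "password", "token"}  # assumed field names; adjust to your hooks

class TraceCollector:
    """Collects Frida script messages and redacts sensitive fields before CI logging."""

    def __init__(self):
        self.events = []   # redacted payloads that the script passed to send()
        self.errors = []   # uncaught exceptions raised inside the injected script

    def on_message(self, message, data):
        # Frida delivers dicts: {"type": "send", "payload": ...} or
        # {"type": "error", "description": ..., "stack": ...}
        if message.get("type") == "send":
            self.events.append(self._redact(message.get("payload")))
        elif message.get("type") == "error":
            self.errors.append(message.get("description", "unknown script error"))

    def _redact(self, value):
        if isinstance(value, dict):
            return {k: "<redacted>" if k.lower() in SENSITIVE_KEYS else self._redact(v)
                    for k, v in value.items()}
        if isinstance(value, list):
            return [self._redact(v) for v in value]
        return value

    def report(self):
        """Return JSON lines for the CI artifact and an exit code (1 if the script threw)."""
        lines = [json.dumps(e, sort_keys=True) for e in self.events]
        return "\n".join(lines), (1 if self.errors else 0)

# constructed sample messages, shaped like what script.on("message", ...) receives
SAMPLE = [
    {"type": "send", "payload": {"method": "checkPassword", "input": "hunter2", "result": False}},
    {"type": "send", "payload": {"method": "checkPassword", "input": "s3cret", "result": True}},
    {"type": "error", "description": "ReferenceError: 'Login' is not defined", "stack": "...", "lineNumber": 3},
]

def run_sample():
    collector = TraceCollector()
    for msg in SAMPLE:
        collector.on_message(msg, None)
    return collector

if __name__ == "__main__":
    text, code = run_sample().report()
    print(text)
    print("exit code:", code)
```

to use it with the driver above, pass collector.on_message to script.on("message", ...) and write report() to the build artifact when the test run ends.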

clean up

stop frida-server when done (drop the su -c if you started it without root):

adb -s adb-sg.cloudf.one:5555 shell "su -c 'pkill frida-server'"

if you do not stop it, the next person to use the cloud phone will inherit your frida-server process.
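one way to confirm the cleanup worked is to check that nothing on the phone is still listening on frida-server's default port, 27042. this is an added example, not part of the original post: it assumes you captured the text of /proc/net/tcp from the device as root, and both samples below are constructed.

```python
FRIDA_DEFAULT_PORT = 27042   # frida-server's default listening port
TCP_LISTEN = "0A"            # state code for LISTEN in /proc/net/tcp

def listening_ports(proc_net_tcp: str):
    """Return {port: local_ip} for every LISTEN socket in /proc/net/tcp text."""
    found = {}
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # the IPv4 address is little-endian hex: 0100007F -> 127.0.0.1
        octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
        found[int(port_hex, 16)] = ".".join(octets)
    return found

def frida_server_left_running(proc_net_tcp: str, port: int = FRIDA_DEFAULT_PORT):
    """True if something is still listening on the frida-server port."""
    return port in listening_ports(proc_net_tcp)

# constructed samples of /proc/net/tcp: a frida-server listener (0x69A2 = 27042),
# adbd on 5555 (0x15B3), and one established client connection (state 01)
BEFORE_CLEANUP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:69A2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 41234 1 0000000000000000 100 0 0 10 0
   1: 00000000:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000  2000        0 20111 1 0000000000000000 100 0 0 10 0
   2: 0100007F:69A2 0100007F:A1B2 01 00000000:00000000 00:00000000 00000000     0        0 41250 1 0000000000000000 20 4 30 10 -1
"""
AFTER_CLEANUP = "\n".join(l for l in BEFORE_CLEANUP.splitlines() if ":69A2" not in l)

if __name__ == "__main__":
    for label, text in (("before", BEFORE_CLEANUP), ("after", AFTER_CLEANUP)):
        print(label, "frida-server listening:", frida_server_left_running(text))
```

the check only covers IPv4 listeners on the default port; a server started on a different address or port needs that port passed in.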

try Frida on a real Singapore cloud phone

register for a free trial and request a rooted Singapore cloud phone for security research. push frida-server, attach to your debug-build app, write a 5-line hook. for ongoing security work, scale to a paid plan with persistent rooted devices.

frequently asked questions

does Frida need root on the cloud phone?

for instrumenting third-party apps, yes. for instrumenting your own debuggable build, no (use gadget mode). cloudf.one offers rooted variants for security research.

can I use Frida on an emulator?

yes, but emulators fail many Android attestation checks (Play Integrity, SafetyNet) that real apps gate behavior on. cloud phones avoid these false negatives because they are real arm64 hardware.

what is the difference between Frida and Xposed?

Xposed (and EdXposed, LSPosed) are persistent module frameworks that hook at boot. Frida is a runtime-attach tool. Frida is more flexible for ad-hoc research; Xposed is better for persistent modifications. cloud phones support both but Frida is the more common research tool.

does Frida persist across reboots?

no. frida-server stops on reboot and your hooks are gone. for persistent modifications, use Xposed. for repeatable research, script the frida-server start in your test setup.

hooking your own apps is legal. hooking apps you have written authorization to test is legal. hooking arbitrary apps without permission is not. follow OWASP MAS testing guidance for ethical scope.