This directory contains ready-to-use FRIDA scripts for mobile application security testing.
frida-scripts/
├── universal/ # Cross-platform scripts (Android & iOS)
├── android/ # Android-specific scripts
├── ios/ # iOS-specific scripts
└── README.md # This file
Purpose: Bypasses SSL certificate pinning on both Android and iOS Targets:
- Android: OkHTTP3, HttpsURLConnection, X509TrustManager, Volley
- iOS: NSURLSession, SecTrustEvaluate, tls_helper_create_peer_trust
Usage:
frida -U -l universal/ssl-pinning-bypass.js com.example.appPurpose: Bypasses common root detection mechanisms Targets:
- RootBeer library
- File system checks
- Runtime.exec() commands
- Package manager queries
- Build properties
Usage:
frida -U -l android/root-detection-bypass.js com.example.appPurpose: Bypasses anti-debugging techniques Targets:
- Debug.isDebuggerConnected()
- ApplicationInfo.FLAG_DEBUGGABLE
- Native ptrace detection
- Timing-based detection
- Process name checks
Usage:
frida -U -l android/anti-debugging-bypass.js com.example.appPurpose: Bypasses jailbreak detection mechanisms Targets:
- File existence checks
- URL scheme detection (cydia://)
- Sandbox violation detection
- System call monitoring
- Anti-debugging (ptrace)
Usage:
frida -H device-ip -l ios/jailbreak-detection-bypass.js com.example.appPurpose: Bypasses Touch ID/Face ID authentication Targets:
- LAContext evaluatePolicy
- SecItemCopyMatching
- UIAlertController biometric prompts
- Custom biometric implementations
Usage:
frida -H device-ip -l ios/biometric-bypass.js com.example.app# Android (USB)
frida -U -l script.js package.name
# Android (Network)
frida -H device-ip -l script.js package.name
# iOS (Network)
frida -H device-ip -l script.js bundle.identifier
# With spawn (start app)
frida -U -f package.name -l script.js
# Attach to running process
frida -U package.name -l script.jsMost scripts can be customized by modifying:
- Target package/bundle identifiers
- Detection patterns (file paths, strings)
- Return values for bypassed functions
- Logging verbosity
You can combine multiple scripts:
frida -U -l universal/ssl-pinning-bypass.js -l android/root-detection-bypass.js com.example.app// Script header with description and purpose
console.log("[*] Script name loaded");
// Platform detection
if (Java.available) {
// Android-specific code
Java.perform(function() {
// Hook Java methods
});
}
if (ObjC.available) {
// iOS-specific code
// Hook Objective-C methods
}
// Native code hooks (cross-platform)
var nativeFunction = Module.findExportByName("library", "function");
if (nativeFunction) {
Interceptor.attach(nativeFunction, {
onEnter: function(args) {
// Log or modify arguments
},
onLeave: function(retval) {
// Log or modify return value
}
});
}
console.log("[*] Script setup complete!");- Error Handling: Always wrap hooks in try-catch blocks
- Logging: Use consistent logging format
[*],[+],[-] - Platform Detection: Check for Java/ObjC availability
- Graceful Degradation: Continue if specific hooks fail
- Documentation: Comment complex hooks and modifications
Before using scripts in production:
- Test on known vulnerable applications
- Verify hooks are working with logging
- Test on different OS versions
- Check for performance impact
- Validate bypass effectiveness
- Follow the established directory structure
- Use consistent naming conventions
- Include comprehensive documentation
- Test on multiple applications and OS versions
- Update this README.md
/*
* Script Name - Brief Description
* Purpose: Detailed description of what the script does
* Targets: List of specific components/libraries targeted
* Author: Your name/handle
* Version: 1.0
*/
console.log("[*] Script Name loaded");
// Your implementation here
console.log("[*] Script Name setup complete!");-
Script Not Loading
- Check file path and permissions
- Verify FRIDA server is running
- Check device connectivity
-
Hooks Not Working
- Verify target methods exist in the application
- Check for obfuscated method names
- Use
Java.enumerateLoadedClasses()to find classes
-
Application Crashes
- Add error handling to hooks
- Check for null pointers
- Reduce hook complexity
-
Detection Still Works
- Application may use different detection methods
- Check for native/JNI implementations
- Consider additional bypass techniques
// Enable verbose logging
Java.perform(function() {
console.log("[*] Available classes:");
Java.enumerateLoadedClasses({
onMatch: function(name, handle) {
if (name.includes("Security") || name.includes("Root")) {
console.log("Found: " + name);
}
},
onComplete: function() {
console.log("[*] Class enumeration complete");
}
});
});- Only use on applications you own or have authorization to test
- Respect intellectual property rights
- Follow responsible disclosure practices
- Comply with local laws and regulations
These scripts are provided for:
- Security research and education
- Authorized penetration testing
- Application security assessment
- Learning mobile security concepts
Happy scripting! 🔍📱