Frida as an Alternative to Network Tracing

Jay Allen
6 min readMay 11, 2021

With network tracing getting harder, Frida is becoming a better way to break into black boxes.

Picture: (used under license)

Recently, a client asked if I could document the network behavior of a suite of mobile applications running on both Android and iOS. I thought at first that this would be straightforward.

The bad news? It was anything but. The good news? I discovered Frida, which let me tackle the problem in a whole other light.

The Black Boxes Are Getting More Opaque

In the good ol’ days of the Web, it was pretty easy to proxy a Web browser through a web debugging proxy like Fiddler or Burp Suite and capture its traffic. And that still works for many situations. However, there are many cases where this either falls short or is impossible.

A major issue is tracing mobile application behavior. To decrypt a mobile app’s encrypted web traffic over HTTPS, you have to get the app you want to trace to sign requests using a security certificate generated by your debugging proxy. On modern devices, this usually means (for Android) rooting your device with something like Magisk or (for iPhone) jailbreaking with an app such as unc0ver.

Even then, however, you still may not be able to get a specific app to use your user certificate. Many apps use a technique known as certificate pinning. As explained by Ray Wenderlich, pinning associates a host with its certificate or public key, which is bundled with the app at compile time. If an app is using pinning, it’ll reject any attempts at using a user certificate.

And that’s not the end of your woes. What if the app you want to trace isn’t even using HTTP/2.0 for all of its communications? More and more apps are adapting HTTP/3, which doesn’t even use TCP as its transport layer — all messages are sent via the UDP-based protocol QUIC. And some apps use other protocols for specialized tasks; for example, Instagram leverages MQTT for real-time notifications.

What is Frida?

Enter Frida. Frida is, in the words of its developer, “GreaseMonkey for native applications.” It provides a framework for hooking native application function and object method calls on a large variety of platforms — including Android and…