Using a Local Frida Client
Step-by-step guide to using a local Frida client to interact with a remote Frida server running on iOS and Android devices hosted in the cloud, with and without the VPN, including setup and execution. This approach is useful for hooking into an application before it launches, which is a limitation of Corellium’s built-in Frida feature set.
Executing Frida using the VPN
Ensure you're connected to the Corellium VPN using the OpenVPN configuration from the web interface. Also, install Frida and USBFlux on your local machine.
Executing Frida on Rooted Android
- Connect over ADB
  adb connect <device-services-ip>:5001
- Run a Frida script
  frida -U -f package_name -l android-jailbreak.js
  - -U: Targets a USB-connected device or Frida server
  - -f: Launches the app by package name
  - -l: Loads the script (android-jailbreak.js)
Executing Frida on Non-Rooted Android
- Connect over ADB
  adb connect <device-services-ip>:5001
- Patch the APK with Frida Gadget
  objection patchapk --source app.apk
- Add Frida Gadget Config File
  {
    "interaction": {
      "type": "listen",
      "address": "0.0.0.0",
      "port": 27042,
      "on_load": "resume"
    }
  }
  Place the config file in lib/arm64-v8a/ inside the APK.
- Repack the APK (ensuring resources.arsc is uncompressed)
  unzip app-patched.apk -d unpacked/
  cd unpacked/
  zip -0 -X -r ../app-fixed.apk . -x "resources.arsc"
  zip -0 -X ../app-fixed.apk resources.arsc
- Align the APK
  zipalign -p -f 4 app-fixed.apk app-aligned.apk
- Sign the APK
  Generate a debug keystore (only once):
  keytool -genkey -v -keystore debug.keystore -alias debugkey \
    -keyalg RSA -keysize 2048 -validity 10000 \
    -storepass android -keypass android \
    -dname "CN=Android Debug,O=Android,C=US"
  Use apksigner to sign the APK:
  apksigner sign --ks debug.keystore --ks-key-alias debugkey \
    --ks-pass pass:android --key-pass pass:android \
    --out app-signed.apk app-aligned.apk
- Install the APK
  adb install -r app-signed.apk
- Launch and Attach with Frida
  Manually launch the app on the device, then attach:
  frida -U -n com.your.app
  Note: Frida will not be able to spawn the application on a non-rooted device. Please ensure you manually launch the app via the Corellium UI before running the command above.
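As an added check (example code written for this guide, not part of the original page or of Corellium's or objection's tooling), the following Python validator opens the repacked APK and verifies the two things the procedure above depends on: that resources.arsc is stored uncompressed, and that the Gadget config under lib/arm64-v8a/ matches the JSON shown. It assumes the config file uses Frida's usual naming (the gadget name plus .config.so), which the page does not state, and builds its own constructed sample APK so it runs offline.

```python
import io
import json
import zipfile

# Gadget settings this page's config file specifies.
EXPECTED_INTERACTION = {"type": "listen", "address": "0.0.0.0", "port": 27042, "on_load": "resume"}


def check_patched_apk(apk_bytes: bytes) -> dict:
    """Inspect a repacked APK (as bytes) and report the two common mistakes."""
    findings = {"arsc_stored": False, "gadget_config_ok": False, "problems": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        # resources.arsc must be STORED (method 0); newer Android releases
        # refuse to install an APK whose resources.arsc entry is compressed.
        if "resources.arsc" in names:
            info = zf.getinfo("resources.arsc")
            findings["arsc_stored"] = info.compress_type == zipfile.ZIP_STORED
            if not findings["arsc_stored"]:
                findings["problems"].append("resources.arsc is compressed; repack with zip -0")
        else:
            findings["problems"].append("resources.arsc is missing")
        # Assumption: the config sits beside the gadget in lib/arm64-v8a/ and uses
        # Frida's <gadget name>.config.so naming; the page names only the directory.
        cfgs = [n for n in names if n.startswith("lib/arm64-v8a/") and n.endswith(".config.so")]
        if not cfgs:
            findings["problems"].append("no Gadget config under lib/arm64-v8a/")
        else:
            try:
                interaction = json.loads(zf.read(cfgs[0])).get("interaction", {})
            except ValueError as exc:
                findings["problems"].append(f"Gadget config is not valid JSON: {exc}")
            else:
                wrong = {k: interaction.get(k) for k, v in EXPECTED_INTERACTION.items()
                         if interaction.get(k) != v}
                findings["gadget_config_ok"] = not wrong
                if wrong:
                    findings["problems"].append(f"Gadget config differs from expected: {wrong}")
    return findings


def build_sample_apk(store_arsc: bool, config: dict) -> bytes:
    """Constructed stand-in for an objection-patched APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/arm64-v8a/libfrida-gadget.so", b"\x7fELF" + b"\0" * 32, zipfile.ZIP_DEFLATED)
        zf.writestr("lib/arm64-v8a/libfrida-gadget.config.so", json.dumps(config), zipfile.ZIP_STORED)
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00" * 64,
                    zipfile.ZIP_STORED if store_arsc else zipfile.ZIP_DEFLATED)
    return buf.getvalue()
```

Run check_patched_apk on the bytes of your real app-fixed.apk before the zipalign step; an empty problems list means the repack is ready to align and sign.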
Executing Frida on Jailbroken iOS
- Verify device connection (optional)
  idevice_id -l
- Run a Frida script
  frida -U -f bundle_identifier -l jailbreak.js
  - -U: USB or local Frida device
  - -f: App bundle identifier
  - -l: Script to inject
Executing Frida on Non-Jailbroken iOS
- Mount the Developer Disk Image
  - Download from: https://github.com/mspvirajpatel/Xcode_Developer_Disk_Images/releases
  - Mount:
    ideviceimagemounter -t Developer /path/to/DeveloperDiskImage.dmg /path/to/DeveloperDiskImage.dmg.signature
  or
  - Install pymobiledevice3 and libusb. These will be used to mount a Developer Disk Image on the Corellium VM:
    pip install -U pymobiledevice3 && brew install libusb
  - Mount:
    pymobiledevice3 mounter auto-mount
- Place Frida Gadget
  Info: This refers to your local machine’s Frida cache directory. Create the path if it doesn't exist.
  - macOS:
    ~/.cache/frida/gadget-ios.dylib
- Run a Frida Script
  idevice_id -l
  frida-ps -Ua
  frida -U -f bundle_identifier -l jailbreak.js
  Note: This only applies to apps marked as debuggable.
Executing Frida without the VPN
Use SSH tunneling and Frida.
ssh -M -Ssock -N -f -L 27042:[remote-host]:27042 [jump-server] # iOS
ssh -M -Ssock -N -f -L 5001:[remote-host]:5001 [jump-server] # Android
Port Forwarding
Executing Frida on iOS without a VPN connection requires properly configured Port Forwarding, as Frida communicates over TCP port 27042.
Port Forwarding is not available in Viper Essentials Licenses.
Executing Frida on Rooted Android
- Connect over ADB
  adb connect localhost:5001
- Run a Frida script
  frida -U -f package_name -l android-jailbreak.js
  - -U: Targets a USB-connected device or Frida server
  - -f: Launches the app by package name
  - -l: Loads the script (android-jailbreak.js)
Executing Frida on Non-Rooted Android
- Connect over ADB
  adb connect localhost:5001
- Patch the APK with Frida Gadget & Execute Frida
  Please follow the same steps to patch the application from the VPN section.
Executing Frida on Jailbroken iOS
- Run a Frida script
  frida -H localhost:27042 -f bundle_identifier -l jailbreak.js
  - -H: Remote Frida server host
  - -f: App bundle identifier
  - -l: Script to inject
Executing Frida on Non-Jailbroken iOS
Not currently supported.
Sample Frida Scripts
Example Frida scripts can be found on Frida Code Share.