Using a Local Frida Client

Step-by-step guide to using a local Frida client to interact with a remote Frida server running on iOS and Android devices hosted in the cloud, with and without the VPN, including setup and execution. This approach is useful for hooking into an application before it launches, which Corellium’s built-in Frida feature set cannot do.

Executing Frida using the VPN

Ensure you're connected to the Corellium VPN using the OpenVPN configuration from the web interface. Also, install Frida and USBFlux on your local machine.

Executing Frida on Rooted Android

  1. Connect over ADB
    adb connect <device-services-ip>:5001 
  2. Run a Frida script
    frida -U -f package_name -l android-jailbreak.js 
    • -U: Targets a USB-connected device or Frida server
    • -f: Launches the app by package name
    • -l: Loads the script (android-jailbreak.js)

Executing Frida on Non-Rooted Android

  1. Connect over ADB

    adb connect <device-services-ip>:5001 
  2. Patch the APK with Frida Gadget

    objection patchapk --source app.apk
  3. Add Frida Gadget Config File

    {
      "interaction": {
        "type": "listen",
        "address": "0.0.0.0",
        "port": 27042,
        "on_load": "resume"
      }
    }

    Place the config file in lib/arm64-v8a/ inside the APK.

  4. Repack the APK (ensuring resources.arsc is uncompressed)

    unzip app-patched.apk -d unpacked/
    cd unpacked/
    zip -0 -X -r ../app-fixed.apk . -x "resources.arsc"
    zip -0 -X ../app-fixed.apk resources.arsc
  5. Align the APK

    zipalign -p -f 4 app-fixed.apk app-aligned.apk
  6. Sign the APK

    Generate a debug keystore (only once):

    keytool -genkey -v -keystore debug.keystore -alias debugkey \
    -keyalg RSA -keysize 2048 -validity 10000 \
    -storepass android -keypass android \
    -dname "CN=Android Debug,O=Android,C=US"

    Use APK Signer to Sign the APK:

    apksigner sign --ks debug.keystore --ks-key-alias debugkey \
    --ks-pass pass:android --key-pass pass:android \
    --out app-signed.apk app-aligned.apk
  7. Install the APK

    adb install -r app-signed.apk
  8. Launch and Attach with Frida

    Manually launch the app on device, then attach:

    frida -U -n com.your.app

    Note: Frida will not be able to spawn the application on a Non-Rooted device. Please ensure you manually launch the app via the Corellium UI before running the command above.
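
An added example, not part of the original guide: a Python check that the APK repacked in steps 3 and 4 still stores resources.arsc uncompressed and carries a parseable Gadget config, and that reports the address and port the Gadget will listen on. The `lib*.config.so` file name and the `build_sample_apk` helper are assumptions made for this example; the page does not name the config file.

```python
import io
import json
import zipfile

GADGET_DIR = "lib/arm64-v8a/"  # directory named in step 3


def check_patched_apk(apk):
    """Return (problems, endpoint) for a repacked APK given as path or file object."""
    problems, endpoint = [], None
    with zipfile.ZipFile(apk) as zf:
        entries = {i.filename: i for i in zf.infolist()}
        arsc = entries.get("resources.arsc")
        if arsc is None:
            problems.append("resources.arsc missing")
        elif arsc.compress_type != zipfile.ZIP_STORED:
            problems.append("resources.arsc is compressed")
        # Assumption: the config sits beside the gadget as lib<name>.config.so.
        configs = [n for n in entries
                   if n.startswith(GADGET_DIR) and n.endswith(".config.so")]
        if not configs:
            problems.append("no gadget config in " + GADGET_DIR)
            return problems, endpoint
        try:
            inter = json.loads(zf.read(configs[0]))["interaction"]
            endpoint = "%s:%d" % (inter["address"], inter["port"])
        except (ValueError, KeyError, TypeError):
            problems.append("gadget config lacks a usable 'interaction' block")
            return problems, endpoint
    if inter.get("type") != "listen":
        problems.append("interaction type is not 'listen'")
    return problems, endpoint


def build_sample_apk(compress_arsc, address):
    """Constructed in-memory stand-in for an APK, for demonstration only."""
    cfg = {"interaction": {"type": "listen", "address": address,
                           "port": 27042, "on_load": "resume"}}
    method = zipfile.ZIP_DEFLATED if compress_arsc else zipfile.ZIP_STORED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00" * 64, method)
        zf.writestr(GADGET_DIR + "libfrida-gadget.config.so", json.dumps(cfg))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(check_patched_apk(build_sample_apk(False, "0.0.0.0")))
    print(check_patched_apk(build_sample_apk(True, "127.0.0.1")))
```

Pass the path of the signed APK (for example `check_patched_apk("app-signed.apk")`) to run the same check on a real build before installing it.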

Executing Frida on Jailbroken iOS

  1. Verify device connection (optional)

    idevice_id -l
  2. Run a Frida script

    frida -U -f bundle_identifier -l jailbreak.js
    • -U: USB or local Frida device
    • -f: App bundle identifier
    • -l: Script to inject

Executing Frida on Non-Jailbroken iOS

  1. Mount the Developer Disk Image

    or

    • Install pymobiledevice3 and libusb. These will be used to mount a Developer Disk Image to the Corellium VM
      pip install -U pymobiledevice3 && brew install libusb
    • Mount:
      pymobiledevice3 mounter auto-mount
  2. Place Frida Gadget

    Info: This refers to your local machine’s Frida cache directory. Create the path if it doesn't exist.

    • macOS: ~/.cache/frida/gadget-ios.dylib
  3. Run a Frida Script

    idevice_id -l
    frida-ps -Ua
    frida -U -f bundle_identifier -l jailbreak.js

    Note: This only applies to apps marked as debuggable.


Executing Frida without the VPN

Use SSH tunneling and Frida.

ssh -M -Ssock -N -f -L 27042:[remote-host]:27042 [jump-server]  # iOS
ssh -M -Ssock -N -f -L 5001:[remote-host]:5001 [jump-server] # Android

Port Forwarding

Executing Frida on iOS without a VPN connection requires properly configured Port Forwarding, as Frida communicates over TCP port 27042.

Note: Port Forwarding is not available in Viper Essentials Licenses.

Executing Frida on Rooted Android

  1. Connect over ADB
    adb connect localhost:5001 
  2. Run a Frida script
    frida -U -f package_name -l android-jailbreak.js 
    • -U: Targets a USB-connected device or Frida server
    • -f: Launches the app by package name
    • -l: Loads the script (android-jailbreak.js)

Executing Frida on Non-Rooted Android

  1. Connect over ADB

    adb connect localhost:5001 
  2. Patch the APK with Frida Gadget & Execute Frida

Executing Frida on Jailbroken iOS

  1. Run a Frida script
    frida -H localhost:27042 -f bundle_identifier -l jailbreak.js
    • -H: Remote Frida Server Host
    • -f: App bundle identifier
    • -l: Script to inject

Executing Frida on Non-Jailbroken iOS

Not currently supported.


Sample Frida Scripts

Example Frida scripts can be found on Frida Code Share.