Imagine a man confined in a room and observed by a researcher over a video surveillance system. Imagine that the surveillance cameras can also, at any time, zoom in-and-out to scrutinize the atoms, molecules, cells, tissues, organs, or organ systems that make up the man. Next, give our imaginary researcher a technology that monitors the man’s vital signs, thoughts, and emotions. Finally, let’s say that same technology allows the researcher to periodically inject thoughts into the man’s brain and study the effects of those implanted thoughts on the man’s behavior.

Of course this tall tale sounds too crazy to be true; because it is (at this time anyway).

The dystopian metaphor, however, illustrates the power of two open-source tools developed by NowSecure security researchers Sergi Alvarez and Ole André Vadla Ravnås. Substitute the man with a mobile app. Substitute the video surveillance/high-powered microscope technology with Radare (created by Sergi), and the thought-monitoring/injection technology with Frida (created by Ole André).

At the end of last year, Sergi (aka pancake) and Ole André (aka oleavr) partnered up to combine the powers of Radare and Frida, creating one of the most powerful mobile app security tools available today — R2Frida. Sergi and Ole André recently answered some questions about Radare and Frida, and why the tools are better together. Below are their answers, some edited for length and clarity.

What are Radare and Frida and what are they used for?

Pancake: Frida is a very flexible and portable dynamic tracer providing Objective-C APIs and optional Python and JavaScript interfaces, which allow a user to interact with target processes from the inside — a crucial part of dynamic analysis.

Radare, on the other hand, focuses on static analysis and low level manipulations — a crucial part of reverse engineering. In addition, Radare provides a compact command line interface and r2pipe bindings for task automation.

I built Radare because I found myself spending a lot of time staring at hex dumps and disassembled code, and existing tools were just not very good.

Oleavr: Frida is a dynamic instrumentation toolkit you can use to tap into running software to observe, augment, or replace behavior. Frida stands out from many existing tools because it doesn’t need access to source code and can be used on iOS and Android devices that aren’t jailbroken or rooted. It lets you do all of this through APIs available from Objective-C, which are also exposed to higher-level languages through bindings (e.g., for JavaScript).

I built Frida to overcome lots of different challenges I faced as both a developer and reverse engineer where observing and modifying running software was key to solving a problem. This is why Frida provides low-level building-blocks meant to be rapidly and easily assembled into tools designed for the task at hand. Whether that’s an API tracer, an in-process fuzzer, a fault-injection tool for quality assurance, or a heads-up display for gamers — Frida is just there to provide the engine so people can build awesome tools.

Frida is used by developers, security researchers, quality assurance engineers, etc., in both open source projects and across a wide range of commercial applications.

Radare is a static analysis engine that allows you to put a piece of software or data under an ultra-powerful microscope to study or modify it. Whereas dynamic analysis tools let you observe software as it’s running, software today is so complex that it’s highly unlikely that the running software will show off all of its tricks while you’re observing it. Behavior tends to change depending on many factors such as the system it runs on, the input provided (e.g., which buttons are pushed, or what is received from a remote server). This is where Radare really shines because it helps you understand the inner machinery of unknown software, find hidden backdoors, spot vulnerabilities in code-paths that are rarely ever unlocked, and unlock those code-paths. Radare also lets you modify the binary that you’re studying. All of this is accessible right from the blazing fast command-line interface, and you can even automate such interactions from a wide range of languages through r2pipe. In addition, Radare also comes with built-in debugging functionality that blows traditional debuggers like GDB (GNU Debugger) and LLDB (LLDB Debugger) out of the water.

What does it mean that these two tools have come together?

Pancake: Combining both tools into one joins the best capabilities of both worlds. You can examine the target process using Radare’s powerful command line interface and static analysis capabilities to, for example, find code and data references, or annotate comments in the disassembly. At the same time, you can use the dynamic, real-time features of Frida to inspect and manipulate the app while it runs from the inside. The combined tool, R2Frida, lowers the entry barrier for Frida users and opens a new horizon of possibilities for Radare users.

Oleavr: R2Frida is an integration where the analyst using Radare gets instant access to the running software through Frida. It also includes an integration in the other direction, where Frida-injected JavaScript code can communicate with a running Radare instance.

How does the integration make each tool more powerful?

Pancake: Having Frida integrate with Radare means you can are now able to attach to remote iOS processes or spawn an application by simply plugging-in the USB cable. R2Frida provides the interface to import all the symbolic and Objective-C information from Frida into Radare, providing a much richer disassembly experience.

Also, if you hook a function using Frida, then Radare can inspect the changes in memory. This is very useful for debugging issues in Frida because Radare can disassemble and patch Frida hooks in real time. R2pipe-frida.js also provides an interface to run Radare commands from Frida, extending the capabilities with a large range of commands and static analysis functionality.

In addition, R2Frida provides Cycript syntax support, the language designed by Saurik in his Cycript tool.  This language provides a higher level method for constructing expressions that interact with native code inside the target app, making it simpler and shorter than using plain JavaScript. This allows users to mix Objective-C-like syntax with plain JavaScript, so working with pointers and structs is more natural, while still enjoying all the benefits of a dynamic language like JavaScript. This makes it easier to inspect and manipulate an application’s behavior.

Oleavr: I strongly believe that combining static and dynamic analysis results in the whole being greater than the sum of its parts. Studying code in Radare and being able to instantly see how the code behaves when it’s running (e.g., by seeing what the input data may look like in any part of the system) really accelerates the analysis process.

Likewise, understanding software by observing its behavior with Frida is much easier if you can instantly dive into the code and look at the surrounding logic. You can also quickly gain an understanding of which parts of the program are touched during normal operation by finding internal functions with Radare and then placing probes on all of them with Frida. For example, with this knowledge you can then explore a new part of the program manually by hitting a button that wasn’t touched previously and quickly see what kind of new code-paths are reached as a result.

This is a game-changer because it’s all about context – i.e., some code may not be very clear until you observe it at runtime, whereas observing behavior at runtime is much more valuable if you’re also able to see the code that is exhibiting that behavior.

What does the future have in store for Frida, Radare, and the integration of these two powerful tools?

Pancake: The future of both Frida and Radare looks promising.  Each tool has a vibrant community of users and supporters. The ability to create new tools on top of Frida and Radare opens the door to infinite possibilities of new reverse engineering tools for researchers.

Oleavr: What’s so cool about this integration is that it makes it easy to build new tools that harness the combined power of static and dynamic analysis. I’m really excited to see what the community will do with these brand new super-powers.

What is the connection between Frida, Radare, and NowSecure?

Pancake: Both projects are long-standing open source projects that have been around for approximately 10 years. NowSecure hired each of us. So it made a lot of sense for us to cooperate, merge both tools, and provide better open-source tools for researchers.

Oleavr: Both projects were born out of our passions for what started as hobby projects, and those projects were carefully nurtured through the years in our spare-time and on holidays. Then, around 2015, we were introduced to NowSecure and realized our passions and goals aligned really well. NowSecure can harness the projects to bring products to market more quickly, and we creators can provide new features and bug-fixes much faster than we could in only our spare-time. NowSecure has also expanded its team with valuable expertise, and each project gains additional battle-testing and credibility in the field. The hope is that this increased awareness of Frida and Radare will introduce the tools to developers across the globe that can help improve them. This not only benefits the tools themselves, it helps make NowSecure products even better.


Learn more about Frida, Radare, or check out the combination of the two — R2Frida — on GitHub now.

What to read next:

Ole André Vadla Ravnås

linkedin icon twitter icon

Security Researcher at NowSecure

Ole is the creator of Frida, an open-source tool for performing dynamic instrumentation of mobile apps, and indulges his passion for reverse-engineering as a security researcher at NowSecure.