This week marked the debut of Frida 12.3, an open-source dynamic instrumentation toolkit. NowSecure Security Researcher Ole André Vadla Ravnås created Frida, and the company sponsors and maintains the open-source software (OSS) toolkit, which is used by developers, reverse engineers and security researchers around the globe. NowSecure strongly supports OSS by hosting many projects on GitHub and sponsoring projects such as Capstone Engine.

The latest Frida release offers an exciting new app crash reporting feature that will save users untold time in determining what went wrong. Previously, if you launched an app that crashed, Frida notified you that the process had terminated, but you wouldn’t know why.

However, this Frida 12.3 enhancement changes that. Thanks to integration with native crash reporting for Android and iOS, Frida provides more details about the cause of failed jobs and enhances iOS crash reporting. In the video below, Ole André explains how the new 12.3 feature captures a simulated buggy application’s behavior, demonstrating how Frida responds to different crash scenarios, and how the new Crash details inform developers.

 

 

Designed for advanced users, Frida is built into NowSecure solutions and comprises a major portion of our dynamic application security testing solution. Frida has been used to test hundreds of thousands of applications at scale as part of the NowSecure platform. You can see how it’s incorporated by obtaining a demo of the NowSecure platform.

Internally, our NowSecure team uses the Frida 12.3 crash reporting feature to help distinguish between the different reasons a mobile app crashes while performing dynamic application security testing (DAST). For example, a mobile app might crash due to a flaw in the app or testing environment, or because instrumentation slightly alters timing and exposes a bug.

Making it easy to surface why an app crashed significantly speeds the triage process and reduces technical support issues. This in turn benefits our customers in the form of faster time to resolution.

Drilling Down to the Frida API Level

For users of the Frida APIs, the new crash reporting feature is visible in two places:

  1. The Session class’s existing detached() signal previously took a single parameter, the detach reason. It now takes a second argument: a Crash object, or null/None if no crash occurred (or no crash reporter integration is available for the current platform).
  2. The Device class now has a new signal named process-crashed, which is passed a single parameter: a Crash object. This is useful for monitoring crashes system-wide.

The Crash object has the process ID of the process that crashed, its name, a human-readable summary of the crash, the raw report generated by iOS/Android, and a dictionary of platform-specific parameters.
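The two signals described above, wired up with Frida's Python bindings, as an added example that is not code from NowSecure or the Frida project. It assumes a USB-connected device and the binding's Crash attribute names (pid, process_name, summary, report, parameters); the helpers crash_record and watch are hypothetical names introduced here.

```python
import threading


def crash_record(source, crash, reason=None):
    """Flatten a detach/crash event into a dict suitable for triage logs."""
    record = {"source": source, "reason": reason, "crashed": crash is not None}
    # crash is None when the process did not crash, or when no crash
    # reporter integration is available on the current platform.
    if crash is not None:
        record.update(
            pid=crash.pid,
            process_name=crash.process_name,
            summary=crash.summary,
            report=crash.report,
            parameters=dict(crash.parameters),
        )
    return record


def watch(device, session, sink):
    """Subscribe to both signals; each event is appended to sink as a dict."""
    done = threading.Event()

    def on_detached(reason, crash):  # Session signal: reason plus Crash or None
        sink.append(crash_record("session", crash, reason))
        done.set()

    def on_process_crashed(crash):  # Device signal: system-wide crashes
        sink.append(crash_record("device", crash))

    session.on("detached", on_detached)
    device.on("process-crashed", on_process_crashed)
    return done


def main(identifier):
    import frida  # imported lazily so the helpers load without Frida installed

    device = frida.get_usb_device()
    pid = device.spawn([identifier])  # starts suspended
    session = device.attach(pid)
    events = []
    done = watch(device, session, events)
    device.resume(pid)
    done.wait()  # returns once the session has detached
    for event in events:
        print(event["source"], event["reason"], event.get("summary"))


if __name__ == "__main__":
    import sys
    main(sys.argv[1])
```

Run it with the app's bundle or package identifier as the only argument; the raw platform report is kept in each record under "report".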

Under the Hood

On iOS, Frida injects an internal agent into launchd, where it hooks posix_spawn() so it can observe apps and services getting started. This hook is used to selectively manipulate the arguments passed to posix_spawn(), in order to start the process suspended, so Frida can perform early instrumentation on it. When implementing the crash reporter integration for iOS, this same agent was extended so it recognizes the crash reporter service being started, and informs Frida about it. Frida can then apply another internal agent to the crash reporter. This agent observes Apple’s crash reporter going about its business, and transmits the produced crash log to Frida. It also coerces the crash reporter into producing a higher quality crash report by enabling symbolication, fixing up Frida-specific artifacts, etc.

The implementation on Android is much simpler. On Android, Frida uses logcat to monitor the crash buffer and parses the different types of log messages produced when a crash occurs.

Frida 12.3 also significantly improves support for Android 9 and provides a number of bug fixes. For more insight into reverse engineering using Frida, don’t miss the “Advanced Frida and Radare — A Hacker’s Delight” extensive training NowSecure researchers will conduct at Black Hat USA 2019. Sign up now before the class fills up.


Ole André Vadla Ravnås


Security Researcher at NowSecure

Ole is the creator of Frida, an open-source tool for performing dynamic instrumentation of mobile apps, and indulges his passion for reverse-engineering as a security researcher at NowSecure.