Mobile app security basics: Understanding hooking frameworks

Everything you need to know about hooking — techniques, risks, and, of course, mitigation. 

First, a definition. A hooking framework is a tool or technique that allows a user to intercept and modify the behavior of mobile applications at runtime. Hooking frameworks can pose significant risks if exploited by malicious actors, as they can enable unauthorized access, data theft, and application tampering. However, hooking frameworks also have legitimate uses in debugging, testing, and performance monitoring.

What does a hooking framework do? 

Hooking frameworks inject code into an application process during runtime, allowing them to intercept and modify specific events, function calls, or data flows. This is achieved through various techniques, like modifying the application's binary code, overwriting function pointers, or leveraging operating system features designed for debugging and instrumentation.

Some popular hooking frameworks include Frida (iOS and Android), Xposed (Android), LSPosed (Android), and Substrate (iOS and Android). These frameworks provide powerful tools for dynamic analysis of applications — allowing users to inspect and manipulate the behavior of applications at a low level — and enabling advanced functionality like runtime patching, code tracing, and method hooking.

Hooking techniques  

Hooking frameworks employ several techniques to intercept and modify application behavior, including:

Function hooking  

Function hooking is a technique used by hooking frameworks to intercept and modify function calls. This can be achieved by overwriting function pointers or modifying the function code in memory directly using inline hooking.

In the case of overwriting function pointers, the hooking framework modifies the memory location that stores the address of the function being hooked. Instead of pointing to the original function, the pointer is redirected to a custom implementation provided by the hooking framework. When the hooked function is called, the custom implementation is executed instead, allowing the hooking framework to perform additional operations or modify the function's behavior.

Inline hooking involves modifying the application's binary code directly. With inline hooking, the hooking framework inserts a jump instruction at the beginning of the function being hooked, redirecting the execution flow to a custom implementation. The custom implementation can implement its own functionality and completely replace the function that is being hooked. It can also call back into the original implementation if it wants to reuse (part) of the original.

Method swizzling  

Method swizzling is a technique used in hooking frameworks for the iOS platform. It involves replacing the implementation of Objective-C method with a custom implementation, allowing the hooking framework to intercept and modify the method's behavior. This is achieved by leveraging the dynamic nature of Objective-C, where method implementations are stored in a separate data structure and can be modified at runtime.

When a method is swizzled, the hooking framework replaces the original implementation with its own custom implementation. This custom implementation can perform additional operations before or after calling the original implementation, or it can completely replace the original behavior. Method swizzling is a powerful technique that enables hooking frameworks to modify the behavior of applications without modifying the original code.

The history of hooking frameworks 

Hooking frameworks have a long history that can be traced back to the early days of software development. The concept of hooking emerged as developers needed ways to intercept and modify the behavior of system functions or APIs for various purposes, such as debugging, extending functionality, or reverse engineering.

In the 1990s, early hooking techniques involved modifying the code or data segments of running processes, often using low-level system APIs or kernel-mode drivers. As software systems became more complex, user-mode hooking frameworks began to emerge in the early 2000s, allowing developers to hook into processes and functions without the need for kernel-mode drivers or direct code modifications, reducing the risk of system instability and security vulnerabilities.

With the rise of cross-platform development, frameworks like Frida, initially released in 2014, provided a powerful and versatile hooking solution that could work across multiple platforms, including Windows, macOS, Linux, iOS, and Android. Frida introduced a scripting environment that allowed developers to write hooks in languages like Python, JavaScript, and C, making it easier to instrument and analyze running processes.

As mobile platforms like iOS and Android gained popularity, hooking frameworks specifically designed for mobile environments became increasingly important. Frameworks like Cydia Substrate (for iOS) and Xposed Framework (for Android) gained traction among developers and security researchers for modifying and extending the functionality of mobile apps and operating systems.

Today, hooking frameworks have become essential tools in the field of security research and malware analysis, enabling researchers to instrument and monitor the behavior of applications at runtime, identify vulnerabilities, and develop defensive mechanisms.

Throughout the years, we have seen that hooking frameworks have evolved by becoming more flexible and easier to use, by attempting to hide their presence better and better and by including new hooking and tracing techniques. We expect this to continue as hooking framework developers continually find ways around the new defenses designed to mitigate them.

Popular hooking frameworks  

Several popular hooking frameworks are widely used in the mobile app security community, each with its own strengths and capabilities. Here are three of the most prominent frameworks:

Frida

Frida is an open-source hooking framework that allows developers to inject code into running processes on various platforms, including Android and iOS. It provides a powerful scripting environment that enables developers to inspect, modify, and manipulate the behavior of applications at runtime. Frida supports multiple programming languages, such as Python, JavaScript, and C, making it a versatile tool for security researchers, reverse engineers, and developers.

One of the key advantages of Frida is its cross-platform compatibility, allowing developers to use the same tools and techniques across different operating systems and architectures. Frida also offers advanced features like code tracing, function hooking, and memory access, making it a comprehensive tool for dynamic analysis and instrumentation.

Xposed framework

The Xposed Framework is a popular hooking framework designed for the Android platform. One key difference with Frida is that Xposed can hook only an application’s Java code, while Frida can hook the native application binary in addition to Java code. Xposed allows developers to modify the behavior of applications and the Android system itself without modifying the original code. Xposed works by injecting code into running processes, enabling developers to intercept and modify method calls, access private data, and implement custom functionality.

One of the key advantages of the Xposed Framework is its ease of use and extensive community support. Developers can create and share modules that extend or modify the functionality of applications and system components.

LSPosed 

Because traditional Xposed implementations require a custom recovery or a modified boot image, LSPosed was developed to solve this by integrating with Magisk, a systemless root solution that modifies the boot partition without touching the system partition. This approach ensures that the device remains in a stock state, making it easier to update the operating system and reducing the risk of potential conflicts or instability.

One of the key advantages of LSPosed is its compatibility with various Android versions and device configurations. It supports both Zygisk and Riru modes, allowing it to work seamlessly with different Magisk setups. Additionally, LSPosed offers dual app and multi-user support, enabling users to selectively apply Xposed modules to specific apps or user profiles.

Like Xposed, LSPosed can only hook Java code, rather than both native and Java code.

Substrate 

Substrate is a hooking framework developed by Saurik, the creator of Cydia, for iOS devices. It allows developers to modify the behavior of applications and system components by injecting code into running processes. Substrate is particularly popular in the jailbreaking community, as it enables the creation of tweaks and modifications for jailbroken iOS devices.

Substrate supports various programming languages, including C, C++, and Objective-C, and provides a set of APIs for interacting with the iOS runtime. It leverages techniques like method swizzling and function hooking to intercept and modify application behavior. However, Substrate requires a jailbroken device, which can be a limitation for some users and organizations.

Security risks of hooking frameworks 

While hooking frameworks have legitimate use cases, they can also often be exploited, posing significant security risks to mobile applications and their users. Some of those risks include:

1. Data exfiltration: By intercepting and modifying application behavior, hooking frameworks can be used to capture sensitive data, such as user credentials, financial information, or personal data, as it is processed by the application. This data can then be exfiltrated to remote servers controlled by attackers. For example, a malicious hooking framework could intercept and log all network traffic generated by a banking application, potentially capturing sensitive financial data or login credentials. Alternatively, it could hook into the application's memory and directly access sensitive data stored in memory, such as encryption keys or authentication tokens. 
2. Application tampering: Hooking frameworks can be used to tamper with the behavior of applications, bypassing security checks, disabling protection mechanisms, or introducing malicious functionality. This can lead to unauthorized access. For instance, a hooking framework could be used to bypass jailbreak or root detection mechanisms, allowing a malicious application to run on a device that would otherwise be protected. It could also be used to disable certificate pinning or SSL/TLS validation, enabling man-in-the-middle attacks or the interception of encrypted communications. 
3. Privacy violations: By intercepting and modifying application behavior, hooking frameworks can monitor and intercept user interactions, system events, and sensor data, potentially violating user privacy and enabling unauthorized tracking or surveillance. For example, an attacker could intercept and log all user input, such as keystrokes or touch events, effectively creating a keylogger. It could also monitor system events like incoming calls or messages or access sensor data like the device's location or camera, enabling unauthorized tracking or surveillance. 
4. Intellectual property theft: In some cases, hooking frameworks may be used to reverse engineer proprietary algorithms, protocols, or code, enabling intellectual property theft or the creation of unauthorized clones or modifications. By intercepting and modifying application behavior, a hooking framework could be used to extract proprietary algorithms or protocols used by the application. This could enable the creation of unauthorized clones or modifications, potentially infringing on intellectual property rights and causing financial or reputational damage to the original developers. 
5. Fraud: One famous example of malware using hooking frameworks to assist in banking fraud is the FjordPhantom malware, discovered in 2023. This malware places mobile apps into a virtual environment where the app could be hooked. The attackers would hook APIs for Accessibility Services to return false information to bypass screen reader detection and evade app defenses. Read more on how FjordPhantom used hooking frameworks to attack apps.

Detecting hooking frameworks 

To mitigate the risks posed by hooking frameworks, it is essential for mobile app developers and security teams to implement effective detection mechanisms. Several techniques can be employed to identify the presence of hooking frameworks:

1. Runtime integrity checks: Applications can perform runtime checks to verify the integrity of their code and data segments, as well as critical memory regions like the Global Offset Table (GOT) and Procedure Linkage Table (PLT). Any unauthorized modifications or suspicious instructions can indicate the presence of a hooking framework. 
2. Anti-debugging and anti-tampering measures: Implementing anti-debugging and anti-tampering measures can make it more difficult for hooking frameworks to attach to the application process or modify its behavior. These measures can include checks for debuggers, emulators, and other instrumentation tools, as well as obfuscation and code-hardening techniques. 
3. Monitoring system events and API calls: Hooking frameworks often rely on specific system events or API calls to inject their code into the application process. Monitoring and validating these events and calls can help detect potential hooking attempts. 
4. Sandboxing and virtualization: Running applications within a sandboxed or virtualized environment can isolate them from potential hooking frameworks and provide an additional layer of protection. 
5. User education and awareness: Educating users about the risks of installing untrusted applications or enabling unknown developer options can help mitigate the risk of inadvertently enabling hooking frameworks on their devices.

Mitigating hooking framework risks 

In addition to detection mechanisms, mobile app developers and security teams can implement various mitigation strategies to reduce the risks posed by hooking frameworks:

1. Code obfuscation and hardening: Obfuscating the application's code and implementing code hardening techniques can make it more difficult for hooking frameworks to understand and manipulate the application's behavior.
2. Secure communication and encryption: Implementing secure communication protocols and encrypting sensitive data can help prevent data exfiltration and tampering, even if a hooking framework is present.
3. Secure key storage and management: Storing and managing cryptographic keys securely, using hardware-backed keystores or secure enclaves, can prevent hooking frameworks from accessing and misusing these keys.
4. Runtime application self-protection (RASP) and app shielding: Implementing RASP and app shielding solutions can provide continuous monitoring and protection against various threats, including hooking frameworks, by preventing suspicious behavior at runtime. App shielding solutions should prevent hooking frameworks from attaching, rather than simply detecting them. Once a hooking framework attaches to an application, it can often be enough for attackers to exploit the app.
5. Regular security updates and patching: Keeping applications and their dependencies up to date with the latest security patches and updates can help mitigate known vulnerabilities that could be exploited by hooking frameworks.

Conclusion 

Hooking frameworks are powerful tools that can be used for both legitimate and malicious purposes. While they offer valuable capabilities for debugging, testing, and performance monitoring, they can also pose significant risks if exploited by malicious actors. To mitigate these risks, mobile app developers and security teams should implement robust detection mechanisms, employ code hardening and obfuscation techniques, and adopt secure coding practices and secure communication protocols.

Additionally, user education and awareness play a crucial role in preventing the inadvertent enabling of hooking frameworks on devices. By taking a proactive and comprehensive approach to mobile app security, organizations can better protect their applications, data, and users from the potential threats posed by hooking frameworks.