Skip to content

Writing MASTG Frooky Hook Configurations

This guide defines how to write and use Frooky hook configurations in MASTG demos. Frooky (@MASTG-TOOL-0145) is a Frida-based dynamic analysis tool that uses JSON-based hook configurations, providing a declarative approach to method interception without writing custom Frida scripts.

Version Requirements

  • Python 3+
  • Frooky installed via pip
  • Frida server 17 or later running on the target device

Location and naming

  • Place hook configurations inside the demo folder and name them hooks.json.
  • If multiple hook configurations are needed, use specific names (for example, hooks_ssl.json, hooks_keystore.json) and document which to run in the demo Steps and run.sh.

Examples:

  • demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/hooks.json
  • iOS DEMO: TBD (currently no iOS demos use Frooky)

Runtime and invocation

Typical spawn usage in run.sh:

frooky -U -f org.owasp.mastestapp --platform android hooks.json

### Hook configuration format

Hook configurations are JSON files that declare which classes and methods to instrument:

```json
{
  "category": "STORAGE",
  "hooks": [
    {
      "class": "androidx.security.crypto.EncryptedSharedPreferences$Editor",
      "methods": [
        "putString",
        "putStringSet"
      ]
    }
  ]
}

{
  "category": "RESILIENCE",
  "hooks": [
    {
      "class": "java.io.File",
      "method": "$init",
      "overloads": [
        {
          "args": ["java.lang.String"]
        }
      ],
      "filterEventsByStacktrace": ["org.owasp.mastestapp"]
    }
  ]
}

Key fields:

  • category: A label for grouping hooks (for example, STORAGE, CRYPTO, NETWORK).
  • hooks: Array of hook definitions.
    • class: Fully qualified class name to hook.
    • methods: Array of method names to intercept.
    • method: One method name (alternative to methods array).
      • overloads: Optional array of overload signatures to specify which method variants to hook.
    • filterEventsByStacktrace: Optional array of strings; only events with stack traces containing these strings will be included in the output.

See more in the frooky Usage page.

Output format

Frooky outputs JSON Lines (NDJSON) format to output.json.

Best practices

  • Keep hook configurations focused on the specific APIs relevant to the demo.
  • Use meaningful category names that align with MASVS categories.
  • The output JSON provides structured data that can be directly referenced in the demo's Observation section. For example as {{ output.json }}.
  • Stack traces are automatically captured, helping identify the code locations calling the hooked methods.

Troubleshooting

  • Ensure Frida server is running on the target device before executing frooky.
  • Use -f for spawn mode when early instrumentation is needed.
  • Use -n for attach mode when the app is already running.
  • Check that the class and method names in hooks.json match the target app's actual implementation.