How to redirect where an app reads/saves its files?

I have an application running on an Android 12 emulator that saves its settings to /data/data and its downloaded files to /storage/emulated/0/Android/data/.

By "downloaded files", I am referring to the files necessary for its operation, which are downloaded after the first execution.

I am attempting to configure it to save and load these files from a folder that the emulator shares with Windows, generally referred to as "shared folder".

The total size of these files is approximately 6GB, and my goal is to avoid duplicating these files for each emulator, enabling them all to read from the same folder.

The application does not provide an option to move this data to the SD card; I have checked this by looking at settings > app > storage.

I tried hooking the app using Frida:

frida -U -p <system_server_pid> -l tracker.js

var functionsToHook = ['open', 'fopen', 'stat'];

function applyHooks(session) {
  functionsToHook.forEach(function(func) {
      Interceptor.attach(Module.findExportByName(null, func), {
          onEnter: function(args) {
              try {
                var path = Memory.readCString(ptr(args[0]));
                if (path.includes('/storage/emulated/0/Android/data/')) {
                    console.log('\n\n', func, path);
                    console.log(Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n'));
                }
              } 
              catch (e) {
                    console.log(e);
              }
          }
      });
  });
}

However, it seems the app has some form of anti-hook or anti-debug, as it crashes when it reaches the login page. It crashes even with an empty JS script.

Until the point of the crash, I could see that console.log is printing the mentioned folder and the app is reading it using "stat" and a custom library:

stat /storage/emulated/0/Android/data/...
0x7baaa055725d libabc.so!0x5125d

I attempted using the same script to hook the system_server process, but as the app is using a custom lib to read the folder, the hook on the server is not capturing it.

Is it possible to achieve this desired behavior by hooking into any other process or specific function?

My intention is to redirect the app to search for its files in the shared folder.

There is 1 best solution below

To test whether the app has anti-hook or anti-debug functions present, connect with Frida without any script.

Regarding your Frida script: you are hooking the six methods open, fopen, read, write, close, stat, and based on your Frida code you assume that each function gets the file path as a C string in the first argument (args[0]) - which is not the case.

  • open first argument is char* -> no problem
  • fopen first argument is char* -> no problem
  • read first argument is a file descriptor (int) -> code will crash
  • write first argument is a file descriptor (int) -> code will crash
  • close first argument is a file descriptor (int) -> code will crash
  • stat first argument is char* -> no problem

So you can see that there are three hooked methods which will not work and will most likely crash the app, because you make wrong assumptions about the argument type. So you should remove these hooks from your code.

var functionsToHook = ['open', 'fopen', 'stat'];

functionsToHook.forEach(function(func) {
    var address = Module.findExportByName(null, func);
    if (address === null) {
        return; // function is not exported in this process, nothing to attach to
    }
    Interceptor.attach(address, {
        onEnter: function(args) {
            try {
                // The first argument of open, fopen and stat is a char* path
                var path = args[0].readCString(); // readUtf8String would also be an option
                console.log("path:", path);
                if (path.includes('/data/media/0/android/data'))
                    console.log(func + ' called on folder: ' + path);
            }
            catch (e) {
                //console.log('Error reading memory:', e);
            }
        }
    });
});
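
The following is an added example, not code from the question or the answer above. It combines the answer's point about argument types with the prefix redirection the question asks about. It assumes the script is loaded into the app's own process, that `/mnt/shared/appdata/` is a placeholder for the emulator's shared-folder mount, that `openat` is also of interest, and the helper names `hookable` and `redirect` are hypothetical.

```javascript
// Which argument (if any) of each libc call is a char* path.
// read/write/close take a file descriptor first, so they have no path index.
const PATH_ARG = { open: 0, fopen: 0, stat: 0, openat: 1, read: null, write: null, close: null };

// FROM is the prefix from the question; TO is an assumed placeholder mount point.
const FROM = '/storage/emulated/0/Android/data/';
const TO = '/mnt/shared/appdata/';

// Keep only functions whose path argument can be dereferenced as a C string.
function hookable(names) {
  return names.filter((n) => Number.isInteger(PATH_ARG[n]));
}

// Pure prefix rewrite; returns null when the path must be left untouched.
function redirect(path) {
  if (typeof path !== 'string' || !path.startsWith(FROM)) return null;
  const rest = path.slice(FROM.length);
  if (rest.split('/').includes('..')) return null; // never resolve outside TO
  return TO + rest;
}

// This part only runs inside Frida, where Interceptor is defined.
if (typeof Interceptor !== 'undefined') {
  hookable(Object.keys(PATH_ARG)).forEach((name) => {
    const addr = Module.findExportByName(null, name);
    if (addr === null) return; // symbol not exported in this process
    const idx = PATH_ARG[name];
    Interceptor.attach(addr, {
      onEnter(args) {
        let target = null;
        try {
          target = redirect(args[idx].readCString());
        } catch (e) {
          return; // unreadable pointer: leave the call as it is
        }
        if (target === null) return;
        this.buf = Memory.allocUtf8String(target); // kept on `this` so it outlives onEnter
        args[idx] = this.buf;
        console.log(name, '->', target);
      },
    });
  });
}
```

Because the question's backtrace shows `stat` being called from the app's own library, these hooks only take effect inside the app process, and the redirected folder must be readable by the app's UID.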