objection – Runtime Mobile Exploration

objection is a runtime mobile exploration toolkit, powered by Frida. It was built to help assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device. The project’s name quite literally explains the approach: runtime-specific objects are injected into a running process and executed using Frida.

Note: This is not some form of jailbreak / root bypass. By using objection, you are still limited by all of the restrictions imposed by the applicable sandbox you are facing.

Features

Currently, only iOS is supported with Android support coming soon.

For iOS, objection allows you to:

  • Interact with the iOS filesystem, listing entries as well as uploading and downloading files where permitted.
  • Perform various memory related tasks, such as listing loaded modules and their respective exports.
  • Dump the iOS keychain, and export it to a file.
  • Attempt to bypass and simulate Jailbreak detections.
  • Perform common SSL pinning bypasses.
  • Dump data from NSUserDefaults and the shared NSHTTPCookieStorage.
  • Dynamically dump arguments from methods called as you use the target application.
  • Dump various formats of information in human readable forms.
  • Bypass certain forms of TouchID restrictions.
  • Execute custom Frida scripts.

Prerequisites

To run objection, all you need is the python3 interpreter to be available. The installation via pip should take care of all of the dependencies needed.

As for the mobile applications themselves, on iOS an unencrypted IPA is needed. If you have the source code of the application you want to explore, you can simply embed and load FridaGadget.dylib in the project.
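Teams that embed the gadget in internal test builds this way can add a release-gate check confirming that no IPA headed for distribution still carries it. The following is an added example, not part of objection or the original page; the bundle layout, the `Demo` app name and the in-memory sample IPAs are constructed assumptions.

```python
import io
import zipfile

MARKER = b"FridaGadget"  # library name as given on this page


def build_sample_ipa(patched: bool) -> bytes:
    """Build a tiny in-memory IPA (constructed sample, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", b"<plist/>")
        main = b"\xcf\xfa\xed\xfe" + b"\x00" * 32  # stand-in for a Mach-O binary
        if patched:
            # Assumed layout: library inside the bundle plus a load path
            # string inside the main executable.
            main += b"@executable_path/Frameworks/FridaGadget.dylib\x00"
            z.writestr("Payload/Demo.app/Frameworks/FridaGadget.dylib",
                       b"\x00" * 16)
        z.writestr("Payload/Demo.app/Demo", main)
    return buf.getvalue()


def find_gadget_traces(ipa_bytes: bytes) -> list:
    """Return (entry, reason) pairs for every trace of the gadget in an IPA."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            if MARKER.lower() in info.filename.lower().encode():
                # The library itself was packaged into the archive.
                findings.append((info.filename, "gadget file bundled"))
            elif MARKER in z.read(info):
                # Another file (e.g. the main binary) names the library.
                findings.append((info.filename, "references gadget"))
    return findings


if __name__ == "__main__":
    for label, patched in (("clean", False), ("patched", True)):
        hits = find_gadget_traces(build_sample_ipa(patched))
        print(label, "->", hits or "no gadget traces")
```

This matches the default library name only; a gadget renamed before embedding would need a different marker or a proper inspection of the binary's load commands.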

Installation

Installation is simply a matter of pip3 install objection. This will give you the objection command.

Usage

The objection command contains a number of subcommands. Certain subcommands may contain flags to set various configurations and options. To get a list of available options, run any objection command with the --help flag. For example:

$ objection --help
Usage: objection [OPTIONS] COMMAND [ARGS]...

       _     _         _   _
   ___| |_  |_|___ ___| |_|_|___ ___
  | . | . | | | -_|  _|  _| | . |   |
  |___|___|_| |___|___|_| |_|___|_|_|
          |___|(object)inject(ion)

       Runtime Mobile Exploration
          by: @leonjza from @sensepost

  By default, communications will happen over USB, unless the --network
  option is provided.

Options:
  -N, --network       Connect using a network connection instead of USB.
                      [default: False]
  -h, --host TEXT     [default: 127.0.0.1]
  -p, --port INTEGER  [default: 27042]
  -g, --gadget TEXT   Name of the Frida Gadget/Process to connect to.
                      [default: Gadget]
  --help              Show this message and exit.

Commands:
  device_type  Get information about an attached device.
  explore      Start the objection exploration REPL.
  patchipa     Patch an IPA with the FridaGadget dylib.
  version      Prints the current version and exists

The most commonly used subcommand is explore, which will start the objection exploration REPL. Considering the options in the above --help output, to connect to a Frida gadget hosted on the network, one would execute objection -N explore.

The exploration REPL will autocomplete commands when the [TAB] key is pressed whenever possible. If you need some help, prefixing your full command with the help keyword will print documentation and usage examples for the command in question.
