Appearance
Objection Cheat Sheet
Overview
Objection is a runtime mobile exploration toolkit built on top of Frida, designed to provide security researchers and penetration testers with comprehensive capabilities for analyzing and manipulating mobile applications during runtime. Developed by Leon Jacobs, Objection serves as a powerful interface to Frida's dynamic instrumentation capabilities, offering a user-friendly command-line interface for performing complex mobile application security assessments. The tool supports both iOS and Android platforms, making it an essential component of any mobile security testing arsenal.
The primary strength of Objection lies in its ability to perform runtime manipulation of mobile applications without requiring source code access or application recompilation. By leveraging Frida's instrumentation engine, Objection can hook into application functions, modify behavior, bypass security controls, and extract sensitive information from running applications. This capability makes it particularly valuable for black-box security testing scenarios where traditional static analysis approaches are insufficient or impractical.
Objection provides a comprehensive set of features including SSL pinning bypass, root/jailbreak detection bypass, file system exploration, memory manipulation, and method hooking. The tool's modular architecture allows for easy extension and customization, while its intuitive command structure makes it accessible to both novice and experienced security professionals. Objection represents a significant advancement in mobile application security testing, providing capabilities that were previously only available through complex custom Frida scripts.
Installation
Python Package Installation
Installing Objection via Python package manager:
bash
# Install via pip
pip3 install objection
# Install specific version
pip3 install objection==1.11.0
# Install with development dependencies
pip3 install objection[dev]
# Upgrade to latest version
pip3 install --upgrade objection
# Install from source
git clone https://github.com/sensepost/objection.git
cd objection
pip3 install .Frida Installation
Installing Frida dependencies:
bash
# Install Frida tools
pip3 install frida-tools
# Install Frida for Python
pip3 install frida
# Verify Frida installation
frida --version
# Install Frida server for Android
wget https://github.com/frida/frida/releases/latest/download/frida-server-android-arm64
adb push frida-server-android-arm64 /data/local/tmp/frida-server
adb shell chmod 755 /data/local/tmp/frida-serverDevice Setup
Setting up target devices:
bash
# Android device setup
adb devices
adb root
adb shell /data/local/tmp/frida-server &
# iOS device setup (jailbroken)
ssh root@ios-device
apt-get install frida
frida-server &
# Verify device connectivity
frida-ps -UBasic Usage
Application Discovery
Discovering and listing applications:
bash
# List running applications
objection -g com.example.app explore
# List installed applications
frida-ps -Ua
# List running processes
frida-ps -U
# Get application information
objection -g com.example.app explore -c "env"
# List application activities (Android)
objection -g com.example.app explore -c "android hooking list activities"Basic Exploration
Basic application exploration commands:
bash
# Start Objection session
objection -g com.example.app explore
# Get environment information
env
# List loaded classes
android hooking list classes
# List class methods
android hooking list class_methods com.example.MainActivity
# Search for classes
android hooking search classes keyword
# Search for methods
android hooking search methods keywordFile System Operations
File system exploration and manipulation:
bash
# List files in application directory
ls
# Change directory
cd /data/data/com.example.app
# Download file from device
file download /data/data/com.example.app/databases/app.db ./app.db
# Upload file to device
file upload ./payload.txt /data/data/com.example.app/files/payload.txt
# Show file contents
cat /data/data/com.example.app/shared_prefs/settings.xml
# Find files by name
find /data/data/com.example.app -name "*.db"Advanced Features
SSL Pinning Bypass
Bypassing SSL certificate pinning:
bash
# Disable SSL pinning (Android)
android sslpinning disable
# Disable SSL pinning (iOS)
ios sslpinning disable
# Monitor SSL pinning attempts
android sslpinning monitor
# Custom SSL pinning bypass
android hooking set return_value com.example.SSLPinning.verify trueRoot/Jailbreak Detection Bypass
Bypassing root and jailbreak detection:
bash
# Disable root detection (Android)
android root disable
# Disable jailbreak detection (iOS)
ios jailbreak disable
# Monitor root detection attempts
android root monitor
# Simulate non-rooted environment
android root simulate
# Hook specific root detection methods
android hooking set return_value com.example.RootDetection.isRooted falseMethod Hooking
Hooking and manipulating application methods:
bash
# Hook method and monitor calls
android hooking watch class com.example.MainActivity
# Hook specific method
android hooking watch class_method com.example.MainActivity.onCreate
# Set method return value
android hooking set return_value com.example.Security.isValid true
# Generate method hook template
android hooking generate simple com.example.MainActivity.login
# Hook constructor
android hooking watch class_method com.example.User.$initMemory Operations
Memory exploration and manipulation:
bash
# Dump memory regions
memory dump all
# Dump specific memory region
memory dump 0x12345678 1024
# Search memory for patterns
memory search "password"
# Search memory for specific bytes
memory search --pattern "41 42 43 44"
# List memory regions
memory list
# Write to memory
memory write 0x12345678 "new_value"Keystore and Cryptography
Keystore and cryptographic operations:
bash
# List keystore entries (Android)
android keystore list
# Dump keystore entry
android keystore detail alias_name
# Monitor cryptographic operations
android crypto monitor
# Hook encryption/decryption methods
android hooking watch class javax.crypto.Cipher
# Bypass certificate validation
android sslpinning disable --quietPlatform-Specific Features
Android-Specific Commands
Android-specific functionality:
bash
# List activities
android hooking list activities
# List services
android hooking list services
# List broadcast receivers
android hooking list receivers
# Start activity
android intent launch_activity com.example.MainActivity
# Send broadcast intent
android intent send_broadcast --action com.example.ACTION
# Monitor intents
android intent monitor
# Dump application heap
android heap dump
# Search heap for objects
android heap search instances com.example.UseriOS-Specific Commands
iOS-specific functionality:
bash
# List bundles
ios bundles list
# List classes in bundle
ios hooking list classes
# Monitor pasteboard
ios pasteboard monitor
# Dump keychain
ios keychain dump
# Monitor URL schemes
ios url_scheme monitor
# Hook Objective-C methods
ios hooking watch method "-[ViewController viewDidLoad]"
# List frameworks
ios bundles list_frameworks
# Monitor file operations
ios file monitorAutomation Scripts
Automated Assessment
python
#!/usr/bin/env python3
# Objection automated assessment script
import subprocess
import json
import time
class ObjectionAutomation:
def __init__(self, package_name):
self.package_name = package_name
self.session = None
def start_session(self):
"""Start Objection session"""
cmd = f"objection -g {self.package_name} explore"
self.session = subprocess.Popen(
cmd.split(),
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
text=True
)
time.sleep(2)
def execute_command(self, command):
"""Execute command in Objection session"""
if self.session:
self.session.stdin.write(f"{command}\n")
self.session.stdin.flush()
time.sleep(1)
def run_security_assessment(self):
"""Run comprehensive security assessment"""
commands = [
"env",
"android sslpinning disable",
"android root disable",
"android hooking list activities",
"android hooking list services",
"android keystore list",
"memory dump all",
"file download /data/data/{}/databases/ ./databases/".format(self.package_name),
"android intent monitor"
]
for cmd in commands:
print(f"Executing: {cmd}")
self.execute_command(cmd)
time.sleep(2)
def close_session(self):
"""Close Objection session"""
if self.session:
self.execute_command("exit")
self.session.terminate()
# Usage
if __name__ == "__main__":
automation = ObjectionAutomation("com.example.app")
automation.start_session()
automation.run_security_assessment()
automation.close_session()Batch Processing
bash
#!/bin/bash
# Objection batch processing script
PACKAGE_LIST="packages.txt"
OUTPUT_DIR="objection_results"
mkdir -p $OUTPUT_DIR
while IFS= read -r package; do
echo "Processing package: $package"
# Create package-specific directory
mkdir -p "$OUTPUT_DIR/$package"
# Run Objection commands
objection -g $package explore -c "env" > "$OUTPUT_DIR/$package/env.txt"
objection -g $package explore -c "android hooking list activities" > "$OUTPUT_DIR/$package/activities.txt"
objection -g $package explore -c "android hooking list services" > "$OUTPUT_DIR/$package/services.txt"
objection -g $package explore -c "android keystore list" > "$OUTPUT_DIR/$package/keystore.txt"
# Disable security controls
objection -g $package explore -c "android sslpinning disable"
objection -g $package explore -c "android root disable"
echo "Completed processing: $package"
sleep 5
done < "$PACKAGE_LIST"
echo "Batch processing completed"Custom Hook Generator
python
#!/usr/bin/env python3
# Custom Objection hook generator
import json
class HookGenerator:
def __init__(self):
self.hooks = []
def generate_method_hook(self, class_name, method_name, return_value=None):
"""Generate method hook"""
hook = {
"type": "method_hook",
"class": class_name,
"method": method_name,
"action": "monitor"
}
if return_value:
hook["return_value"] = return_value
hook["action"] = "modify"
self.hooks.append(hook)
return hook
def generate_class_hook(self, class_name):
"""Generate class hook"""
hook = {
"type": "class_hook",
"class": class_name,
"action": "monitor_all"
}
self.hooks.append(hook)
return hook
def generate_objection_script(self):
"""Generate Objection script from hooks"""
script_lines = []
for hook in self.hooks:
if hook["type"] == "method_hook":
if hook["action"] == "monitor":
script_lines.append(f"android hooking watch class_method {hook['class']}.{hook['method']}")
elif hook["action"] == "modify":
script_lines.append(f"android hooking set return_value {hook['class']}.{hook['method']} {hook['return_value']}")
elif hook["type"] == "class_hook":
script_lines.append(f"android hooking watch class {hook['class']}")
return "\n".join(script_lines)
def save_script(self, filename):
"""Save generated script to file"""
script = self.generate_objection_script()
with open(filename, 'w') as f:
f.write(script)
# Usage example
generator = HookGenerator()
generator.generate_method_hook("com.example.Security", "isValid", "true")
generator.generate_method_hook("com.example.Auth", "checkPassword", "true")
generator.generate_class_hook("com.example.Crypto")
script = generator.generate_objection_script()
print(script)Integration Examples
Frida Script Integration
javascript
// Custom Frida script for Objection
Java.perform(function() {
// Hook login method
var MainActivity = Java.use("com.example.MainActivity");
MainActivity.login.implementation = function(username, password) {
console.log("[+] Login attempt:");
console.log(" Username: " + username);
console.log(" Password: " + password);
// Call original method
var result = this.login(username, password);
console.log(" Result: " + result);
return result;
};
// Hook encryption method
var CryptoUtils = Java.use("com.example.CryptoUtils");
CryptoUtils.encrypt.implementation = function(data) {
console.log("[+] Encryption called with: " + data);
// Return plaintext instead of encrypted data
return data;
};
});Burp Suite Integration
python
#!/usr/bin/env python3
# Burp Suite and Objection integration
import requests
import subprocess
import time
class BurpObjectionIntegration:
def __init__(self, burp_proxy, package_name):
self.burp_proxy = burp_proxy
self.package_name = package_name
self.session = requests.Session()
self.session.proxies = {'http': burp_proxy, 'https': burp_proxy}
self.session.verify = False
def setup_objection(self):
"""Setup Objection with SSL pinning bypass"""
commands = [
f"objection -g {self.package_name} explore",
"android sslpinning disable",
"android root disable"
]
for cmd in commands:
subprocess.run(cmd.split())
time.sleep(2)
def test_endpoints(self, endpoints):
"""Test endpoints through Burp proxy"""
for endpoint in endpoints:
try:
response = self.session.get(endpoint)
print(f"Endpoint: {endpoint} - Status: {response.status_code}")
except Exception as e:
print(f"Error testing {endpoint}: {e}")
# Usage
integration = BurpObjectionIntegration("http://127.0.0.1:8080", "com.example.app")
integration.setup_objection()
integration.test_endpoints(["https://api.example.com/login", "https://api.example.com/data"])OWASP ZAP Integration
python
#!/usr/bin/env python3
# OWASP ZAP and Objection integration
from zapv2 import ZAPv2
import subprocess
import time
class ZAPObjectionIntegration:
def __init__(self, zap_proxy, package_name):
self.zap = ZAPv2(proxies={'http': zap_proxy, 'https': zap_proxy})
self.package_name = package_name
def setup_mobile_testing(self):
"""Setup mobile testing environment"""
# Start Objection
subprocess.Popen([
"objection", "-g", self.package_name, "explore",
"-c", "android sslpinning disable"
])
time.sleep(5)
# Configure ZAP for mobile testing
self.zap.core.set_option_use_proxy_chain(True)
self.zap.core.set_option_proxy_chain_name("127.0.0.1")
self.zap.core.set_option_proxy_chain_port(8080)
def run_active_scan(self, target_url):
"""Run active scan against mobile app endpoints"""
# Spider the application
scan_id = self.zap.spider.scan(target_url)
# Wait for spider to complete
while int(self.zap.spider.status(scan_id)) < 100:
time.sleep(1)
# Run active scan
scan_id = self.zap.ascan.scan(target_url)
# Wait for scan to complete
while int(self.zap.ascan.status(scan_id)) < 100:
time.sleep(1)
# Get results
alerts = self.zap.core.alerts()
return alerts
# Usage
integration = ZAPObjectionIntegration("http://127.0.0.1:8080", "com.example.app")
integration.setup_mobile_testing()
alerts = integration.run_active_scan("https://api.example.com")Troubleshooting
Connection Issues
bash
# Check Frida server status
adb shell ps | grep frida-server
# Restart Frida server
adb shell killall frida-server
adb shell /data/local/tmp/frida-server &
# Check device connectivity
frida-ps -U
# Test Objection connection
objection -g com.android.settings explore -c "env"
# Debug connection issues
objection -g com.example.app explore --debugApplication Issues
bash
# Check if application is running
adb shell ps | grep com.example.app
# Start application
adb shell am start -n com.example.app/.MainActivity
# Check application permissions
adb shell dumpsys package com.example.app | grep permission
# Clear application data
adb shell pm clear com.example.app
# Reinstall application
adb uninstall com.example.app
adb install app.apkPerformance Issues
bash
# Monitor device resources
adb shell top
# Check memory usage
adb shell dumpsys meminfo com.example.app
# Monitor CPU usage
adb shell dumpsys cpuinfo
# Check storage space
adb shell df
# Optimize Frida performance
frida-server -l 0.0.0.0:27042Security Considerations
Operational Security
Device Security:
- Use dedicated testing devices
- Implement device isolation
- Regular security updates
- Monitor for malware
- Secure data storage
Network Security:
- Use VPN for remote testing
- Implement traffic encryption
- Monitor network activity
- Secure proxy configurations
- Regular network audits
Legal and Ethical Considerations
Authorized Testing Only:
- Obtain proper authorization
- Define testing scope
- Document all activities
- Follow responsible disclosure
- Respect privacy rights
Best Practices:
- Use in controlled environments
- Regular security assessments
- Implement remediation measures
- Monitor for unauthorized use
- Maintain audit trails