Objekt Cheat Sheet¶
Im Überblick
Objection ist ein mobiles Explorationstoolkit, das auf Frida aufgebaut ist, um Sicherheitsforschern und Penetrationsprüfern umfassende Möglichkeiten zur Analyse und Handhabung mobiler Anwendungen während der Laufzeit zu bieten. Das von Leon Jacobs entwickelte Objektion dient als leistungsstarke Schnittstelle zu den dynamischen Instrumentierungsfunktionen von Frida und bietet eine benutzerfreundliche Kommandozeilenschnittstelle für komplexe Sicherheitsbewertungen für mobile Anwendungen. Das Tool unterstützt sowohl iOS- als auch Android-Plattformen, so dass es eine wesentliche Komponente jeder mobilen Sicherheitsprüfung Arsenal.
Die primäre Stärke von Objection liegt in der Fähigkeit, eine Laufzeitmanipulation mobiler Anwendungen durchzuführen, ohne dass Quellcode-Zugriff oder Applikationsrecompilation erforderlich ist. Durch die Verwendung von Fridas Instrumentierungs-Engine kann Objection in Anwendungsfunktionen eingreifen, Verhalten ändern, Sicherheitskontrollen umgehen und sensible Informationen aus laufenden Anwendungen extrahieren. Diese Fähigkeit macht es besonders wertvoll für Black-Box-Sicherheitstests, bei denen herkömmliche statische Analyseansätze unzureichend oder unpraktisch sind.
Objection bietet eine umfassende Reihe von Funktionen wie SSL Pinning Bypass, Root/Jailbreak Erkennung Bypass, Dateisystem Exploration, Speicher Manipulation, und Verfahren Haken. Die modulare Architektur des Tools ermöglicht eine einfache Erweiterung und Anpassung, während seine intuitive Befehlsstruktur es sowohl Anfängern als auch erfahrenen Sicherheitsexperten zugänglich macht. Objection stellt eine signifikante Weiterentwicklung der mobilen Anwendungssicherheitstests dar, die bisher nur über komplexe benutzerdefinierte Frida-Skripte verfügbar waren.
• Installation
Python Paket Installation¶
Objektion installieren Python Paketmanager:
# Install via pip
pip3 install objection
# Install specific version
pip3 install objection==1.11.0
# Install with development dependencies
pip3 install objection[dev]
# Upgrade to latest version
pip3 install --upgrade objection
# Install from source
git clone https://github.com/sensepost/objection.git
cd objection
pip3 install .
Frida Installation¶
Installieren von Abhängigkeiten von Frida:
# Install Frida tools
pip3 install frida-tools
# Install Frida for Python
pip3 install frida
# Verify Frida installation
frida --version
# Install Frida server for Android
wget https://github.com/frida/frida/releases/latest/download/frida-server-android-arm64
adb push frida-server-android-arm64 /data/local/tmp/frida-server
adb shell chmod 755 /data/local/tmp/frida-server
Gerät Setup¶
Zielgeräte einrichten:
# Android device setup
adb devices
adb root
adb shell /data/local/tmp/frida-server &
# iOS device setup (jailbroken)
ssh root@ios-device
apt-get install frida
frida-server &
# Verify device connectivity
frida-ps -U
oder Basisnutzung
Anwendungsentdeckung¶
Discovering und Listing Anwendungen:
# List running applications
objection -g com.example.app explore
# List installed applications
frida-ps -Ua
# List running processes
frida-ps -U
# Get application information
objection -g com.example.app explore -c "env"
# List application activities (Android)
objection -g com.example.app explore -c "android hooking list activities"
Grundlagenforschung¶
Grundlegende Anwendungsexplorationsbefehle:
# Start Objection session
objection -g com.example.app explore
# Get environment information
env
# List loaded classes
android hooking list classes
# List class methods
android hooking list class_methods com.example.MainActivity
# Search for classes
android hooking search classes keyword
# Search for methods
android hooking search methods keyword
Dateisystem Operationen¶
Dateisystem Exploration und Manipulation:
# List files in application directory
ls
# Change directory
cd /data/data/com.example.app
# Download file from device
file download /data/data/com.example.app/databases/app.db ./app.db
# Upload file to device
file upload ./payload.txt /data/data/com.example.app/files/payload.txt
# Show file contents
cat /data/data/com.example.app/shared_prefs/settings.xml
# Find files by name
find /data/data/com.example.app -name "*.db"
Erweiterte Eigenschaften
SSL Pinning Bypass¶
Bypass SSL-Zertifikat Pinning:
# Disable SSL pinning (Android)
android sslpinning disable
# Disable SSL pinning (iOS)
ios sslpinning disable
# Monitor SSL pinning attempts
android sslpinning monitor
# Custom SSL pinning bypass
android hooking set return_value com.example.SSLPinning.verify true
Root/Jailbreak Detection Bypass¶
Umgehung der Wurzel- und Jailbreak-Erkennung:
# Disable root detection (Android)
android root disable
# Disable jailbreak detection (iOS)
ios jailbreak disable
# Monitor root detection attempts
android root monitor
# Simulate non-rooted environment
android root simulate
# Hook specific root detection methods
android hooking set return_value com.example.RootDetection.isRooted false
Methode Haken¶
Hooking und Manipulation von Anwendungsmethoden:
# Hook method and monitor calls
android hooking watch class com.example.MainActivity
# Hook specific method
android hooking watch class_method com.example.MainActivity.onCreate
# Set method return value
android hooking set return_value com.example.Security.isValid true
# Generate method hook template
android hooking generate simple com.example.MainActivity.login
# Hook constructor
android hooking watch class_method com.example.User.$init
Memory Operations¶
Erinnerungsexploration und Manipulation:
# Dump memory regions
memory dump all
# Dump specific memory region
memory dump 0x12345678 1024
# Search memory for patterns
memory search "password"
# Search memory for specific bytes
memory search --pattern "41 42 43 44"
# List memory regions
memory list
# Write to memory
memory write 0x12345678 "new_value"
Schlüsselspeicher und Kryptographie¶
Schlüsselspeicher und kryptographische Operationen:
# List keystore entries (Android)
android keystore list
# Dump keystore entry
android keystore detail alias_name
# Monitor cryptographic operations
android crypto monitor
# Hook encryption/decryption methods
android hooking watch class javax.crypto.Cipher
# Bypass certificate validation
android sslpinning disable --quiet
 Platform-Specific Features
Android-Specific Commands¶
Android-spezifische Funktionalität:
# List activities
android hooking list activities
# List services
android hooking list services
# List broadcast receivers
android hooking list receivers
# Start activity
android intent launch_activity com.example.MainActivity
# Send broadcast intent
android intent send_broadcast --action com.example.ACTION
# Monitor intents
android intent monitor
# Dump application heap
android heap dump
# Search heap for objects
android heap search instances com.example.User
iOS-Specific Commands¶
iOS-spezifische Funktionalität:
# List bundles
ios bundles list
# List classes in bundle
ios hooking list classes
# Monitor pasteboard
ios pasteboard monitor
# Dump keychain
ios keychain dump
# Monitor URL schemes
ios url_scheme monitor
# Hook Objective-C methods
ios hooking watch method "-[ViewController viewDidLoad]"
# List frameworks
ios bundles list_frameworks
# Monitor file operations
ios file monitor
Automatisierungsskripte
Automatisierte Bewertung¶
#!/usr/bin/env python3
# Objection automated assessment script
import subprocess
import json
import time
class ObjectionAutomation:
def __init__(self, package_name):
self.package_name = package_name
self.session = None
def start_session(self):
"""Start Objection session"""
cmd = f"objection -g \\\\{self.package_name\\\\} explore"
self.session = subprocess.Popen(
cmd.split(),
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
text=True
)
time.sleep(2)
def execute_command(self, command):
"""Execute command in Objection session"""
if self.session:
self.session.stdin.write(f"\\\\{command\\\\}\n")
self.session.stdin.flush()
time.sleep(1)
def run_security_assessment(self):
"""Run comprehensive security assessment"""
commands = [
"env",
"android sslpinning disable",
"android root disable",
"android hooking list activities",
"android hooking list services",
"android keystore list",
"memory dump all",
"file download /data/data/\\\\{\\\\}/databases/ ./databases/".format(self.package_name),
"android intent monitor"
]
for cmd in commands:
print(f"Executing: \\\\{cmd\\\\}")
self.execute_command(cmd)
time.sleep(2)
def close_session(self):
"""Close Objection session"""
if self.session:
self.execute_command("exit")
self.session.terminate()
# Usage
if __name__ == "__main__":
automation = ObjectionAutomation("com.example.app")
automation.start_session()
automation.run_security_assessment()
automation.close_session()
Batch Processing¶
#!/bin/bash
# Objection batch processing script
PACKAGE_LIST="packages.txt"
OUTPUT_DIR="objection_results"
mkdir -p $OUTPUT_DIR
while IFS= read -r package; do
echo "Processing package: $package"
# Create package-specific directory
mkdir -p "$OUTPUT_DIR/$package"
# Run Objection commands
objection -g $package explore -c "env" > "$OUTPUT_DIR/$package/env.txt"
objection -g $package explore -c "android hooking list activities" > "$OUTPUT_DIR/$package/activities.txt"
objection -g $package explore -c "android hooking list services" > "$OUTPUT_DIR/$package/services.txt"
objection -g $package explore -c "android keystore list" > "$OUTPUT_DIR/$package/keystore.txt"
# Disable security controls
objection -g $package explore -c "android sslpinning disable"
objection -g $package explore -c "android root disable"
echo "Completed processing: $package"
sleep 5
done < "$PACKAGE_LIST"
echo "Batch processing completed"
Custom Hook Generator¶
#!/usr/bin/env python3
# Custom Objection hook generator
import json
class HookGenerator:
def __init__(self):
self.hooks = []
def generate_method_hook(self, class_name, method_name, return_value=None):
"""Generate method hook"""
hook = \\\\{
"type": "method_hook",
"class": class_name,
"method": method_name,
"action": "monitor"
\\\\}
if return_value:
hook["return_value"] = return_value
hook["action"] = "modify"
self.hooks.append(hook)
return hook
def generate_class_hook(self, class_name):
"""Generate class hook"""
hook = \\\\{
"type": "class_hook",
"class": class_name,
"action": "monitor_all"
\\\\}
self.hooks.append(hook)
return hook
def generate_objection_script(self):
"""Generate Objection script from hooks"""
script_lines = []
for hook in self.hooks:
if hook["type"] == "method_hook":
if hook["action"] == "monitor":
script_lines.append(f"android hooking watch class_method \\\\{hook['class']\\\\}.\\\\{hook['method']\\\\}")
elif hook["action"] == "modify":
script_lines.append(f"android hooking set return_value \\\\{hook['class']\\\\}.\\\\{hook['method']\\\\} \\\\{hook['return_value']\\\\}")
elif hook["type"] == "class_hook":
script_lines.append(f"android hooking watch class \\\\{hook['class']\\\\}")
return "\n".join(script_lines)
def save_script(self, filename):
"""Save generated script to file"""
script = self.generate_objection_script()
with open(filename, 'w') as f:
f.write(script)
# Usage example
generator = HookGenerator()
generator.generate_method_hook("com.example.Security", "isValid", "true")
generator.generate_method_hook("com.example.Auth", "checkPassword", "true")
generator.generate_class_hook("com.example.Crypto")
script = generator.generate_objection_script()
print(script)
Integrationsbeispiele
Frida Script Integration¶
// Custom Frida script for Objection
Java.perform(function() \\\\{
// Hook login method
var MainActivity = Java.use("com.example.MainActivity");
MainActivity.login.implementation = function(username, password) \\\\{
console.log("[+] Login attempt:");
console.log(" Username: " + username);
console.log(" Password: " + password);
// Call original method
var result = this.login(username, password);
console.log(" Result: " + result);
return result;
\\\\};
// Hook encryption method
var CryptoUtils = Java.use("com.example.CryptoUtils");
CryptoUtils.encrypt.implementation = function(data) \\\\{
console.log("[+] Encryption called with: " + data);
// Return plaintext instead of encrypted data
return data;
\\\\};
\\\\});
Burp Suite Integration
#!/usr/bin/env python3
# Burp Suite and Objection integration
import requests
import subprocess
import time
class BurpObjectionIntegration:
def __init__(self, burp_proxy, package_name):
self.burp_proxy = burp_proxy
self.package_name = package_name
self.session = requests.Session()
self.session.proxies = \\\\{'http': burp_proxy, 'https': burp_proxy\\\\}
self.session.verify = False
def setup_objection(self):
"""Setup Objection with SSL pinning bypass"""
commands = [
f"objection -g \\\\{self.package_name\\\\} explore",
"android sslpinning disable",
"android root disable"
]
for cmd in commands:
subprocess.run(cmd.split())
time.sleep(2)
def test_endpoints(self, endpoints):
"""Test endpoints through Burp proxy"""
for endpoint in endpoints:
try:
response = self.session.get(endpoint)
print(f"Endpoint: \\\\{endpoint\\\\} - Status: \\\\{response.status_code\\\\}")
except Exception as e:
print(f"Error testing \\\\{endpoint\\\\}: \\\\{e\\\\}")
# Usage
integration = BurpObjectionIntegration("http://127.0.0.1:8080", "com.example.app")
integration.setup_objection()
integration.test_endpoints(["https://api.example.com/login", "https://api.example.com/data"])
OWASP ZAP Integration¶
#!/usr/bin/env python3
# OWASP ZAP and Objection integration
from zapv2 import ZAPv2
import subprocess
import time
class ZAPObjectionIntegration:
def __init__(self, zap_proxy, package_name):
self.zap = ZAPv2(proxies=\\\\{'http': zap_proxy, 'https': zap_proxy\\\\})
self.package_name = package_name
def setup_mobile_testing(self):
"""Setup mobile testing environment"""
# Start Objection
subprocess.Popen([
"objection", "-g", self.package_name, "explore",
"-c", "android sslpinning disable"
])
time.sleep(5)
# Configure ZAP for mobile testing
self.zap.core.set_option_use_proxy_chain(True)
self.zap.core.set_option_proxy_chain_name("127.0.0.1")
self.zap.core.set_option_proxy_chain_port(8080)
def run_active_scan(self, target_url):
"""Run active scan against mobile app endpoints"""
# Spider the application
scan_id = self.zap.spider.scan(target_url)
# Wait for spider to complete
while int(self.zap.spider.status(scan_id)) < 100:
time.sleep(1)
# Run active scan
scan_id = self.zap.ascan.scan(target_url)
# Wait for scan to complete
while int(self.zap.ascan.status(scan_id)) < 100:
time.sleep(1)
# Get results
alerts = self.zap.core.alerts()
return alerts
# Usage
integration = ZAPObjectionIntegration("http://127.0.0.1:8080", "com.example.app")
integration.setup_mobile_testing()
alerts = integration.run_active_scan("https://api.example.com")
Fehlerbehebung
Verbindungsprobleme¶
# Check Frida server status
adb shell ps|grep frida-server
# Restart Frida server
adb shell killall frida-server
adb shell /data/local/tmp/frida-server &
# Check device connectivity
frida-ps -U
# Test Objection connection
objection -g com.android.settings explore -c "env"
# Debug connection issues
objection -g com.example.app explore --debug
Anwendungsfragen¶
# Check if application is running
adb shell ps|grep com.example.app
# Start application
adb shell am start -n com.example.app/.MainActivity
# Check application permissions
adb shell dumpsys package com.example.app|grep permission
# Clear application data
adb shell pm clear com.example.app
# Reinstall application
adb uninstall com.example.app
adb install app.apk
Performance Issues¶
# Monitor device resources
adb shell top
# Check memory usage
adb shell dumpsys meminfo com.example.app
# Monitor CPU usage
adb shell dumpsys cpuinfo
# Check storage space
adb shell df
# Optimize Frida performance
frida-server -l 0.0.0.0:27042
Sicherheitsbedenken
Operationelle Sicherheit¶
Gerätesicherheit: - Verwenden Sie spezielle Testgeräte - Geräteisolation implementieren - Regelmäßige Sicherheitsupdates - Monitor für Malware - Sichere Datenspeicherung
Netzwerksicherheit: - Verwenden Sie VPN für Ferntests - Implementierung der Verkehrsverschlüsselung - Netzwerkaktivität überwachen - Sichere Proxykonfigurationen - Regelmäßige Netzprüfungen
Rechtliche und ethische Überlegungen¶
Authorized Testing Only: - ordnungsgemäße Genehmigung erhalten - Testbereich definieren - Dokumentation aller Aktivitäten - Verantwortungsvolle Offenlegung - Datenschutzrechte achten
Beste Praktiken: - Einsatz in kontrollierten Umgebungen - Regelmäßige Sicherheitsbewertungen - Durchführung von Sanierungsmaßnahmen - Monitor für unbefugte Nutzung - Audit-Strecken beibehalten
Referenzen
ANHANG Projektion GitHub Repository 2. Frida-Dokumentation 3. OWASP Mobile Security Testing Guide_ 4. Android Security Testing 5. [iOS Sicherheitstest](URL_32__