Home Objection Quick Start
Post
Cancel

Objection Quick Start

Posted Sep 15, 2021 Updated Dec 29, 2022
By Alexander Wells
3 min read
  1. Setup
  2. Android & iOS
  3. Android
  4. iOS

Setup

Install Objection

The objection python package will need to be installed as well as frida-tools:

1

pip3 install frida-tools objection

Test Objection

Ensure the package is working by running the objection command:

1
2
3
4
5
6
7
8
9
10
11
12
13
14

root@kali:~# objection

Usage: objection [OPTIONS] COMMAND [ARGS]...
       _   _         _   _
   ___| |_|_|___ ___| |_|_|___ ___
  | . | . | | -_|  _|  _| | . |   |
  |___|___| |___|___|_| |_|___|_|_|
        |___|(object)inject(ion)
  
       Runtime Mobile Exploration
          by: @leonjza from @sensepost

  By default, communications will happen over USB, unless the --network
  option is provided.

Find Application

Use Frida to check for installed applications on the phone:

Show running applications:

1

frida-ps -Ua
  • -U for USB mode
  • -a for applications only

Show all installed applications:

1

frida-ps -Uai
  • -i for install applications

You should see something like this:

1
2
3
4
5

root@kali:~# frida-ps -Ua

 PID  Name        Identifier               
----  ----------  -------------------------
2594  DuckDuckGo  com.duckduckgo.mobile.ios

Attach to Application

Once we know the name of our target application, we can attach to it with the following command:

1

objection -g NAME explore
  • Where NAME is DuckDuckGo or com.duckduckgo.mobile.ios in the above example.

A command can be executed as soon as Objection attaches to an application using:

1

objection -g com.duckduckgo.mobile.ios explore --startup-command "COMMAND"
  • COMMAND might be something like ios sslpinning disable on an iPhone.

A single command can be executed instead of exploring the application:

1

objection -g com.duckduckgo.mobile.ios run "COMMAND"
  • COMMAND might be something like ios cookies get on an iPhone.


Android & iOS

Files

DescriptionCommand
Get Environment Infoenv
View files in current Dirls
Print current Dirpwd
Print file contentsfile cat FILENAME
Download file (from Phone)file download PHONE_FILE [PC_FILE]
Upload file (to Phone)file upload PC_FILE [PHONE_FILE]

HTTP Server

DescriptionCommand
Start HTTP Server (in current dir)file http start
Stop HTTP Serverfile http stop
Status of HTTP Serverfile http status

Hooking

ios examples used below. Commands should work for both ios and android.

DescriptionCommand
List Application Classesios hooking list classes
Search for Classios hooking search classes SEARCH_STRING
List Class Methodsios hooking list class_methods CLASS_NAME
Search for Methodsios hooking search methods SEARCH_STRING
Hook ALL Class Methods (View params)ios hooking watch class CLASS_NAME
Hook Single Class Methodsios hooking watch method "-[CLASS_NAME METHOD_NAME]" –dump-args –dump-return –dump-backtrace
Change Boolean Method Return Valueios hooking set return_value "-[CLASS_NAME METHOD_NAME]" false
Generate Frida hooking templateios hooking generate simple CLASS_NAME

Other

DescriptionCommand
View Jobsjobs list
Stop/Kill Jobsjobs kill JOB_ID


Android

SSLPinning & Root Detection

DescriptionCommand
Disable SSLPinningandroid sslpinning disable
Disable SSLPinning (quiet mode)android sslpinning disable –quiet
Disable Jailbreak Detectionandroid root disable

Android Hooking

DescriptionCommand
List Activitiesandroid hooking list activities
List Receiversandroid hooking list receivers
List Servicesandroid hooking list services
Get Current Activityandroid hooking get current_activity


iOS

SSLPinning & Jailbreak Detection

DescriptionCommand
Disable SSLPinningios sslpinning disable
Disable SSLPinning (quiet mode)ios sslpinning disable –quiet
Disable Jailbreak Detectionios jailbreak disable

iOS Application Info

DescriptionCommand
Get Binary Infoios info binary
Get PList Filesios plist cat Info.plist
Get Application Bundlesios bundles list_bundles
Get External Frameworksios bundles list_frameworks

iOS DataStorage

DescriptionCommand
Get Keychainios keychain dump
Get Keychain (Auto-Decode)ios keychain dump –smart
Get Keychain (Save-As JSON)ios keychain dump –json keychain.json
View Cookiesios cookies get
View NSUserDefaultsios nsuserdefaults get
View NSURLCredentialStorageios nsurlcredentialstorage dump
Pasteboard Monitorios pasteboard monitor
security, mobile
security mobile ios android frida objection
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents