objection v1.11 released: runtime mobile exploration
objection Runtime Mobile Exploration
introduction – objection Runtime Mobile Exploration
objection is a runtime mobile exploration toolkit, powered by Frida. It was built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device.
The project’s name quite literally explains the approach as well, whereby runtime specific objects are injected into a running process and executed using Frida.
Note This is not some form of jailbreak/root bypass. By using objection, you are still limited by all of the restrictions imposed by the applicable sandbox you are facing.
features – objection Runtime Mobile Exploration
Supporting both iOS and Android and having new features and improvements added regularly as the tool is used in real-world scenarios, the following is a short list of only a few key features:
For all supported platforms, objection allows you to:
- Patch iOS and Android applications, embedding a Frida gadget that can be used with
objectionor just Frida itself.
- Interact with the filesystem, listing entries as well as upload & download files where permitted.
- Perform various memory-related tasks, such as listing loaded modules and their respective exports.
- Attempt to bypass and simulate jailbroken or rooted environments.
- Discover loaded classes and list their respective methods.
- Perform common SSL pinning bypasses.
- Dynamically dump arguments from methods called as you use the target application.
- Interact with SQLite databases inline without the need to download the targeted database and use an external tool.
- Execute custom Frida scripts.
iOS-specific features in objection include the ability to:
- Dump the iOS keychain, and export it to a file.
- Dump data from common storage such as NSUserDefaults and the shared NSHTTPCookieStorage.
- Dump various formats of information in human-readable forms.
- Bypass certain forms of TouchID restrictions.
- Watch for method executions by targeting all methods in a class, or just a single method.
- Monitor the iOS pasteboard.
- Dump encoded .plist files in a human-readable format without relying on external parsers.
Android specific features in objection include the ability to:
- List the applications Activities, Services, and Broadcast Receivers.
- Start arbitrary Activities available in the target application.
- Watch a class method, reporting execution as it happens.
This release has a significant change in how iOS applications are patched. Most importantly, after some help over at nowsecure/node-applesign#113, we realised we needed to set the bundle id and add the entitlement cloning flag. By default objection will now parse the bundleid from your
.mobileprovisionfile automatically, but if you need to set it to something else, you can use the new
-bflag on the
- Correctly parse
apktoolversions, even if build from source. (554c6c6) (via #449) (thanks @No-Cellist-7780)
- Improve support for patching iOS applications using a free developer account. (bb33bce)
Copyright (C) 2018