Android App Penetration Testing & Frida Hooks

Frida Objection: Hands-On Guide to Interactive Android Runtime Analysis for Pentesting


Introduction to Frida Objection

Android application penetration testing often requires dynamic analysis to understand runtime behavior, bypass security controls, and identify vulnerabilities. While Frida offers unparalleled power for runtime instrumentation, it can be complex to write custom scripts for every scenario. This is where Objection, a runtime mobile exploration toolkit powered by Frida, comes in. Objection simplifies common mobile application analysis tasks, providing an interactive shell to explore, manipulate, and bypass security mechanisms without writing a single line of Frida script.

This hands-on guide will walk you through setting up Frida and Objection, demonstrating its core capabilities for interactive Android runtime analysis, and showcasing practical use cases in penetration testing.

Prerequisites for Interactive Analysis

Before diving into Objection, ensure you have the following:

  • Rooted Android Device or Emulator: Necessary for Frida to inject into processes.
  • ADB (Android Debug Bridge): For interacting with the Android device.
  • Python 3: Objection is a Python tool.
  • Frida-tools: The Python client tools on the host; the matching frida-server binary runs on the device.

Setting Up Your Environment

Follow these steps to prepare your testing environment:

Step 1: Install Python and ADB

Ensure Python 3 is installed and in your PATH. ADB can typically be installed via your distribution’s package manager or by downloading the Android SDK Platform-Tools.

# On Debian/Ubuntu
sudo apt update
sudo apt install python3 python3-pip adb

# On macOS with Homebrew (adb ships in the android-platform-tools cask)
brew install python
brew install --cask android-platform-tools

Step 2: Install Frida-tools and Objection

Install both Frida-tools and Objection using pip:

pip3 install frida-tools objection

Step 3: Deploy Frida Server to Android Device

Download the appropriate Frida server binary for your Android device’s architecture (e.g., frida-server-*-android-arm64 for 64-bit ARM devices) from the Frida releases page. Push it to your device and make it executable:

# Check device architecture
adb shell getprop ro.product.cpu.abi

# Download the correct frida-server (example for arm64)
# curl -LO https://github.com/frida/frida/releases/download/20.X.X/frida-server-20.X.X-android-arm64.xz
# unxz frida-server-20.X.X-android-arm64.xz

# Push the extracted binary under a fixed name
adb push frida-server-20.X.X-android-arm64 /data/local/tmp/frida-server
adb shell "chmod 755 /data/local/tmp/frida-server"

Step 4: Run Frida Server

Start the Frida server on your Android device. It’s often best to run it in the background:

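# frida-server needs root: use su on a rooted device, or run `adb root` first on an emulator and drop the su wrapper
adb shell "su -c '/data/local/tmp/frida-server &'"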

You can also forward the Frida server’s port (default 27042) from the device to your host machine for more reliable communication:

adb forward tcp:27042 tcp:27042
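
The setup steps above, condensed into a helper that derives the matching frida-server download from the device ABI and the host's Frida version, and flags a client/server version mismatch. This is an added example, not part of the original guide; the function names are illustrative, and the device path /data/local/tmp/frida-server is the one used in Step 3.

```shell
#!/bin/sh
# Added example: choose the frida-server build for a device and check versions.

# Map an Android ABI (ro.product.cpu.abi) to the arch suffix of the release asset.
frida_arch_for_abi() {
    case "$1" in
        arm64-v8a)           echo arm64 ;;
        armeabi-v7a|armeabi) echo arm ;;
        x86_64)              echo x86_64 ;;
        x86)                 echo x86 ;;
        *)                   return 1 ;;   # unknown ABI: let the caller decide
    esac
}

# Build the release URL in the same pattern as the curl line in Step 3.
frida_server_url() {    # $1 = Frida version, $2 = Android ABI
    arch=$(frida_arch_for_abi "$2") || return 1
    echo "https://github.com/frida/frida/releases/download/$1/frida-server-$1-android-$arch.xz"
}

# Host client and device server should be the same release; adb output may
# carry a trailing carriage return, so strip it before comparing.
versions_match() {      # $1 = host version, $2 = server version
    [ "$(printf '%s' "$1" | tr -d '\r')" = "$(printf '%s' "$2" | tr -d '\r')" ]
}

# Live run: needs adb, a connected device and frida-tools on the host.
main() {
    abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')
    host_ver=$(frida --version)
    url=$(frida_server_url "$host_ver" "$abi") || {
        echo "unsupported ABI: $abi" >&2
        return 1
    }
    echo "frida-server for this device: $url"
    # Empty if the server has not been pushed yet.
    srv_ver=$(adb shell /data/local/tmp/frida-server --version 2>/dev/null | tr -d '\r')
    if [ -n "$srv_ver" ] && ! versions_match "$host_ver" "$srv_ver"; then
        echo "version mismatch: host $host_ver, device $srv_ver" >&2
        return 1
    fi
}

# Only touch the device when explicitly asked to.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with --run once the device is connected; without the argument it only defines the functions.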

Basic Objection Usage: Attaching and Exploring

With Frida server running, you can now attach Objection to a target application. First, identify the target app’s package name. Let’s assume our target is com.example.insecureapp.

adb shell pm list packages | grep insecure

To launch and attach Objection:

objection -g com.example.insecureapp explore

The explore command will launch the app (if not already running) and provide you with an interactive Objection prompt. To run an Objection command as soon as the session starts, before the app gets to its own startup checks, pass it with --startup-command, for example objection -g com.example.insecureapp explore --startup-command "android sslpinning disable". Alternatively, you can attach by PID by giving the PID as the -g value: objection -g [PID] explore.

Exploring Classes and Methods

Once attached, you can start exploring the application’s runtime. A common first step is to enumerate loaded classes and their methods:

android hooking list classes
android hooking search classes [keyword]
android hooking list class_methods [class_name]

For example, to list methods of a specific class:

android hooking list class_methods com.example.insecureapp.MainActivity

Advanced Techniques with Objection

Method Hooking and Overriding

Objection allows you to hook methods, observe their arguments, return values, and even override them. This is crucial for bypassing checks (e.g., root detection, anti-tampering) or modifying application logic.

# Force a method to return a fixed boolean value
android hooking set return_value com.example.insecureapp.Utils.isRooted false

# Watch a method and print its arguments, backtrace, and return value
android hooking watch class_method com.example.insecureapp.SecurityCheck.verifyChecksum --dump-args --dump-backtrace --dump-return

The set return_value command is powerful for immediate bypasses, though it only handles methods that return a boolean. For more granular control, watch class_method allows you to inspect calls.

Bypassing SSL Pinning

SSL Pinning is a common security control. Objection provides a built-in command to attempt to disable it across various common implementations:

android sslpinning disable

This command injects Frida scripts designed to hook common SSL pinning libraries (OkHttp, TrustManager, etc.) and force them to trust any certificate. After executing this, you should be able to intercept traffic using a proxy like Burp Suite or OWASP ZAP.

Interacting with the File System and Shared Preferences

You can read and write files directly on the device from the Objection shell, which is useful for modifying configuration files or extracting sensitive data from sandboxed storage.

# List directories
ls /data/data/com.example.insecureapp/shared_prefs

# Read a file
file cat /data/data/com.example.insecureapp/shared_prefs/app_config.xml

# Download a file to the host (`file upload` copies in the other direction)
file download /data/data/com.example.insecureapp/databases/app.db app.db

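Accessing shared preferences is particularly useful as many apps store user data, tokens, or settings there. They are XML files under shared_prefs, so to change a value, download the file, edit it on the host, and upload it back:

file download /data/data/com.example.insecureapp/shared_prefs/app_config.xml app_config.xml
file upload app_config.xml /data/data/com.example.insecureapp/shared_prefs/app_config.xml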

Memory Dumping and Heap Exploration

Understanding what’s in memory can reveal sensitive data like API keys, plaintext credentials, or cryptographic materials. Objection can help with this:

memory search "[keyword]" --string
android heap search instances [class_name]
memory dump all [output_file]

memory dump all can generate a large memory dump that can be analyzed offline using tools like Volatility or custom scripts.

Practical Scenario: Bypassing Root Detection

Consider an application that refuses to run on a rooted device. We can often bypass this using Objection.

1. Identify Root Check Method: Use android hooking search classes root or android hooking search methods isRooted to find potential root detection functions.

android hooking search classes root

Let’s say we find a method com.example.insecureapp.SecurityCheck.isRooted().

2. Hook and Override: Set the return value of this method to false.

android hooking set return_value com.example.insecureapp.SecurityCheck.isRooted false

Now, when the application calls isRooted(), it will always receive false, effectively bypassing the root detection.

3. Verify: Observe the application’s behavior. If it proceeds past the root check, the bypass was successful.

Conclusion

Frida Objection significantly streamlines the dynamic analysis phase of Android application penetration testing. By providing an interactive shell and abstracting complex Frida scripting, it empowers testers to quickly identify and exploit vulnerabilities, bypass security controls, and gain deeper insights into application runtime behavior. From simple class enumeration to complex method hooking and SSL pinning bypasses, Objection is an indispensable tool in any mobile pentester’s arsenal. Master its commands, and you’ll dramatically increase your efficiency and effectiveness in securing Android applications.
