Android App Penetration Testing & Frida Hooks

From Basic to Advanced: Mastering Frida Objection for Android App Runtime Exploration


Introduction to Frida Objection

In the dynamic world of Android application penetration testing and reverse engineering, tools that offer unparalleled visibility and control over an application’s runtime are invaluable. Frida, a dynamic instrumentation toolkit, stands out as a powerful framework for injecting scripts into processes. Building upon Frida’s capabilities, Objection is a runtime mobile exploration toolkit, powered by Frida, that provides an interactive shell to perform various tasks like bypassing SSL pinning, examining memory, manipulating methods, and much more, all without writing a single line of Frida script initially. This article will guide you from the basics of setting up Objection to leveraging its advanced features for comprehensive Android app runtime exploration.

Setting Up Your Environment

Before diving into Objection, ensure you have the necessary prerequisites installed and configured:

1. Android Device Setup (Rooted or Emulator)

Objection needs Frida running inside the target process. The usual way to get there is a rooted Android device or an emulator with root access, where frida-server runs as root and can attach to any process; on a device you cannot root, the alternative is objection patchapk, which repackages the APK with the Frida gadget library. This article assumes the rooted path. Ensure ADB (Android Debug Bridge) is installed on your host machine and that your device is detected:

adb devices

You should see your device listed. If not, troubleshoot your ADB connection.

2. Installing Frida Server on Android

Download the frida-server release for your device's CPU architecture from the Frida releases page. Check the architecture with adb shell getprop ro.product.cpu.abi: arm64-v8a needs frida-server-<version>-android-arm64, armeabi-v7a needs -android-arm, and x86_64 / x86 emulators need -android-x86_64 / -android-x86. The release asset is xz-compressed, so extract it first. The server version must match the Frida client on your host (frida --version), at least in the major version, or the client will refuse to talk to it. Push the binary to the device and start it as root:

adb push /path/to/frida-server /data/local/tmp/frida-server
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "su -c /data/local/tmp/frida-server &"

On emulators and userdebug builds, adb root followed by adb shell "/data/local/tmp/frida-server &" works without su. Confirm the server is running with frida-ps -U on your host, which should list the device's processes. Because the server keeps running in the foreground of that adb shell, the command that started it will not return a prompt; leave that terminal open and work from a second one.

3. Installing Frida and Objection on Your Host Machine

Install the Frida client and Objection using pip:

pip install frida-tools objection

Verify installations:

frida --version
objection --version

Basic Runtime Exploration with Objection

Let’s begin with some fundamental Objection commands. For this tutorial, we’ll use a hypothetical target application with package name com.example.targetapp.

Attaching to a Running Application

First, launch your target application on the Android device. Then, attach Objection to it:

objection --gadget 'com.example.targetapp' explore

The --gadget flag instructs Objection to inject into the specified package. You’ll be presented with an Objection shell prompt.

Bypassing SSL Pinning

One of the most common tasks in mobile app pentesting is bypassing SSL pinning. Objection makes this trivial:

android sslpinning disable

This command injects a Frida script that hooks the common Java-level pinning implementations (javax.net.ssl TrustManager checks, OkHttp's CertificatePinner, the platform's Conscrypt TrustManagerImpl and similar) so that certificate validation passes. Two caveats: it does nothing for pinning implemented in native code (C/C++ libraries, Flutter), and it does not install your proxy's CA, so traffic still has to be routed through your interception proxy, for example with android proxy set <host> <port> or the device's Wi-Fi proxy settings. Run it before the app makes its first request, ideally as a startup command, or the connection pool may already hold pinned connections.

Bypassing Root Detection

Many applications employ root detection to prevent execution on compromised devices. Objection can often bypass this:

android root disable

This command hooks the common Java-level checks, such as File.exists on known su paths, Runtime.exec of su or which su, Build.TAGS and lookups of root-manager packages, so the app concludes it is running on a stock, unrooted device. Checks done in native code or through SafetyNet / Play Integrity are not affected, and if you want the opposite (testing how the app reacts to root), android root simulate exists as well.
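To see what such a bypass actually hooks, here is an added example of a Frida script that does by hand what android root disable automates for the most common Java-level checks. It is not objection's own agent code; the package name com.example.targetapp is the article's hypothetical target and the su paths and root-manager package names are a representative list, not an exhaustive one. The decision logic is kept free of Frida APIs so it can be unit-tested on the host, and the hooks install only when the script runs inside Frida.

```javascript
// Added example (not objection's own agent code): a Frida script doing by hand
// what `android root disable` automates for the common Java-level root checks.
// Load it from the objection shell with: import /path/to/root_bypass.js
// com.example.targetapp is the article's hypothetical target package.
'use strict';

// Paths that RootBeer-style and hand-rolled checks probe with File.exists().
var SU_BINARY_PATHS = [
  '/system/bin/su', '/system/xbin/su', '/sbin/su', '/su/bin/su',
  '/system/sd/xbin/su', '/system/bin/failsafe/su', '/data/local/su',
  '/data/local/bin/su', '/data/local/xbin/su', '/system/app/Superuser.apk'
];

// Root managers that apps look up through PackageManager.getPackageInfo().
var ROOT_MANAGER_PACKAGES = [
  'com.topjohnwu.magisk', 'eu.chainfire.supersu',
  'com.noshufou.android.su', 'com.koushikdutta.superuser'
];

// Decision logic is kept free of Frida APIs so it can be unit-tested on the host.
function hidesPath(path) {
  if (typeof path !== 'string') return false;
  if (SU_BINARY_PATHS.indexOf(path) !== -1) return true;
  var base = path.substring(path.lastIndexOf('/') + 1);
  return base === 'su' || base === 'busybox' || base === 'magisk';
}

function hidesPackage(name) {
  return ROOT_MANAGER_PACKAGES.indexOf(name) !== -1;
}

// "su", "which su" and ["/system/xbin/su", "-c", "id"] are all refused.
function hidesCommand(tokens) {
  return tokens.some(function (token) { return hidesPath(token); });
}

if (typeof Java !== 'undefined' && Java.available) {
  Java.perform(function () {
    var File = Java.use('java.io.File');
    var Runtime = Java.use('java.lang.Runtime');
    var Build = Java.use('android.os.Build');
    var PackageManager = Java.use('android.app.ApplicationPackageManager');
    var IOException = Java.use('java.io.IOException');
    var NameNotFound = Java.use('android.content.pm.PackageManager$NameNotFoundException');

    // File.exists() is the most common probe; answer "absent" for su binaries.
    File.exists.implementation = function () {
      var p = this.getAbsolutePath();
      if (hidesPath(p)) { console.log('[root] hid ' + p); return false; }
      return this.exists();
    };

    // Runtime.exec() is overloaded; cover the two forms root checks actually use.
    Runtime.exec.overload('java.lang.String').implementation = function (cmd) {
      if (hidesCommand(cmd.split(' '))) throw IOException.$new('Cannot run program "' + cmd + '"');
      return this.exec(cmd);
    };
    Runtime.exec.overload('[Ljava.lang.String;').implementation = function (argv) {
      var tokens = [];
      for (var i = 0; i < argv.length; i++) tokens.push(String(argv[i]));
      if (hidesCommand(tokens)) throw IOException.$new('Cannot run program "' + tokens[0] + '"');
      return this.exec(argv);
    };

    // Build.TAGS == "test-keys" is read as a custom ROM / rooted build.
    Build.TAGS.value = 'release-keys';

    // Magisk / SuperSU lookups fail exactly as if the package were not installed.
    PackageManager.getPackageInfo.overload('java.lang.String', 'int').implementation =
      function (name, flags) {
        if (hidesPackage(name)) throw NameNotFound.$new(name);
        return this.getPackageInfo(name, flags);
      };
  });
}
```

The console.log lines are the useful part during an assessment: they tell you which probe the app actually ran, which is what you need when the built-in bypass is not enough and you have to extend the list for a custom check.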

Advanced Features and Techniques

Objection’s true power lies in its ability to delve deeper into the application’s runtime state.

1. Exploring Application Environment

Gain insights into the app’s environment:

  • env: Displays the app's directory layout (files, cache, external cache, code cache, obb and the package code path), which are the paths you will use with the file commands. The frida command prints the Frida version, process and device details.

  • memory dump all /tmp/targetapp.bin: Dumps every readable memory region of the process to a file on the host, useful for finding secrets that only exist at runtime. memory search "<hex bytes>" searches the live process instead, and android heap search instances <class> lists live Java objects of a class so you can inspect them.

2. Interacting with the File System

Explore and manipulate the app’s private file system without leaving the Objection shell:

  • ls /data/data/com.example.targetapp/shared_prefs: List the contents of a directory (cd and pwd work too; the shell starts in the app's data directory).

  • file cat /data/data/com.example.targetapp/shared_prefs/app_prefs.xml: Print the content of a file.

  • file download /data/data/com.example.targetapp/databases/app.db app.db: Copy a file from the device to your host machine. For SQLite databases, sqlite connect /data/data/com.example.targetapp/databases/app.db downloads the file and opens a SQL prompt on it.

  • file upload /path/to/local/file.txt /data/data/com.example.targetapp/cache/file.txt: Copy a file from your host to the device.

3. Runtime Class and Method Manipulation

This is where Objection truly shines for dynamic analysis.

Searching for Classes and Methods

Before you can hook anything, you need to know what to hook. Objection provides powerful search capabilities:

android hooking list classes
android hooking search classes <keyword>
android hooking list class_methods <class_name>
android hooking search methods <keyword>

For example, to find all loaded classes whose name contains "auth":

android hooking search classes auth

Then list the methods, with their full signatures, of a specific class:

android hooking list class_methods com.example.targetapp.AuthManager

android hooking search methods login walks the methods of every loaded class looking for the keyword; it works, but it is slow on large apps, so narrow down to a class first when you can. Note that these commands only see classes the app has already loaded; trigger the relevant screen or flow first if a class is missing.

Hooking Methods

Once you identify a method, you can hook it to observe arguments, return values, and even modify them.

android hooking watch class_method com.example.targetapp.AuthManager.login
android hooking watch class_method com.example.targetapp.AuthManager.login --dump-args --dump-backtrace --dump-return

When the login method is called, Objection prints a line for the call and, with the flags, its arguments, the Java call stack (backtrace) and its return value. Every overload of the method is hooked. Each watch is a job: jobs list shows the active hooks and jobs kill <job_id> removes one. You can also trace all methods in a class:

android hooking watch class com.example.targetapp.AuthManager

Calling Methods on Live Instances

Objection does not call static methods straight from the shell, but it can find live instances of a class on the Java heap and invoke methods on them:

android heap search instances com.example.targetapp.utils.AppUtils
android heap execute <handle> getVersionCode
android heap evaluate <handle>

heap execute calls a no-argument method on the instance identified by the handle from the search output; heap evaluate opens an editor where you can write JavaScript against that instance for calls that need arguments. For static methods, or anything more involved, a few lines of Frida script loaded into the session are the cleaner option; android hooking generate simple <class_name> prints a hook template for every method of a class to start from.

4. Dumping DEX from Memory

Objection does not ship a DEX dumper. What it does give you is raw access to the process memory, which is still useful when an app unpacks or downloads DEX at runtime:

memory list modules
memory dump all /tmp/targetapp.bin
memory search "64 65 78 0a 30 33" --offsets-only

The dump is a flat file of every readable region, so DEX files have to be carved out of it by their header: the magic "dex\n035\0" (newer versions use 037 to 040), a 0x70-byte header, the little-endian endian_tag 0x12345678 at offset 0x28 and the file size at offset 0x20. The standalone frida-dexdump tool automates exactly this, and a custom Frida script can instead hook the dalvik.system.DexClassLoader and InMemoryDexClassLoader constructors to catch DEX as it is loaded. Either way, the recovered files are then decompiled with tools like Jadx or Ghidra.

5. Loading Custom Frida Scripts

For scenarios that go beyond Objection’s built-in commands, you can load your custom Frida JavaScript scripts directly:

objection --gadget 'com.example.targetapp' explore --startup-script /path/to/your/frida_script.js

From inside the shell, import /path/to/your/frida_script.js loads a script into the running session, and --startup-command "android sslpinning disable" runs a built-in command before the app's own code gets going. This allows you to leverage the full power of Frida's API for highly specific and complex instrumentation tasks, while still operating within the Objection ecosystem. Your script is injected alongside Objection's own agent, so keep hook names and globals distinct to avoid clashing with it.

Real-world Scenario: Bypassing a Simple License Check

Imagine an application with a simple license check in a method like com.example.targetapp.LicenseChecker.isLicensed(), which returns a boolean. We want to force it to return true.

Step 1: Attach and Search

objection --gadget 'com.example.targetapp' explore
android hooking list class_methods com.example.targetapp.LicenseChecker

Confirm the method signature: the listing shows the return type (boolean here) and reveals whether there are overloads you would otherwise miss.

Step 2: Hook and Modify Return Value

We can use Objection's set return_value feature:

android hooking set return_value com.example.targetapp.LicenseChecker.isLicensed true

Now every call to isLicensed() is intercepted and Objection forces it to return true, bypassing the license check. Two checks are worth making afterwards: jobs list confirms the hook is installed, and if the app still behaves as unlicensed, the real decision is being made elsewhere (a cached field, a second overload, or a server-side verdict); android hooking watch class com.example.targetapp.LicenseChecker shows which methods actually run.
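For the cases where the built-in commands are not enough (a method that returns something other than a boolean, or a hook that has to inspect the arguments before deciding), here is an added example of a Frida script that does by hand what the watch class_method flags and set return_value do, covering both the method tracing from the hooking section and the license bypass above. It is not objection's agent code; the class and method names are the article's hypothetical ones, and the log formatting is this script's own. The call-description helper is Frida-free so it can be tested on the host.

```javascript
// Added example (not objection's own agent code): a Frida script doing by hand
// what `android hooking watch class_method ... --dump-args --dump-backtrace --dump-return`
// and `android hooking set return_value ... true` automate. The package, class and
// method names are the article's hypothetical ones. Load it from the objection
// shell with: import /path/to/license_bypass.js
'use strict';

// One log line per call. argTypes are the overload's parameter class names,
// args the live values. Kept free of Frida APIs so it can be tested on the host.
function describeCall(className, methodName, argTypes, args, ret) {
  var parts = [];
  for (var i = 0; i < args.length; i++) {
    var type = (argTypes[i] || '?').replace(/^.*\./, '');
    var value = typeof args[i] === 'string' ? JSON.stringify(args[i]) : String(args[i]);
    parts.push(type + ' ' + value);
  }
  var line = className + '.' + methodName + '(' + parts.join(', ') + ')';
  return ret === undefined ? line : line + ' => ' + String(ret);
}

// Java-level backtrace: Log.getStackTraceString on a freshly created Throwable.
function javaBacktrace() {
  var Log = Java.use('android.util.Log');
  var Throwable = Java.use('java.lang.Throwable');
  return Log.getStackTraceString(Throwable.$new());
}

// Install `handler` on every overload of className.methodName. The handler gets
// (argTypes, args, callOriginal) and returns the value handed to the caller, which
// is how both "watch" (pass it through) and "set return value" (replace it) work.
function hookAllOverloads(className, methodName, handler) {
  var clazz = Java.use(className);
  clazz[methodName].overloads.forEach(function (overload) {
    var argTypes = overload.argumentTypes.map(function (t) { return t.className; });
    overload.implementation = function () {
      var self = this;
      var args = Array.prototype.slice.call(arguments);
      return handler(argTypes, args, function () {
        return self[methodName].apply(self, args);
      });
    };
  });
}

if (typeof Java !== 'undefined' && Java.available) {
  Java.perform(function () {
    // watch class_method com.example.targetapp.AuthManager.login --dump-args --dump-backtrace --dump-return
    hookAllOverloads('com.example.targetapp.AuthManager', 'login', function (types, args, callOriginal) {
      var ret = callOriginal();
      console.log(describeCall('com.example.targetapp.AuthManager', 'login', types, args, ret));
      console.log(javaBacktrace());
      return ret;
    });

    // set return_value com.example.targetapp.LicenseChecker.isLicensed true
    hookAllOverloads('com.example.targetapp.LicenseChecker', 'isLicensed', function (types, args, callOriginal) {
      var real = callOriginal();   // still run it: the app may log or cache the real verdict
      console.log('[license] isLicensed() really returned ' + real + ', forcing true');
      return true;
    });
  });
}
```

Unlike the shell command, the handler can return any value the method's type allows, or decide per call based on the arguments, and calling the original first keeps the app's side effects (network calls, logging) intact so the hook is harder to notice from the app's own telemetry.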

Conclusion

Frida Objection dramatically streamlines the process of Android application runtime exploration, providing an interactive, powerful, and user-friendly interface to Frida’s robust instrumentation capabilities. From basic tasks like bypassing SSL pinning and root detection to advanced method hooking, file system interaction, and memory analysis, Objection empowers security researchers and penetration testers to gain deep insights into application behavior without extensive script writing. By mastering Objection, you unlock a new level of efficiency and effectiveness in your mobile security assessments, making it an indispensable tool in your arsenal.
