whatminjacodes [she/they]

Mobile Security Tools part 3: Objection

Background

As an Information Security Specialist at 2NS, I get to learn something new about cybersecurity every day. Through this blog, I aim to share insights, tools, and techniques that I find valuable in my work, hoping to help others in the field.

In this post, I’ll be going through how to use Objection!

Here are the previous blog posts in the Mobile Security Tools series:

Let's get started!

What is objection?

Objection is a runtime mobile exploration toolkit, powered by Frida. I wrote a blog post that explains what Frida is and how it can be set up on Android. You can find it here.

It supports both iOS and Android.

Some of the features:

  • Inspect and interact with container file systems.
  • Bypass SSL pinning.
  • Dump keychains.
  • Perform memory-related tasks, such as dumping & patching.
  • Explore and manipulate objects on the heap.

Tutorial

Let's install and use Objection next.

Prerequisites

Objection can be used without rooting your phone, but for the sake of this tutorial, it is assumed you also have a rooted device. I used Magisk for rooting my phone.

My setup:

  • A rooted Pixel 6a
  • Android 13
  • Ubuntu 22.04.3 LTS
  • Android Platform Tools downloaded

If you are new to adb, I recommend first reading up on what it is.

The Frida server needs to be set up and running. You can follow my tutorial to get that done.

Install objection

Run the following command to install objection:

sudo pip install objection

And that's it! You can check that everything works as intended by running the following command in a terminal:

objection -g "com.android.settings" device-type

That command should print some basic information about the device in use.

Testing with an app

We can use the Purposefully Insecure and Vulnerable Android Application (PIVAA) to practice how Objection works.

Download the project from GitHub and extract the files. Go to platform-tools and use adb to install the .apk file:

./adb install /PATH-TO-FILE/pivaa.apk

You can use pwd to get the path of the folder you are currently in.

Next, attach Objection to the app we just installed. You can find the name of the package by using the find command in the adb shell:

su
cd /data/app
find -name "*<name>*"

  • su: switch to superuser privileges
  • cd /data/app: the folder that holds all the installed applications
  • find -name "*<name>*": replace <name> with the app name you are trying to find, such as pivaa (find -name "*pivaa*"), to find the name of the package.

Attach Objection:

objection -g com.htbridge.pivaa explore

The previous command opens an interactive shell that is attached to the target application.

Run the following command in the objection shell:

env

This command should show you the different data storage locations the application might be using. If it does, we can be sure our connection is working. Objection has now been attached to the application!
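
As an added example (not part of the original post or of the Objection project), this shell helper turns the output of the find step above into the package name that objection -g expects. It assumes the Android 11+ layout ./~~<random>==/<package>-<random>== under /data/app; the function names and the sample path are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn `find` output from /data/app into a package name for `objection -g`.
# Assumed layout (Android 11+): ./~~<random>==/<package>-<random>==
# Older layout also handled:    ./<package>-<suffix>

# pkg_from_path PATH -> prints the package name, or returns 1 if PATH is not a package dir.
pkg_from_path() {
    base=${1%/}          # drop a trailing slash
    base=${base##*/}     # keep only the last path component
    case $base in
        "~~"*|"") return 1 ;;   # outer random directory, not a package
    esac
    # Package names never contain '-', but the random suffix may,
    # so cut at the FIRST '-' rather than the last one.
    pkg=${base%%-*}
    # Accept only dotted Java-style identifiers before handing the value to a tool.
    printf '%s\n' "$pkg" |
        grep -Eq '^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$' || return 1
    printf '%s\n' "$pkg"
}

# resolve_package: reads find output on stdin and prints the single matching package.
# Returns 1 when nothing matches and 2 when the keyword matched several packages.
resolve_package() {
    found=$(while IFS= read -r line; do pkg_from_path "$line" || true; done | sort -u)
    [ -n "$found" ] || return 1
    [ $(printf '%s\n' "$found" | wc -l) -eq 1 ] || return 2
    printf '%s\n' "$found"
}

# Constructed sample of what `find -name "*pivaa*"` could print on Android 13.
SAMPLE_FIND_OUTPUT='./~~Qx3-constructedAAAA==/com.htbridge.pivaa-Zk9-constructedBBBB=='

# Build the attach command from the tutorial with the resolved name filled in.
attach_command() {
    pkg=$(printf '%s\n' "$SAMPLE_FIND_OUTPUT" | resolve_package) || return 1
    printf 'objection -g %s explore\n' "$pkg"
}
```

On a real device, pipe the actual find output into resolve_package instead of the constructed sample; a return code of 2 means the search keyword was too broad.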

What's next?

There's a lot that can be done using Objection. Some good sources to learn more are listed here:

I hope this blog post helped you to get started with Objection!

Follow me on Instagram @whatminjahacks for a behind-the-scenes look at my work as an Information Security Specialist at 2NS, and to learn more cybersecurity tips and insights!
