Mobile Security

objection – Runtime Mobile Exploration

objection is a runtime mobile exploration toolkit, powered by Frida. It was built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device. The project’s name quite literally explains the approach as well, whereby runtime specific objects are injected into a running process and executed using Frida.

Note This is not some form of jailbreak / root bypass. By using objection, you are still limited by all of the restrictions imposed by the applicable sandbox you are facing.


Currently, only iOS is supported with Android support coming soon.

For iOS, objection allows you to:

  • Interact with the iOS filesystem, listing entries as well as upload & download files where permitted.
  • Perform various memory related tasks, such as listing loaded modules and their respective exports.
  • Dump the iOS keychain, and export it to a file.
  • Attempt to bypass and simulate Jailbreak detections.
  • Perform common SSL pinning bypasses.
  • Dump data from NSUserDefaults and the shared NSHTTPCookieStorage.
  • Dynamically dump arguments from methods called as you use the target application.
  • Dump various formats of information in human readable forms.
  • Bypass certain forms of TouchID restrictions.
  • Execute custom Frida scripts.


To run objection, all you need is the python3 interpreter to be available. The installation via pip should take care of all of the dependencies needed.

As for the mobile applications though, for iOS, an unencrypted IPA is needed. If you have the source code of the application you want to explore, then you can simply embed and load the FridaGadget.gylib in the project.


Installation is simply a matter of pip3 install objection. This will give you the objection command.


The objection command contains a number of subcommands. Certain subcommands may contain flags to set various configurations and options. To get a list of available options, run any objection command with the --help flag. For example:


$ objection --help
Usage: objection [OPTIONS] COMMAND [ARGS]...

       _     _         _   _
   ___| |_  |_|___ ___| |_|_|___ ___
  | . | . | | | -_|  _|  _| | . |   |
  |___|___|_| |___|___|_| |_|___|_|_|

       Runtime Mobile Exploration
          by: @leonjza from @sensepost

  By default, communications will happen over USB, unless the --network
  option is provided.

  -N, --network       Connect using a network connection instead of USB.
                      [default: False]
  -h, --host TEXT     [default:]
  -p, --port INTEGER  [default: 27042]
  -g, --gadget TEXT   Name of the Frida Gadget/Process to connect to.
                      [default: Gadget]
  --help              Show this message and exit.

  device_type  Get information about an attached device.
  explore      Start the objection exploration REPL.
  patchipa     Patch an IPA with the FridaGadget dylib.
  version      Prints the current version and exists

The most commonly used subcommand is explore, which will start the objection exploration REPL. Considering the options in the above --help output, to connect to a Frida gadget hosted on the network, one would execute objection -N explore.

The exploration REPL will autocomplete commands when the [TAB] key is pressed whenever possible. If you need some help, prefixing your full command with the help keyword will print documentation and usage examples for the command in question.

Download Objection

About the author


Add Comment

Click here to post a comment

Leave a Reply


%d bloggers like this: