Objection

What Objection Is

Objection is a Frida wrapper. It gives you a REPL where you can poke at a running app, inspect classes, call methods, dump memory, and run pre-built bypass scripts without writing a single line of JavaScript.

When Frida feels like overkill, Objection is usually what I reach for first.

Installation

pip install objection

# Verify
objection version

You still need frida-server running on Android, or the Frida launch daemon on iOS. Objection does not replace Frida, it sits on top of it.

Getting In

# Attach to a running app
objection -g com.target.app explore

# Spawn the app and attach
objection -g com.target.app explore --startup-command 'android sslpinning disable'

Once you are in, you get a prompt:

com.target.app on (Pixel 6: 13) [usb] # 

Tab completion works. Use it.

Things I Use On Every Engagement

Disable SSL pinning

android sslpinning disable

This handles OkHttp, TrustManager, WebView, and most of the common pinning libraries. On iOS:

ios sslpinning disable

Disable root or jailbreak detection

android root disable
ios jailbreak disable

These hook the common detection methods. They will not catch custom checks, but they handle the lazy ones, and most apps are lazy.

Dump the keychain (iOS)

ios keychain dump
ios keychain dump --json /tmp/keychain.json

This pulls every keychain item the app can access. Tokens, refresh tokens, biometric-gated secrets if you can satisfy the gate.

Dump shared preferences and storage (Android)

android hooking list activities
env
ls /data/data/com.target.app/
file download /data/data/com.target.app/shared_prefs/prefs.xml /tmp/prefs.xml

Find classes and methods

android hooking search classes login
android hooking search methods checkPin

Watch a method without writing a hook

android hooking watch class_method com.target.app.Auth.checkPin --dump-args --dump-return --dump-backtrace

This is huge. You get arguments, return values, and a stack trace, in one command, no script needed.

Invoke a method directly

android hooking generate simple com.target.app.LicenseManager

Generates a Frida snippet you can edit. Useful for calling internal methods with custom arguments.

Memory operations

memory list modules
memory list exports libssl.so
memory dump from_base libssl.so 4096 /tmp/libssl_head.bin
memory search --string "api.target.com"

iOS-Specific Goodies

# List the app's URL handlers
ios url-handlers list

# Cookie jar
ios cookies get

# NSUserDefaults
ios nsuserdefaults get

# Plist files
ios plist cat /var/mobile/Containers/.../Library/Preferences/com.target.app.plist

Android-Specific Goodies

# Intents
android intent launch_activity com.target.app/.HiddenActivity
android intent launch_service com.target.app/.SyncService

# Heap dump
android heap search instances com.target.app.User
android heap execute <object_id> getEmail

The heap search plus heap execute combo is gold. You can find live instances of a class in memory and call methods on them. Want the current logged-in user object? Find the instance, call its getters.

Where Objection Falls Short

• Custom obfuscated apps where class names are mangled, you need raw Frida to find what you want
• Native code hooking, Objection focuses on the runtime layers
• Anything where the pre-built bypass scripts do not match the target's specific protection. In those cases I drop back to Frida and write the hook by hand

Workflow

The pattern I follow:

1. Spawn the app with Objection
2. Run the standard bypasses, SSL pinning, root, jailbreak
3. Use android hooking watch or ios hooking watch on anything I find interesting in the decompiled code
4. Dump storage, keychain, preferences
5. Drop to raw Frida only when Objection cannot do what I need

Related Notes

• Frida
• SSL Pinning Bypass
• Mobile Pentesting Fundamentals