Hacktricks-skills objection-android-pentest

Use Objection for runtime Android mobile app exploration and security testing. Use this skill whenever the user needs to perform dynamic analysis on Android apps, bypass SSL pinning, disable root detection, hook methods, inspect memory, or explore app internals at runtime. Trigger for any Android pentesting task involving Frida, runtime manipulation, or mobile security assessment.

Install (clone the upstream repo):
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial/SKILL.MD

Objection Android Pentest Skill

A skill for using Objection to perform runtime exploration and security testing on Android applications.

What Objection Does

Objection is a runtime mobile exploration toolkit powered by Frida. It lets you:

  • Bypass security controls (SSL pinning, root detection)
  • Hook and inspect methods at runtime
  • Explore app internals without decompiling
  • Manipulate app behavior dynamically
  • Inspect memory, SQLite databases, and more

Important: Objection is NOT a jailbreak or root bypass. It runs inside the target app's process, so you are still limited by the restrictions of the device's sandbox.

Setup

Installation

pip3 install objection

Connection Requirements

  1. ADB Connection: Establish a regular ADB connection to the device
  2. Frida Server: Start Frida server on the device and verify it's working
  3. Target App: Identify the app package name using
    frida-ps -Uai

Starting Objection

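# For rooted devices running frida-server (--gadget names the app to attach to)
objection --gadget <package.name> explore

# For non-rooted devices (app repackaged with the Frida gadget; attaches to the default gadget)
objection explore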
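The connection requirements and start command above can be checked in one pass before a session. This is an added example, not part of the original skill or of Objection itself: the function names are hypothetical, the sample output is constructed, and the `frida-ps -Uai` layout is assumed to be the usual PID / Name / Identifier table.

```shell
#!/bin/sh
# Added example: pre-flight checks for the connection requirements.
# Both parsers read stdin, so they also work on captured output.

# Serials of devices in the usable "device" state. "unauthorized" and
# "offline" entries and adb daemon banner lines are skipped.
adb_ready_serials() {
  awk 'NF == 2 && $2 == "device" { print $1 }'
}

# Search `frida-ps -Uai` output (assumed columns: PID, Name, Identifier).
# $1 = case-insensitive substring of the app name or identifier.
# Prints "<identifier> <pid>"; pid is "-" when the app is not running.
find_package() {
  awk -v q="$1" '
    $1 ~ /^([0-9]+|-)$/ && NF >= 3 {
      rest = $0
      sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest)   # drop the PID column
      if (index(tolower(rest), tolower(q))) print $NF, $1
    }'
}

# Run the checks against a live device and print the start command.
preflight() {
  serials=$(adb devices | adb_ready_serials)
  [ -n "$serials" ] || { echo "no authorized ADB device" >&2; return 1; }
  listing=$(frida-ps -Uai) || { echo "frida-server not reachable" >&2; return 1; }
  match=$(printf '%s\n' "$listing" | find_package "$1")
  [ -n "$match" ] || { echo "no installed app matches '$1'" >&2; return 1; }
  printf '%s\n' "$match" | while read -r id pid; do
    echo "objection --gadget $id explore   # pid: $pid"
  done
}

# Constructed sample output (not captured from a real device).
SAMPLE_ADB='List of devices attached
emulator-5554    device
R58M000000X      unauthorized'
SAMPLE_PS='  PID  Name          Identifier
-----  ------------  ------------------------
 4321  Demo Bank     com.example.demobank
    -  Demo Notes    com.example.demonotes'

if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

An "unauthorized" entry means the ADB debugging prompt on the device has not been accepted yet; a pid of "-" means the app is installed but not currently running.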

Common Workflows

1. Environment Exploration

Gather initial reconnaissance about the app environment:

# View environment variables (may contain passwords, paths)
env

# Get Frida information
frida

2. Security Control Bypass

Disable SSL Pinning

android sslpinning disable

Disable Root Detection

# Disable root detection
android root disable

# Simulate rooted environment (for testing)
android root simulate

3. App Structure Discovery

List Components

# List all activities
android hooking list activities

# List all services
android hooking list services

# List all receivers
android hooking list receivers

Get Current Activity

android hooking get current_activity

Search Classes

# Search for classes by package name
android hooking search classes <package.name>

# List all loaded classes (grows as app is used)
android hooking list classes

Search Methods

# Search methods in a specific class
android hooking search methods <package.name> <ClassName>

# List declared methods with parameters
android hooking list class_methods <package.name>.<ClassName>

4. Method Hooking

Watch a Single Method

android hooking watch class_method <package.name>.<Class>.<method> \
  --dump-args \
  --dump-backtrace \
  --dump-return

Watch an Entire Class

android hooking watch class <package.name>.<Class> \
  --dump-args \
  --dump-return

Warning: Hooking entire classes can crash the application. Use with caution.

Modify Return Values

To force a method to return a specific value:

# Example: Force checkPin() to always return true
# (set return_value applies to methods that return a boolean)
android hooking set return_value <package.name>.<Class>.checkPin true

5. Memory Operations

Dump Memory

# Dump all memory
memory dump all <local_destination>

# Dump specific range
memory dump from_base <base_address> <size_to_dump> <local_destination>

List Modules

memory list modules

Search and Write

# Search for patterns
memory search "<hex_pattern>" --string --offsets-only

# Write to memory
memory write "<address>" "<hex_pattern>" --string

6. Class Instances

# Print live instances of a class
android heap print_instances <fully.qualified.ClassName>

7. Keystore and Intents

# List keystore entries
android keystore list

# Launch activities/services
android intents launch_activity <activity_class>
android intents launch_service <service_class>

8. SQLite Database Access

sqlite
# Interactive SQLite shell

9. File Operations

# Download from device
file download <remote_path> [<local_path>]

# Upload to device
file upload <local_path> [<remote_path>]

10. Screenshots

# Take screenshot
android ui screenshot /tmp/screenshot

# Disable FLAG_SECURE (enables hardware screenshot)
android ui FLAG_SECURE false

11. Shell Commands

android shell_exec <command>

Import Frida Scripts

# Import custom Frida script
import <local_path_to_frida_script>

Exit

exit

Best Practices

  1. Static Analysis First: Use static analysis to identify targets before dynamic hooking
  2. Start Small: Hook individual methods before entire classes
  3. Watch for Crashes: Extensive hooking can destabilize the app
  4. Document Findings: Keep track of hooked methods and their behavior
  5. Use Scripts: For repetitive tasks, create custom Frida scripts

Limitations

  • Hooking methods can crash applications (Frida limitation)
  • Cannot call instance methods directly on discovered objects
  • Cannot create new class instances through Objection
  • No built-in crypto method hooking shortcuts
