Skip to main content

Overview

Objection wraps Frida into an interactive REPL with pre-built commands for the most common mobile pentesting tasks. No JavaScript needed for the bulk of day-to-day analysis, SSL unpinning, root bypass, file system exploration, and class enumeration are single commands. Built on top of Frida, Frida server must be running on the device first. Works on: Android · iOS

Install

pip install objection
Verify:
objection --version
Requires Frida server on device. See Frida setup.

Connect to App

Spawn app (start fresh):
objection -g com.example.app explore
Attach to running process:
objection -g "App Name" explore
Attach by PID:
objection -g <PID> explore

SSL Pinning Bypass

Single command, covers OkHttp, TrustManager, Cordova, Xamarin, and more:
android sslpinning disable
iOS:
ios sslpinning disable
Run on spawn to catch pinning during app startup:
objection -g com.example.app explore --startup-command "android sslpinning disable"

Root / Jailbreak Detection Bypass

Android:
android root disable
iOS:
ios jailbreak disable

Environment Info

env
Shows: data directory, external storage path, bundle/package details, architecture.

File System

ls                          # current directory
cd /data/data/com.example/
ls
filesystem download sensitive.db  # pull file to host
filesystem upload local.txt /sdcard/

Memory

List loaded modules:
memory list modules
List exports from a module:
memory list exports libart.so
Search memory for string:
memory search --string "password"
Dump memory region:
memory dump all mem.dmp

Java / Class Exploration (Android)

List all loaded classes:
android hooking list classes
Search classes by keyword:
android hooking search login --only-classes
List methods of a class:
android hooking list class_methods com.example.app.LoginActivity
Hook all methods of a class (log calls + args):
android hooking watch com.example.app.LoginActivity
Hook specific method:
android hooking watch com.example.app.LoginActivity!checkCredentials --dump-args --dump-return

Intent / Activity

List activities:
android hooking list activities
Start an exported activity:
android intent launch_activity com.example.app.AdminActivity

Shared Preferences

objection has no Android shared-preferences command. Read the XML files directly from the app’s data dir:
cd /data/data/com.example.app/shared_prefs/
ls
filesystem download prefs.xml

Keystore

List Android KeyStore entries:
android keystore list

iOS Extras

List all classes:
ios hooking list classes
Hook Objective-C method:
ios hooking watch "-[LoginViewController verifyCredentials:password:]" --dump-args --dump-return
Dump keychain:
ios keychain dump
Bypass biometric / TouchID:
ios ui biometrics_bypass
List URL schemes (read from Info.plist — objection has no urlscheme command):
ios plist cat Info.plist

Run Commands on Startup

Bypass SSL pinning before the app code runs:
objection -g com.example.app explore \
  --startup-command "android sslpinning disable" \
  --startup-command "android root disable"

Patch APK (no Frida server needed)

Objection can repackage an APK with Frida gadget embedded, useful on non-rooted devices:
# Patch APK
objection patchapk --source target.apk

# Install patched APK
adb install target.objection.apk

# Launch app — objection connects automatically
objection -g com.example.app explore
Patched APK must be signed. objection patchapk handles signing automatically if apksigner and keytool are in PATH.