> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Objection

> Runtime mobile exploration toolkit built on Frida: SSL pinning bypass, root detection bypass, memory exploration, and app analysis without recompiling.

## Overview

Objection wraps Frida into an interactive REPL with pre-built commands for the most common mobile pentesting tasks. No JavaScript needed for the bulk of day-to-day analysis, SSL unpinning, root bypass, file system exploration, and class enumeration are single commands.

Built on top of Frida, Frida server must be running on the device first.

Works on: Android · iOS

***

## Install

```bash theme={"dark"}
pip install objection
```

Verify:

```bash theme={"dark"}
objection --version
```

Requires Frida server on device. See [Frida setup](/mobile/tools/frida).

***

## Connect to App

Spawn app (start fresh):

```bash theme={"dark"}
objection -g com.example.app explore
```

Attach to running process:

```bash theme={"dark"}
objection -g "App Name" explore
```

Attach by PID:

```bash theme={"dark"}
objection -g <PID> explore
```

***

## SSL Pinning Bypass

Single command, covers OkHttp, TrustManager, Cordova, Xamarin, and more:

```
android sslpinning disable
```

iOS:

```
ios sslpinning disable
```

Run on spawn to catch pinning during app startup:

```bash theme={"dark"}
objection -g com.example.app explore --startup-command "android sslpinning disable"
```

***

## Root / Jailbreak Detection Bypass

Android:

```
android root disable
```

iOS:

```
ios jailbreak disable
```

***

## Environment Info

```
env
```

Shows: data directory, external storage path, bundle/package details, architecture.

***

## File System

```
ls                          # current directory
cd /data/data/com.example/
ls
filesystem download sensitive.db  # pull file to host
filesystem upload local.txt /sdcard/
```

***

## Memory

List loaded modules:

```
memory list modules
```

List exports from a module:

```
memory list exports libart.so
```

Search memory for string:

```
memory search --string "password"
```

Dump memory region:

```
memory dump all mem.dmp
```

***

## Java / Class Exploration (Android)

List all loaded classes:

```
android hooking list classes
```

Search classes by keyword:

```
android hooking search login --only-classes
```

List methods of a class:

```
android hooking list class_methods com.example.app.LoginActivity
```

Hook all methods of a class (log calls + args):

```
android hooking watch com.example.app.LoginActivity
```

Hook specific method:

```
android hooking watch com.example.app.LoginActivity!checkCredentials --dump-args --dump-return
```

***

## Intent / Activity

List activities:

```
android hooking list activities
```

Start an exported activity:

```
android intent launch_activity com.example.app.AdminActivity
```

***

## Shared Preferences

objection has no Android shared-preferences command. Read the XML files directly from the app's data dir:

```
cd /data/data/com.example.app/shared_prefs/
ls
filesystem download prefs.xml
```

***

## Keystore

List Android KeyStore entries:

```
android keystore list
```

***

## iOS Extras

List all classes:

```
ios hooking list classes
```

Hook Objective-C method:

```
ios hooking watch "-[LoginViewController verifyCredentials:password:]" --dump-args --dump-return
```

Dump keychain:

```
ios keychain dump
```

Bypass biometric / TouchID:

```
ios ui biometrics_bypass
```

List URL schemes (read from Info.plist — objection has no `urlscheme` command):

```
ios plist cat Info.plist
```

***

## Run Commands on Startup

Bypass SSL pinning before the app code runs:

```bash theme={"dark"}
objection -g com.example.app explore \
  --startup-command "android sslpinning disable" \
  --startup-command "android root disable"
```

***

## Patch APK (no Frida server needed)

Objection can repackage an APK with Frida gadget embedded, useful on non-rooted devices:

```bash theme={"dark"}
# Patch APK
objection patchapk --source target.apk

# Install patched APK
adb install target.objection.apk

# Launch app — objection connects automatically
objection -g com.example.app explore
```

<Note>
  Patched APK must be signed. `objection patchapk` handles signing automatically if `apksigner` and `keytool` are in PATH.
</Note>
