explaingit

sensepost/objection

Stars · 9,096 · Language · Python · Audience · developer · Complexity · 3/5 · License · GPL v3 · Setup · moderate

TLDR

A runtime security testing toolkit for iOS and Android apps that works without jailbreaking your device, letting you inspect network traffic, file storage, and memory of running apps.

Mindmap

mindmap
  root((objection))
    What it does
      Runtime inspection
      SSL bypass
      Keychain dump
      Memory exploration
    How it works
      Built on Frida
      No jailbreak needed
      Code injection
    Use cases
      Penetration testing
      App security review
      File storage audit
    Setup
      pip install
      Frida required
      iOS or Android device


Things people build with this

USE CASE 1

Intercept and inspect encrypted HTTPS traffic from a mobile app during a security assessment.

USE CASE 2

Dump saved credentials from an iOS app's Keychain without jailbreaking the device.

USE CASE 3

Browse and extract files from an Android app's private storage at runtime.

USE CASE 4

Inspect live objects in an app's memory to find sensitive data exposures.

Tech stack

Python · Frida

Getting it running

Difficulty · moderate · Time to first run · 30 min

Requires Frida on your computer (the pip install pulls in the frida Python bindings) plus a way to get Frida into the target app. On a rooted or jailbroken device that is the frida-server binary running on the device. On a stock device there is no server to run: objection instead repackages the app with the Frida Gadget (objection patchapk for Android, objection patchipa for iOS, the latter needing a code-signing identity), so the instrumentation library is loaded by the app itself.

Free to use and share, but any software you distribute that includes this code must also be open-source under the same GPL v3 terms.
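The two setup paths above, as an added example that is not objection's own code: a small Python driver that composes the objection command lines for a stock device (patch, install, attach to the embedded Gadget) and for a rooted or jailbroken one (attach by package or bundle id via frida-server). The objection subcommands and flags used (patchapk --source / --network-security-config, patchipa --source --codesign-signature, explore --startup-command, run) and the startup commands (android sslpinning disable, android root disable, ios sslpinning disable, ios jailbreak disable) are real; the package names, app.apk / App.ipa and the bundle id com.example.bank are placeholders, and execute() only runs anything when dry_run is switched off.

```python
"""Compose objection's command lines for the stock-device (Frida Gadget)
and frida-server workflows. Added example, not objection's own code."""
import shlex
import subprocess
from pathlib import Path

# Commands worth running before touching the app: defeat certificate pinning so an
# intercepting proxy's certificate is accepted, and the app's own tamper checks.
DEFAULT_STARTUP = {
    "android": ["android sslpinning disable", "android root disable"],
    "ios": ["ios sslpinning disable", "ios jailbreak disable"],
}


def patch_command(package_path, codesign_identity=None, trust_user_cas=True):
    """argv that repackages an .apk or .ipa with the Frida Gadget (stock device)."""
    path = Path(package_path)
    suffix = path.suffix.lower()
    if suffix == ".apk":
        cmd = ["objection", "patchapk", "--source", str(path)]
        if trust_user_cas:
            # Android 7+ ignores user-added CAs unless the app opts in; this adds a
            # network_security_config.xml so the proxy CA installed on the device is trusted.
            cmd.append("--network-security-config")
        return cmd
    if suffix == ".ipa":
        if not codesign_identity:
            raise ValueError("patchipa needs a codesigning identity (--codesign-signature)")
        return ["objection", "patchipa", "--source", str(path),
                "--codesign-signature", codesign_identity]
    raise ValueError(f"unsupported package type: {path.name}")


def explore_command(platform, gadget=None, startup=None):
    """argv that opens the objection REPL.
    gadget=None -> attach to the Frida Gadget embedded in a repackaged app
    gadget=<id> -> attach by package/bundle id through frida-server (rooted/jailbroken)"""
    if platform not in DEFAULT_STARTUP:
        raise ValueError(f"platform must be android or ios, got {platform!r}")
    cmd = ["objection"]
    if gadget:
        cmd += ["--gadget", gadget]
    cmd.append("explore")
    for c in (DEFAULT_STARTUP[platform] if startup is None else startup):
        cmd += ["--startup-command", c]
    return cmd


def run_command(command, gadget=None):
    """argv for a single objection command without the REPL, e.g. a keychain dump."""
    cmd = ["objection"]
    if gadget:
        cmd += ["--gadget", gadget]
    return cmd + ["run", command]


def execute(argv, dry_run=True):
    """Safe by default: return the shell form of the command instead of running it."""
    if dry_run:
        return shlex.join(argv)
    return subprocess.run(argv, check=True).returncode


if __name__ == "__main__":
    # Stock Android device: patch, install the patched build, attach to the Gadget.
    for argv in (patch_command("app.apk"),
                 ["adb", "install", "app.objection.apk"],  # objection's default output name
                 explore_command("android")):
        print(execute(argv))
    # Jailbroken iPhone running frida-server: attach by bundle id, dump the keychain to JSON.
    print(execute(run_command("ios keychain dump --json keychain.json",
                              gadget="com.example.bank")))
```

Start the patched app on the device before running explore; the Gadget blocks the app until something attaches, which is why objection's default gadget name is used when no package id is given.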

In plain English

objection is a security testing toolkit for mobile apps on iOS and Android. It is built for people who need to examine how a mobile application behaves at runtime, meaning while it is actually running on a device, rather than just reading its code. The notable aspect is that you do not need to jailbreak an iPhone or root an Android device to use it. The toolkit runs on top of Frida, which injects code into a running process and lets you observe or change its behaviour. On a jailbroken or rooted device objection attaches through frida-server; on a stock device it repackages the app with the Frida Gadget so that the injected code ships inside the app itself.

Through objection you can browse and interact with the app's private file storage, disable SSL/TLS certificate pinning checks so that an intercepting proxy's certificate is accepted (a common technique for inspecting encrypted network traffic during security assessments), dump saved credentials from the iOS Keychain, and inspect objects that are currently alive in the app's memory. Other capabilities listed include patching memory, exploring the heap (the area of memory where the app stores objects while running), and a range of additional features documented in the project wiki.

The tool is aimed at security professionals doing mobile penetration testing, though it can also be used by developers who want to understand what their app exposes at runtime. Installation is a single pip command. The project is licensed under the GNU General Public License version 3. The README is short and points to the project wiki for full feature documentation and screenshots.
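Dumping the Keychain (use case 2 above) yields a list of items, and the finding is rarely "an item exists" but "this secret is stored under a weak accessibility class". The triage below is an added example, not objection's or the project's code: it reads a JSON dump of the shape objection's ios keychain dump --json produces, with the field names service, account, accessible_attribute and data assumed from that format (check them against your own dump), flags values that look like secrets, and ranks them by Apple's kSecAttrAccessible* class. The input is a constructed sample, not a real device dump.

```python
"""Triage a JSON keychain dump by accessibility class. Added example,
not objection's own code; field names are an assumption about its --json output."""
import json
import re

# Apple's kSecAttrAccessible* classes, most exposed first. The strings are assumed to
# match what objection writes into accessible_attribute (verify on a real dump).
ALWAYS = {"kSecAttrAccessibleAlways", "kSecAttrAccessibleAlwaysThisDeviceOnly"}
AFTER_FIRST_UNLOCK = {"kSecAttrAccessibleAfterFirstUnlock",
                      "kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly"}

# Value shapes that usually mean a secret; order matters (hex is also valid base64).
SECRET_PATTERNS = [
    (re.compile(r"^eyJ[\w-]+\.[\w-]+\.[\w-]*$"), "JWT"),
    (re.compile(r"^[0-9a-fA-F]{32,}$"), "hex key/token"),
    (re.compile(r"^(?:[A-Za-z0-9+/]{4}){8,}={0,2}$"), "base64 blob"),
]
NAME_HINTS = ("password", "passwd", "secret", "token", "session", "login", "pin")

# Constructed sample in the assumed field layout; not a real dump.
SAMPLE_DUMP = json.dumps([
    {"item_class": "kSecClassGenericPassword", "service": "com.example.bank",
     "account": "session", "accessible_attribute": "kSecAttrAccessibleAlways",
     "data": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl"},
    {"item_class": "kSecClassGenericPassword", "service": "com.example.bank.login",
     "account": "alice", "accessible_attribute": "kSecAttrAccessibleAfterFirstUnlock",
     "data": "hunter2"},
    {"item_class": "kSecClassGenericPassword", "service": "com.example.bank",
     "account": "device_id",
     "accessible_attribute": "kSecAttrAccessibleWhenUnlockedThisDeviceOnly",
     "data": "3f2a9c0d4b1e8a7f6c5d4e3f2a1b0c9d"},
    {"item_class": "kSecClassGenericPassword", "service": "com.example.bank",
     "account": "theme", "accessible_attribute": "kSecAttrAccessibleWhenUnlocked",
     "data": "dark"},
])


def classify_value(item):
    """Why this item looks sensitive, or None if it does not."""
    data = item.get("data") or ""
    for pattern, label in SECRET_PATTERNS:
        if pattern.match(data):
            return label
    name = f"{item.get('service', '')} {item.get('account', '')}".lower()
    if any(hint in name for hint in NAME_HINTS):
        return "credential-like name"
    return None


def severity(accessible):
    """How exposed the stored value is, judged from its accessibility class alone."""
    if accessible in ALWAYS:
        return "high"      # readable while the device is locked; deprecated class
    if accessible in AFTER_FIRST_UNLOCK:
        return "medium"    # readable in the background after the first unlock
    return "info"          # WhenUnlocked / WhenPasscodeSet: the intended classes


def triage(dump_text):
    """Return the sensitive-looking items, most exposed first."""
    findings = []
    for item in json.loads(dump_text):
        reason = classify_value(item)
        if reason is None:
            continue
        accessible = item.get("accessible_attribute", "")
        notes = [reason]
        if not accessible.endswith("ThisDeviceOnly"):
            notes.append("migrates with backups (no ThisDeviceOnly variant)")
        findings.append({
            "severity": severity(accessible),
            "service": item.get("service", ""),
            "account": item.get("account", ""),
            "accessible": accessible,
            "notes": notes,
        })
    rank = {"high": 0, "medium": 1, "info": 2}
    findings.sort(key=lambda f: rank[f["severity"]])
    return findings


if __name__ == "__main__":
    # Real use: objection -g <bundle id> run "ios keychain dump --json keychain.json",
    # then pass open("keychain.json").read() here instead of the constructed sample.
    for f in triage(SAMPLE_DUMP):
        print(f"[{f['severity']:6}] {f['service']}/{f['account']} "
              f"{f['accessible']}: {'; '.join(f['notes'])}")
```

The ranking is driven by the accessibility class rather than by the value, because that is what the app controls: a session token stored under kSecAttrAccessibleAlways is the finding, a hex device id under WhenUnlockedThisDeviceOnly is only worth a line in the notes.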

Copy-paste prompts

Prompt 1
I'm using objection to test an iOS app. Show me how to attach to a running process and bypass SSL certificate pinning so I can see its HTTPS traffic.
Prompt 2
Using objection on Android, how do I list and download files from an app's private data directory without rooting the device?
Prompt 3
I want to dump all credentials stored in an iOS app's Keychain using objection. Write the commands I need.
Prompt 4
How do I use objection to explore live Objective-C objects in memory on a running iOS app?


Verify against the repo before relying on details.