
objection

Python ★ 9.2k updated 19d ago

📱 objection - runtime mobile exploration

A runtime security testing toolkit for iOS and Android apps that works without jailbreaking your device, letting you inspect network traffic, file storage, and memory of running apps.

Python · Frida · setup: moderate · complexity 3/5

objection is a security testing toolkit for mobile apps on iOS and Android. It is built for people who need to examine how a mobile application behaves at runtime, that is, while it is actually running on a device, rather than only reading its code. Its notable selling point is that you do not need a jailbroken iPhone or a rooted Android device: on a stock device, objection repackages the target app with the Frida gadget (its patchapk and patchipa commands) so that the instrumentation library is loaded by the app's own process. A rooted or jailbroken device running frida-server also works and skips the repackaging step.
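As an added example (not objection's own code and not taken from the page), the following Python sketch shows what the Android repackaging step has to do for the "no root needed" path to work: the launch activity's smali constructor is rewritten to call System.loadLibrary("frida-gadget") so the gadget starts with the app, and the INTERNET permission the gadget needs for its listening socket is added to the manifest. The sample smali and manifest are constructed, the function names are hypothetical, only a public no-arg constructor is handled, and decoding/rebuilding with apktool, copying libfrida-gadget.so into lib/<abi>/ and re-signing are left out.

```python
"""Added illustration of the repackaging step behind objection's
"no jailbreak or root needed" claim.  On a stock Android device the
Frida gadget must be loaded by the app itself, so a patcher rewrites the
launch activity's smali to call System.loadLibrary("frida-gadget") and
adds the INTERNET permission the gadget needs to accept a client.  This
is a simplified re-implementation of the idea, not objection's code;
apktool decode/rebuild, copying libfrida-gadget.so into lib/<abi>/ and
re-signing the APK are out of scope."""
import re

INTERNET = "android.permission.INTERNET"

# Constructed sample smali for a hypothetical launch activity.
SAMPLE_SMALI = """\
.class public Lcom/example/app/MainActivity;
.super Landroidx/appcompat/app/AppCompatActivity;

# direct methods
.method public constructor <init>()V
    .locals 0

    invoke-direct {p0}, Landroidx/appcompat/app/AppCompatActivity;-><init>()V

    return-void
.end method

# virtual methods
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 0

    invoke-super {p0, p1}, Landroidx/appcompat/app/AppCompatActivity;->onCreate(Landroid/os/Bundle;)V

    return-void
.end method
"""

# Constructed sample manifest for the same hypothetical app.
SAMPLE_MANIFEST = """\
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <application android:label="Example">
        <activity android:name=".MainActivity" android:exported="true"/>
    </application>
</manifest>
"""

CTOR_RE = re.compile(r"(\.method public constructor <init>\(\)V\n)(.*?)(\n\.end method)", re.S)
LOCALS_RE = re.compile(r"^([ \t]*)\.locals (\d+)[ \t]*$", re.M)
SUPER_INIT_RE = re.compile(r"^[ \t]*invoke-direct \{p0\}, L[^;]+;-><init>\(\)V[ \t]*$", re.M)


def inject_gadget_loader(smali: str, library: str = "frida-gadget") -> str:
    """Insert System.loadLibrary(library) into the class's public no-arg
    constructor, right after the super <init> call.  Idempotent."""
    m = CTOR_RE.search(smali)
    if m is None:
        raise ValueError("no public no-arg constructor found in smali")
    head, body, tail = m.group(1), m.group(2), m.group(3)
    if f'const-string v0, "{library}"' in body:
        return smali

    # const-string needs a local register. With ".locals 0" there is none
    # (p0 aliases v0), so bump it to 1; existing code refers to p0 by name,
    # which the assembler remaps, so nothing else changes.
    lm = LOCALS_RE.search(body)
    if lm is None:
        raise ValueError("constructor has no .locals directive")
    if int(lm.group(2)) < 1:
        body = body[:lm.start()] + f"{lm.group(1)}.locals 1" + body[lm.end():]

    load = (
        f'\n\n    const-string v0, "{library}"'
        "\n    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V"
    )
    sm = SUPER_INIT_RE.search(body)
    # Load after super.<init>() so the object is fully constructed first;
    # fall back to right after .locals if the call is not found.
    at = sm.end() if sm else LOCALS_RE.search(body).end()
    body = body[:at] + load + body[at:]
    return smali[:m.start()] + head + body + tail + smali[m.end():]


def ensure_internet_permission(manifest: str) -> str:
    """The gadget listens on a TCP port for the objection client, which
    needs INTERNET; add the <uses-permission> if the app lacks it."""
    if f'android:name="{INTERNET}"' in manifest:
        return manifest
    idx = manifest.find("<application")
    if idx == -1:
        raise ValueError("manifest has no <application> element")
    line_start = manifest.rfind("\n", 0, idx) + 1
    perm = f'    <uses-permission android:name="{INTERNET}"/>\n'
    return manifest[:line_start] + perm + manifest[line_start:]


if __name__ == "__main__":
    print(inject_gadget_loader(SAMPLE_SMALI))
    print(ensure_internet_permission(SAMPLE_MANIFEST))
```

On a real APK the class to patch is the launchable activity resolved from the manifest's MAIN/LAUNCHER intent filter, and the rebuilt APK must be re-signed (a debug key is enough) before it will install; objection's patchapk wraps that whole flow, and patchipa does the equivalent for iOS by adding the gadget dylib and re-signing the bundle.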

The toolkit runs on top of Frida, a dynamic instrumentation framework that injects a JavaScript agent into a running process so you can observe or change its behavior. Through objection you can browse and interact with the app's private file storage, disable SSL pinning (so an intercepting proxy can read the app's TLS traffic during an assessment; the built-in bypass targets common TLS stacks, and custom pinning logic still needs a hand-written Frida hook), dump saved credentials from the iOS Keychain, and inspect objects that are currently alive in the app's memory.

Other capabilities listed include patching memory, exploring the heap (the area of memory where the app stores objects while running), and a range of additional features documented in the project wiki. The tool is aimed at security professionals doing mobile penetration testing, though it can also be used by developers who want to understand what their app exposes at runtime.

Installation is a single pip command. The project is licensed under the GNU General Public License version 3. The README is short and points to the project wiki for full feature documentation and screenshots.

Where it fits