Full Report
Introduction

In this post, I want to introduce you to a toolkit that I have been working on, called objection. The name is a play on the words “object” and “injection”. objection is a runtime exploration toolkit powered by Frida, aimed at mobile platforms. iOS only for now, objection aims to allow you to perform various security-related tasks on unencrypted iOS applications, at runtime, on non-jailbroken iOS devices. Features include inspecting the application-specific keychain, as well as inspecting various artifacts left on disk during (or after) execution.
Analysis Summary
# Tool/Technique: objection
## Overview
objection is a runtime exploration toolkit, powered by Frida, designed for mobile platforms, specifically targeting iOS applications for security assessment purposes. Its primary goal is to enable security analysis tasks on unencrypted iOS applications at runtime, even on non-jailbroken devices, operating within the application's sandbox constraints.
## Technical Details
- Type: Tool
- Platform: iOS (Mobile)
- Capabilities: Runtime exploration, filesystem interaction, SSL pinning bypass, keychain inspection, SQLite manipulation, environment simulation.
- First Seen: July 11, 2017
## MITRE ATT&CK Mapping
objection focuses on post-exploitation and analysis phases, primarily related to discovering application structure and sensitive data on the endpoint.
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information: While not directly obfuscating artifacts, techniques like SSL pinning bypass can be seen as evading standard security controls.
- **TA0009 - Collection**
  - T1533 - Data from Local System: Inspecting keychain, filesystem artifacts, and shared preferences.
- **TA0011 - Command and Control**
  - T1090 - Proxy: While not a primary feature, runtime injection can enable session hijacking or redirection (context dependent).

*Note: specific T-codes are applied based on the actions the tool enables on the target, such as viewing data (Collection) or modifying runtime behavior (Defense Evasion).*
## Functionality
### Core Capabilities
- **Runtime Injection:** Utilizes Frida to inject objects into a patched application's runtime and execute code within its security context.
- **Filesystem Interaction:** Allows browsing the filesystem from the application's perspective, including downloading and uploading files where write access is granted (e.g., Documents directory).
- **Data Dumping:** Can dump shared storage artifacts, including `NSUserDefaults`, `NSHTTPCookieStorage`, and `.plist` files in a human-readable format.
- **SQLite Manipulation:** Provides an inline editor for connecting to and querying SQLite databases found on the device (e.g., within the Documents directory).
### Advanced Features
- **SSL Pinning Bypass:** Implements methods similar to SSL Kill Switch 2 to hook common certificate validation methods and disable SSL certificate pinning.
- **Keychain Inspection:** Allows the dumping of the application-specific iOS keychain.
- **Dynamic Hooking:** Enables dynamically hooking and watching for method invocations of specific Objective-C classes and methods, optionally dumping method arguments.
- **Environment Simulation:** Capability to simulate a jailbroken environment to test application behavior when elevated privileges are present.
- **Process Exploration:** Ability to dump the current process memory and explore loaded modules and module exports.
- **Touch ID Bypass:** Includes functionality to perform iOS Touch ID bypasses.
## Indicators of Compromise
Because objection is a runtime analysis tool that relies on Frida injection rather than persistent malware, it does not by itself produce traditional IOCs such as file hashes or C2 servers unless it is used for sustained, persistent activity. The indicators relate to the *activity* it performs:
- File Hashes: N/A (Tool, not malware)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (Unless used to facilitate subsequent C2 activities)
- Behavioral Indicators:
  - Injection of Frida-based dynamic instrumentation code into running application processes.
  - Abnormal file access behavior outside standard application sandbox pathways (if escalated).
  - Attempts to hook sensitive system APIs (e.g., SSL validation methods).
  - Dumping of application-specific keychain data.
## Associated Threat Actors
The article does not associate objection with specific threat actor groups; it is presented as a security research and assessment toolkit developed by SensePost.
## Detection Methods
Detection focuses on identifying the use of Frida or the characteristic behavioral changes objection induces:
- **Signature-based detection:** Signatures for the Frida injection agent deployed within the application memory space.
- **Behavioral detection:** Monitoring for runtime modification attempts or unexpected external connections/data exfiltration originating from an application process (especially on non-jailbroken devices).
- **YARA rules if available:** (None specified in the source document)
## Mitigation Strategies
Mitigation focuses on hardening the application against runtime tampering and data extraction:
- **Prevention Measures:** Implementing robust code hardening and anti-tampering mechanisms.
- **Hardening Recommendations:**
  - Implement strong certificate pinning that is resilient against common bypass techniques (e.g., reviewing the pinning implementation against known hook points).
  - Employ jailbreak/root detection mechanisms.
  - Encrypt sensitive data stored on disk (keychain, user defaults, SQLite databases) using strong, verifiable encryption keys tied to the device hardware where possible.
  - Utilize application shielding techniques to detect dynamic code injection (Frida hooks).
## Related Tools/Techniques
- Frida (underlying technology for runtime instrumentation)
- SSL Kill Switch 2 (methods reimplemented for SSL pinning bypass)
- class-dump (similar functionality for exploring Objective-C class structure)