
Analyzing iOS App Security with Objection

When to Use

Use this skill when:
  • Performing runtime security assessment of iOS applications during authorized penetration tests
  • Inspecting iOS keychain, filesystem, and memory for sensitive data exposure
  • Bypassing client-side security controls (SSL pinning, jailbreak detection) during security testing
  • Evaluating iOS app behavior at runtime without access to source code
Do not use this skill on production devices without explicit authorization -- Objection modifies app runtime behavior and may trigger security monitoring.

Prerequisites

  • Python 3.10+ with pip
  • Objection installed: `pip install objection`
  • Frida installed: `pip install frida-tools`
  • Target iOS device (jailbroken with Frida server, or non-jailbroken with repackaged IPA)
  • For non-jailbroken devices: `objection patchipa` to inject the Frida gadget into the IPA
  • macOS recommended for iOS testing (Xcode, ideviceinstaller)
  • USB connection to target device or network Frida server

Workflow

Step 1: Prepare the Testing Environment

**For jailbroken devices:**
```bash
# Install Frida server on the device via Cydia/Sileo

# SSH to the device and start Frida server
ssh root@<device_ip> "/usr/sbin/frida-server -D"

# Verify Frida connectivity
frida-ps -U   # List processes on the USB-connected device
```

**For non-jailbroken devices (authorized testing):**
```bash
# Patch the IPA with the Frida gadget
objection patchipa --source target.ipa --codesign-signature "Apple Development: test@example.com"

# Install the patched IPA
ideviceinstaller -i target-patched.ipa
```

Step 2: Attach Objection to Target App

```bash
# Attach to the running app by bundle ID
objection --gadget "com.target.app" explore

# Or spawn the app fresh, running a command as soon as the REPL is up
objection --gadget "com.target.app" explore --startup-command "ios hooking list classes"
```

Once attached, Objection provides an interactive REPL for runtime exploration.

Step 3: Assess Data Storage Security (MASVS-STORAGE)

```bash
# Dump iOS Keychain items accessible to the app
ios keychain dump

# Show the app's environment (sandbox directory paths) and read its Info.plist
env
ios plist cat Info.plist

# Inspect NSUserDefaults for sensitive data
ios nsuserdefaults get

# Connect to an app SQLite database and query it
sqlite connect app_data.db
sqlite execute query "SELECT * FROM credentials"

# Check for sensitive data in the pasteboard
ios pasteboard monitor
```

Step 4: Evaluate Network Security (MASVS-NETWORK)

```bash
# Disable SSL/TLS certificate pinning
ios sslpinning disable
# Verify pinning is bypassed by observing traffic in the Burp Suite proxy

# Monitor network-related class method calls
ios hooking watch class NSURLSession
ios hooking watch class NSURLConnection
```

Step 5: Inspect Authentication and Authorization (MASVS-AUTH)

```bash
# List all Objective-C classes
ios hooking list classes

# Search for authentication-related classes
ios hooking search classes Auth
ios hooking search classes Login
ios hooking search classes Token

# Hook authentication methods to observe parameters and return values
ios hooking watch method "+[AuthManager validateToken:]" --dump-args --dump-return

# Monitor biometric authentication calls
ios hooking watch class LAContext
```

Step 6: Assess Binary Protections (MASVS-RESILIENCE)

```bash
# Check the jailbreak detection implementation by disabling it
ios jailbreak disable

# Simulate a jailbroken environment to exercise the detection code
ios jailbreak simulate

# List loaded frameworks and libraries
memory list modules

# Search memory for sensitive strings
memory search "password" --string
memory search "api_key" --string
memory search "Bearer" --string

# Dump memory regions (here: all readable regions)
memory dump all dump_output/
```

Step 7: Review Platform Interaction (MASVS-PLATFORM)

```bash
# List binary info and bundled frameworks (URL schemes registered by the app)
ios info binary
ios bundles list_frameworks

# Hook URL scheme handlers
ios hooking watch method "-[AppDelegate application:openURL:options:]" --dump-args

# Monitor clipboard access
ios pasteboard monitor

# Check for custom keyboard restrictions
ios hooking search classes UITextField
```
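As an added example (not Objection's own code or the author's), this POSIX shell helper ties the seven steps into a repeatable, recorded run: it maps each MASVS category to the Objection commands used above, builds the `objection explore` invocation, and tees the REPL transcript into a timestamped evidence file, since Objection changes are runtime-only and findings must be captured immediately. It assumes that `--startup-command` may be given more than once and that the `evidence/` directory name is ours.

```shell
#!/bin/sh
# Added helper (not part of Objection): assessment runner with evidence capture.
set -eu

# Print the Objection commands for one MASVS category, one per line.
masvs_commands() {
  case "$1" in
    STORAGE)    printf '%s\n' "ios keychain dump" "ios nsuserdefaults get" "env" ;;
    NETWORK)    printf '%s\n' "ios sslpinning disable" \
                  "ios hooking watch class NSURLSession" ;;
    AUTH)       printf '%s\n' "ios hooking search classes Auth" \
                  "ios hooking search classes Token" "ios hooking watch class LAContext" ;;
    RESILIENCE) printf '%s\n' "memory list modules" 'memory search "Bearer" --string' ;;
    PLATFORM)   printf '%s\n' "ios info binary" "ios bundles list_frameworks" ;;
    *) echo "unknown MASVS category: $1" >&2; return 1 ;;
  esac
}

# Build the objection argv for a bundle ID and category, one argument per line.
# Assumption: --startup-command may be repeated, one occurrence per command.
objection_argv() {
  bundle=$1; category=$2
  masvs_commands "$category" >/dev/null || return 1
  set -- objection --gadget "$bundle" explore
  while IFS= read -r cmd; do
    set -- "$@" --startup-command "$cmd"
  done <<EOF
$(masvs_commands "$category")
EOF
  printf '%s\n' "$@"
}

# Run the assessment and tee the transcript into an evidence file named after
# the bundle, category and UTC timestamp (directory defaults to ./evidence).
run_assessment() {
  bundle=$1; category=$2; outdir=${3:-evidence}
  mkdir -p "$outdir"
  log="$outdir/${bundle}_${category}_$(date -u +%Y%m%dT%H%M%SZ).log"
  objection_argv "$bundle" "$category" > "$log.argv"   # record exactly what was run
  set --                                                # rebuild argv, one line per argument
  while IFS= read -r arg; do set -- "$@" "$arg"; done < "$log.argv"
  "$@" 2>&1 | tee "$log"
}
```

Invoke as `run_assessment com.target.app STORAGE` once the device is reachable; the `.argv` file beside each log records the exact command line for the report.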

Key Concepts

| Term | Definition |
| --- | --- |
| Objection | Runtime mobile exploration toolkit built on Frida that provides pre-built scripts for common security testing tasks |
| Frida Gadget | Shared library injected into the app process to enable Frida instrumentation without a jailbreak |
| Keychain | iOS secure credential storage system; Objection can dump items accessible to the target app's keychain access group |
| SSL Pinning Bypass | Runtime modification of certificate validation logic to allow proxy interception of HTTPS traffic |
| Method Hooking | Intercepting Objective-C/Swift method calls at runtime to observe arguments and return values, and to modify behavior |

Tools & Systems

  • Objection: High-level Frida-powered mobile security exploration toolkit with pre-built commands
  • Frida: Dynamic instrumentation framework providing JavaScript injection into native app processes
  • Frida-tools: CLI utilities for Frida including frida-ps, frida-trace, and frida-discover
  • ideviceinstaller: Cross-platform tool for installing/managing iOS apps via USB
  • Burp Suite: HTTP proxy for intercepting traffic after SSL pinning bypass

Common Pitfalls

  • App crashes on attach: Some apps implement Frida detection. Use `--startup-command` to hook anti-Frida checks early in the app lifecycle.
  • Keychain access scope: Objection can only dump keychain items within the app's access group. System keychain items require separate jailbreak-level tools.
  • Swift name mangling: Swift method names are mangled in the runtime. Use `ios hooking list classes` with grep to find demangled names.
  • Non-persistent changes: All Objection modifications are runtime-only and reset on app restart. Document findings immediately.