Full Report
In this post I want to share two things. First, a quick primer on how you would go about navigating the source code when contributing to objection, and secondly an application specific proxy feature I added to it.
Introduction
While on holiday I wanted to look into a certain mobile application that dealt with medical information. I was mostly interested in the data that was sent and received by the application so this meant proxying the traffic into Burp. I did not have a test device with me, so I had to use my personal device. This being my personal device meant that once I had the proxy set, certain applications would cease to function normally (especially those with SSL pinning) as Burp was in the middle.
Analysis Summary
# Tool/Technique: Objection (with Application-Specific Proxy Implementation)
## Overview
This summary details the capabilities of the **objection** framework, focusing on the process of contributing to its source code and the implementation of a new feature: **application-specific proxy settings** on Android. Objection is a runtime mobile exploration toolkit that utilizes Frida for dynamic instrumentation. This feature lets security researchers proxy traffic for only the targeted mobile application while leaving other applications untouched, avoiding the problem of a device-wide proxy breaking other apps (especially those that use SSL pinning).
## Technical Details
- Type: Tool (Framework Extension/Feature)
- Platform: Android (primarily discussed for the proxy feature, but Objection supports iOS as well)
- Capabilities: Runtime code injection, dynamic instrumentation via Frida, command-line interface (CLI)/REPL, agent communication, and application-specific network proxy configuration.
- First Seen: The application-specific proxy feature was added in Objection version 1.10.0 (the post announcing it was published January 29, 2021).
## MITRE ATT&CK Mapping
The core functionality of Objection and the addition of tooling capabilities map generally to discovery and defense evasion techniques in mobile contexts.
- **TA0005 - Defense Evasion**
- **T1421 - Traffic Manipulation** (Relevant to proxying and intercepting traffic)
- **TA0004 - Privilege Escalation** (Objection is often used to escalate privileges through hooking/modification)
- **TA0011 - Command and Control** (The ability to intercept and inspect traffic is a precursor to C2 interaction analysis)
## Functionality
### Core Capabilities (Objection Framework)
- **Runtime Manipulation:** Uses a Frida agent injected into a running application process to execute arbitrary instrumentation code (written in TypeScript/JavaScript).
- **CLI/REPL Interaction:** Provides a user interface to interact with the injected agent commands.
- **Code Glue/Architecture:** Involves mapping Python CLI commands to compiled TypeScript/ES6 agent functions using Python's `__getattr__` magic method to translate snake_case CLI calls to camelCase agent exports.
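As an added illustration (not objection's own code), here is a minimal version of the dispatch pattern described above: a Python object whose `__getattr__` turns a snake_case attribute access into a lookup of the matching camelCase agent export. The export table and the function bodies behind it are constructed stand-ins, not the real agent's RPC exports.

```python
def snake_to_camel(name: str) -> str:
    """Translate a snake_case CLI name into the camelCase export name.

    'android_proxy_set' -> 'androidProxySet'
    """
    head, *rest = name.split("_")
    return head + "".join(part.capitalize() for part in rest)


class AgentExports:
    """Thin wrapper that maps snake_case attribute access onto camelCase exports."""

    def __init__(self, exports: dict):
        # Normal attribute set; __getattr__ is only consulted for names
        # that fail regular lookup, so this does not recurse.
        self._exports = exports

    def __getattr__(self, name: str):
        # Never try to resolve private/dunder names against the agent.
        if name.startswith("_"):
            raise AttributeError(name)
        camel = snake_to_camel(name)
        try:
            return self._exports[camel]
        except KeyError:
            raise AttributeError(
                f"agent has no export {camel!r} (requested as {name!r})"
            ) from None


# Constructed stand-in exports (hypothetical; the real agent exposes RPC
# functions compiled from TypeScript). They only echo their arguments back.
def _android_proxy_set(host: str, port: str) -> dict:
    return {"host": host, "port": int(port)}


def _android_ssl_pinning_disable() -> str:
    return "pinning hooks installed"


FAKE_EXPORTS = {
    "androidProxySet": _android_proxy_set,
    "androidSslPinningDisable": _android_ssl_pinning_disable,
}

agent = AgentExports(FAKE_EXPORTS)


def set_proxy_via_cli_name(host: str, port: str) -> dict:
    """Mimics the CLI side: snake_case call resolved to the camelCase export."""
    return agent.android_proxy_set(host, port)
```

An unknown command such as `agent.no_such_command` raises `AttributeError` naming the camelCase export it looked for, which is the same failure a mistyped CLI command would surface.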
### Advanced Features (Application Specific Proxy)
- **Application Isolation:** Configures network proxy settings programmatically within the target Java application using Frida, ensuring only that application's traffic is routed through the proxy (e.g., Burp Suite).
- **Bypass SSL Pinning:** The surrounding context implies that SSL pinning can be handled or bypassed; the difficulty of proxying a single application's traffic without breaking other pinned apps is what motivated this feature (the `android sslpinning disable` command is referenced).
- **Dynamic Configuration:** Proxy settings can be set dynamically during runtime, requiring correct timing, typically before network initialization frameworks like OkHTTP are started.
## Indicators of Compromise
Since the context describes the addition of a security *tool feature* rather than malware, traditional IOCs are not applicable. The indicators relate to the *use* of the tool:
- File Hashes: N/A (Tool usage)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Network traffic attempting to route through researcher-controlled proxy servers (e.g., Burp Suite instances) originating only from the target application process.
- Behavioral Indicators: Execution of the `objection` CLI tool, injection of the Frida agent into a mobile application process, and utilization of the `android proxy set <ip:port>` command.
## Associated Threat Actors
Objection is a publicly available, widely used tool. It is utilized across the spectrum:
- **Security Researchers/Pentesters:** For authorized testing and analysis of mobile applications.
- **Malicious Actors (Potentially):** As a powerful runtime analysis tool, its capabilities could be leveraged by threat actors during the exploitation or post-compromise phases of mobile attacks, potentially to inspect application data flows or inject unauthorized commands if access is gained.
## Detection Methods
Detection focuses on identifying the runtime injection and activity of Objection/Frida.
- **Signature-based detection:** Detecting the signature of the Objection Frida agent script when it is injected or operating within the application memory space.
- **Behavioral detection:** Monitoring for unexpected calls to system APIs related to network configuration and hooking/instrumentation frameworks (Frida/Objection runtime instrumentation patterns).
- **YARA rules:** Could be written to detect patterns associated with actively injected Frida code or the loading of the compiled Objection agent bytecode.
## Mitigation Strategies
Mitigation focuses on hardening the application against runtime manipulation and instrumentation.
- **Prevention measures:** Implementing strong integrity checks to detect unauthorized runtime modification.
- **Hardening recommendations:** Employing robust anti-tampering and anti-debugging techniques to detect the presence of instrumentation tools like Frida or Objection (e.g., hooking detection, certificate pinning validation that resists direct hooking).
## Related Tools/Techniques
- **Objection:** The primary framework discussed.
- **Frida:** The underlying dynamic instrumentation toolkit upon which Objection is built.
- **Burp Suite:** The typical target proxy server used in conjunction with this feature for traffic interception.
- **SSL Pinning Bypass:** The feature is used in contexts where defeating certificate pinning is required to facilitate traffic interception.