A run-time approach for pen-testing iOS applications Part-II (Objection in Action)

A run-time approach for penetration testing of iOS apps Part-I
October 7, 2019
cyber risk questions
5 Security Questions You Must Answer While Briefing the Board on Cyber Risk
November 25, 2019

October 7, 2019

Objection in Action

Once all things go right, we can inject Frida scripts into our target application. Open target application and enter following command in powershell

objection -g YOUR-APPLICATION-NAME explore

You will now have access to application’s file over device’s shell

Test Cases:

> Application exploration:

1. To browse applications file


2. Print current directory

pwd print

3. To browse applications file

cd /folder/path/name

> Sensitive Data Exposure

1. Dump .plist files:

Property List file is a structured binary formatted file which contains the essential configuration of a bundle executable in nested key value pairs. Plist files are used to store the user preferences and the configuration information of an application.

i. Print environment information


ii. Goto document folder

cd /var/mobile/Containers/Data/Application/04256310-C7E7-4A1A-BA98-54D4F98235E2/Documents

iii. Download .plist file

file download Credentials.plist creds.plist

It will get stored in your “C:\Users\USERNAME” path as “creds.plist” name.

iv. To read that downloaded file:

!type creds.plist

2. Dump keychain file of target application:

Keychain is an encrypted container (128 bit AES algorithm) and a centralized SQLite database that holds identities & passwords for multiple applications and network services, with restricted access rights.

ios keychain dump

3. Dump sqlite files:

The SQLite database that comes with iOS does not have a built-in support for encryption. Most of the iOS applications store lots of sensitive data in plain text format in SQLite files.

i. Print environment information


ii. Goto document folder

cd /var/mobile/Containers/Data/Application/04256310-C7E7-4A1A-BA98-54D4F98235E2/Documents

iii. Download .sqlite file

sqlite connect /var/mobile/Containers/Data/Application/04256310-C7E7-4A1A-BA98-54D4F98235E2/Documents/Credentials.sqlite file

4. Memory dump:

i. We will download and save memory dump into json file:

memory list modules --json memory.json

ii. It will list memory modules and store in “memory.json”

iii. To read memory.json

!type memory.json

> SSL pinning disable/bypass:

One of the cool feature of objection is one command ssl pinning bypass. To disable ssl pinning checks for target application run following command:


This will start ssl pinning disable task and will run without interruption. You can kill this process or job with following commands

> Dump cookies stored by target application:

Some of iOS application’s stores user’s session cookies into local storage. This cookies may contain server secrets, oauth tokens, api keys, etc.

ios cookies get

> Job listing and kill:

You can list and enable/kill any running job according to test scenarios.

i. To list out all running jobs:

jobs list

ii. Note job id to be killed

iii. Run following command to kill job

jobs kill JOBID

That’s all for today folks. Happy Hacking!!


Enable Notifications OK No thanks