List all Objection commands used for iOS mobile app penetration testing.
Explore App with Objection
objection -g com.example.app explore # com.example.app is an example app
Run an Objection Command When the App Is Spawned
# Example: run "ios hooking search classes jail" when the app is spawned
objection -g com.example.app explore --startup-command "ios hooking search classes jail"
Basic Jailbreak Detection Bypass
ios jailbreak disable
# Example output:
com.example.app on (iPhone: 15.4.1) [usb] #
(agent) [303462] fileExistsAtPath: check for /Applications/Cydia.app failed with: 0x0, marking it as successful.
(agent) [289052] fileExistsAtPath: check for /Applications/Cydia.app was successful with: 0x1, marking it as failed.
(agent) [289052] fileExistsAtPath: check for /bin/bash was successful with: 0x1, marking it as failed.
(agent) [289052] fopen: check for /bin/bash was successful with: 0x103404f98, marking it as failed.
..................
Basic Enumeration
Local App Paths
env
# Example output:
Name               Path
-----------------  -------------------------------------------------------------------------------------------
BundlePath         /private/var/containers/Bundle/Application/81AD95F9-3DA4-4CEB-BD50-442BD55D1D02/Example.app
CachesDirectory    /var/mobile/Containers/Data/Application/9EC4057E-FE48-4B9F-81D3-C0FB75BC2EA3/Library/Caches
DocumentDirectory  /var/mobile/Containers/Data/Application/9EC4057E-FE48-4B9F-81D3-C0FB75BC2EA3/Documents
..........
List classes
ios hooking list classes
# Example output:
com.example.app on (iPhone: 15.4.1) [usb] # ios hooking list classes
AAAFoundationSwift.AAFTimedAnalyticsEvent
AAAFoundationSwift.BroadcastMessageSender
AAAFoundationSwift.DependencyRegistry
AAAFoundationSwift.MessageSender
AAAFoundationSwift.OSActivity
AAAFoundationSwift.OSTransaction
AAAFoundationSwift.WeakWrapper
.................
Search for classes
# Search a class that contains a string
ios hooking search classes jailbreak
# Example output:
com.example.app on (iPhone: 15.4.1) [usb] # ios hooking search classes jailbreak
PodsDummy_DTTJailbreakDetection
DTTJailbreakDetection
PodsDummy_flutter_jailbreak_detection
flutter_jailbreak_detection.SwiftFlutterJailbreakDetectionPlugin
FlutterJailbreakDetectionPlugin
..............
Search for methods
# Search a method that contains a string
ios hooking search methods jail
# Example output:
com.example.app on (iPhone: 15.4.1) [usb] # ios hooking search methods jail
[DTTJailbreakDetection + isJailbroken]
[UIScreen + _shouldDisableJail]
[UIScreen - _unjailedReferenceBoundsForInterfaceOrientation:]
[UIScreen - _unjailedReferenceBoundsInPixels]
..........
List class methods
# List methods of a specific class
ios hooking list class_methods DTTJailbreakDetection
# Example output:
com.example.app on (iPhone: 15.4.1) [usb]
+ isJailbroken
Found 1 methods
Watch class
# Hook all the methods of a class, dump all the initial parameters and returns
ios hooking watch class DTTJailbreakDetection
# Hook a specific method of a class, dumping the method's parameters, backtraces and return values each time it is called
ios hooking watch method "*[iRoot isJailBroken]" --dump-args --dump-return --dump-backtrace
Overwrite Return Value
ios hooking set return_value "*[iRoot isJailBroken]" false
Generate Hooking Template
ios hooking generate simple iRoot
Extract Sensitive Information
Dump NSUserDefaults
NSUserDefaults is a simple storage mechanism commonly used for storing small amounts of data or user preferences. However, it's not a secure place to store sensitive information like passwords because it can be accessed easily by other apps or by jailbroken devices.
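To review what an app has written to NSUserDefaults, the following added example (not part of the original page) audits the app's preferences plist, which iOS keeps at Library/Preferences/<bundle id>.plist in the data container, and flags entries that look like credentials. The regex heuristics, the function names and the sample plist are assumptions constructed for illustration.

```python
import plistlib
import re

# Key names that suggest a secret (assumed heuristic list, extend per app).
SENSITIVE_KEY = re.compile(r"pass(word|code)?|secret|token|api[_-]?key|session|pin\b|auth", re.I)
# Value shapes that suggest a credential: JWTs and long opaque strings.
JWT = re.compile(r"^eyJ[\w-]+\.[\w-]+\.[\w-]*$")
LONG_OPAQUE = re.compile(r"^[A-Za-z0-9+/=_-]{32,}$")

def walk(node, path=""):
    """Yield (key_path, leaf_value) for every leaf in a nested plist."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, node

def audit_defaults(plist_bytes):
    """Return sorted (key_path, reason) findings for an NSUserDefaults plist."""
    findings = []
    for path, value in walk(plistlib.loads(plist_bytes)):
        leaf = path.rsplit(".", 1)[-1]
        if SENSITIVE_KEY.search(leaf):
            findings.append((path, "sensitive key name"))
        elif isinstance(value, str) and JWT.match(value):
            findings.append((path, "JWT-shaped value"))
        elif isinstance(value, str) and LONG_OPAQUE.match(value):
            findings.append((path, "long opaque value"))
    return sorted(findings)

# Constructed sample standing in for Library/Preferences/com.example.app.plist.
SAMPLE = plistlib.dumps({
    "hasSeenOnboarding": True,
    "theme": "dark",
    "userPassword": "hunter2",
    "account": {"sessionToken": "abc123", "displayName": "Alice"},
    "cache": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl",
    "AppleLanguages": ["en-US"],
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for path, reason in audit_defaults(SAMPLE):
        print(f"{path}: {reason}")
```

Any finding is a candidate for moving the value into the Keychain; the value-shape checks catch secrets stored under innocuous key names such as "cache".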