Objection

notes

This release has a significant change in how iOS applications are patched. Most importantly, after some help over at nowsecure/node-applesign113, we realised we needed to set the bundle id and add the entitlement cloning flag. By default objection will now parse the bundleid from your `.mobileprovision` file automatically, but if you need to set it to something else, you can use the new `-b` flag on the `patchipa` command.

fixes
- Correctly parse `apktool` versions, even if build from source. (https://github.com/sensepost/objection/commit/554c6c660b2e68627ff845301cdd664836eef9ee) (via #449) (thanks No-Cellist-7780)
- Improve support for patching iOS applications using a free developer account. (https://github.com/sensepost/objection/commit/bb33bce3ca9c36482951081e3d3721645f963124)

other
- Bump agent dependencies (https://github.com/sensepost/objection/commit/23ba6b09dab9ef6c4d2e18812e17b8b92e97197a)
- Formatting fixes (https://github.com/sensepost/objection/commit/7724481889cb8873f3bf94ad63f8c8ab23ad7618)

[Code Diff Since v1.10.1](https://github.com/sensepost/objection/compare/1.9.6%E2%80%A61.11.0)

fixes
- Don't crash the agent if no matches were found when using the `memory search` command (https://github.com/sensepost/objection/commit/24582bb9fd1c83155436d6d0b8719cfecbd68028)
- Handle keychain entries that have the `kSecAttrSynchronizable` flag set (https://github.com/sensepost/objection/commit/8560d7586310145568b4b4f1dfa71c84e3b005a8) (thanks jpstotz)

other
- Bump agent dependencies (https://github.com/sensepost/objection/commit/1af959f49478ac679fd78ae8d87389745bf32f0d)

[Code Diff Since v1.10.0](https://github.com/sensepost/objection/compare/1.9.6%E2%80%A61.10.1)

fixes
- Fix import check for `objc_release` indicating that ARC is enabled (https://github.com/sensepost/objection/commit/3b8cc593162a1f8aba0b83843105d1e9958e880c)

[Code Diff Since v1.10.0](https://github.com/sensepost/objection/compare/1.9.6%E2%80%A61.10.1)

new
- Add the `android hooking list class_loaders` command to list the available class loaders (https://github.com/sensepost/objection/commit/b0710ed221ceaf73bc380800d2d7c7dcc1944a14)
- Add the `objection signapk` command to sign multiple apk's using the objection certificate. **NOTE**: This commit also changes the internal signer used from `jarsigner` to `apksigner` (available in the Kali repo) (https://github.com/sensepost/objection/commit/724019a486d410b0b5d83e6d765158b1972b26a8) (via #375) (thanks mtschirs)
- Add wildcard class name support for Android method hooking (https://github.com/sensepost/objection/commit/0dee9d68638a2b32dfdcba45526012ce532d7a1f) (via #383) (thanks bet4it)
- Add the ability to specify an already decoded `AndroidManifest` to the `patchapk` command such that `--skip-resources` could still be used under certain conditions (https://github.com/sensepost/objection/commit/93700023499e471b43585957c079fdef8b21496b) (via #407) (thanks agreenbhm)
- Improve the iOS biometrics bypass hook by also hooking `evaluateAccessControl`. (https://github.com/sensepost/objection/commit/2977c8a03a1111c352606352d9b68c12a5e4f7df) (via #411) (thanks jnovak-praetorian)
- Add a new `ios monitor crypto` command to monitor `CommonCrypto` usage in real time. (https://github.com/sensepost/objection/commit/746d08d6bfa5d314c5efe89ff3335135b8dea139) (via #430) (thanks gagnonca)
- Add a new `android proxy set` command to set the proxy server used by a specific Android app and not the whole OS. (https://github.com/sensepost/objection/commit/91d131174a3141176a0e6e3c783be72651cb88c3) (via #439) (thanks GOAT-FARM3R)
- Add a new `android deoptimize` command to disable all optimizations, forcing the android VM to execute via the interpreter. This could help with some missed hooks (https://github.com/sensepost/objection/commit/a34359165fff68fa219473e83208f8ee0816b9a0)

fixes
- Improve error handling when the remote Frida version does not match the local version (https://github.com/sensepost/objection/commit/6b7baf8b0610643b701bcbf00e6f1b1e9edae113)
- Silence errors that may have occurred while checking for updates (https://github.com/sensepost/objection/commit/925d2bc83e04e8bcb196e46894ca7acbe9b33bb8)
- Improve the `sqlite connect` command to also download SQLite specific temp files if they are available (https://github.com/sensepost/objection/commit/772154f12e146fa6f79f41d0d54e4a5994b3227f) (via #392) (thanks mame82)
- Revert an older `JSON.stringify` patch to properly display hooked arguments for Android hooks again (https://github.com/sensepost/objection/commit/675a88f174acb8619abced5c6058717e7d326d3b) (via #414) (thanks ido77778)

other
- Update agent dependencies (https://github.com/sensepost/objection/commit/7a727a08f0779d2d5dc7713579965781a6f9f653)
- Update agent dependencies (https://github.com/sensepost/objection/commit/618c08759a52241a8d2336c681bcccfbf97e07ba)
- Target `es2020` for the agent. This makes Frida 14+ a requirement for QuickJS (https://github.com/sensepost/objection/commit/1e79aa336f10a80c8e474257e037b6abfd47e51f)
- Major Frida agent dependency bump to latest versions (https://github.com/sensepost/objection/commit/d5642c3fa13284e8b71138cb707253cbdccc78e3)
- Reduce the length of generated job ids (https://github.com/sensepost/objection/commit/dc104f8e80687d875bb958aebb640d51434fb9b8)
- Add warnings about loaded classes when hooking (https://github.com/sensepost/objection/commit/8abb553a1d7cc78384e127d7d24799ec177b001a) (via #403) (thanks TheDauntless)


[Code Diff Since v1.9.6](https://github.com/sensepost/objection/compare/1.9.6%E2%80%A61.10.0)

new
- The `pwd` command will now do the same as `pwd print`, fixing 395 (https://github.com/sensepost/objection/commit/b550b9449ec8c5048b232bf0cf1323210b711b2b)
- Plugins can now extend the HTTP API by returning a Flask Blueprint in the `http_api` method of the plugin itself. An example plugin that does this is included [here](https://github.com/sensepost/objection/blob/master/plugins/api/__init__.py), and will be exposed when specifying the `-a` flag to the `explore` command. (https://github.com/sensepost/objection/commit/a2d988bf8114e27101b27aec461705038e0bb87c)
- Add new hooks to the iOS jailbreak bypass module for calls to `fopen` and `-[UIApplication canOpenURL:]`. Thanks haxxinen (390)

fixes
- Major update checker refactor. The update checker will now only fire once a day, and will store version information in `~/.objection/version_info`. This commit also fixed 386 (https://github.com/sensepost/objection/commit/bca97762497783e8cc5929b4dd4c32427316d4c9)

other
- Bump agent dependencies (https://github.com/sensepost/objection/commit/4fd28182f7171ca820c11794965a89b81506d6d0)
- Bump lodash version (https://github.com/sensepost/objection/commit/9e99a012ccc176a76c1b50ef5febe675226f81de)
- Bump agent dependencies (https://github.com/sensepost/objection/commit/76848d803d262fbd6a7764440d1d6018e1db3af9)

[Code Diff Since v1.9.5](https://github.com/sensepost/objection/compare/1.9.5%E2%80%A61.9.6)

fixes
- Fix exceptions thrown when version checking. Thanks MarshalX (382)
- Refactor (and fix) Android Heap interaction features to better survive future Frida upgrades :D (https://github.com/sensepost/objection/commit/e46044509a407e115d1e01dc149b381d016475ed)

other
- Bump agent dependencies (https://github.com/sensepost/objection/commit/45dd99a75750e397dffb63817e83a881d5704a6c)
- Bump agent dependencies (https://github.com/sensepost/objection/commit/9605949dca750c1e4eb04179d83eac7c8ae1ad83)
- Bump agent dependencies (https://github.com/sensepost/objection/commit/10c7f57794ab5c6464eecbcb8ee1b921c4d6c7a2)
- Bump `types/frida-gum` (https://github.com/sensepost/objection/commit/a3c3ba8d222484f880506cd0be24b25223321fa6)
- Bump frida-objc-bridge version (https://github.com/sensepost/objection/commit/c897944f12883e63faa87fe4cc805ab8ceb55dc6)

[Code Diff Since v1.9.4](https://github.com/sensepost/objection/compare/1.9.4%E2%80%A61.9.5)