gitwtfhub

wtf is objection?

sensepost/objection — explained in plain English

Analysis updated 2026-06-24

9,096PythonAudience · developerComplexity · 3/5LicenseSetup · moderate

TL;DR

A runtime security testing toolkit for iOS and Android apps that works without jailbreaking your device, letting you inspect network traffic, file storage, and memory of running apps.

Mindmap

mindmap
  root((objection))
    What it does
      Runtime inspection
      SSL bypass
      Keychain dump
      Memory exploration
    How it works
      Built on Frida
      No jailbreak needed
      Code injection
    Use cases
      Penetration testing
      App security review
      File storage audit
    Setup
      pip install
      Frida required
      iOS or Android device

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Why would anyone build with this?

REASON 1

Intercept and inspect encrypted HTTPS traffic from a mobile app during a security assessment.

REASON 2

Dump saved credentials from an iOS app's Keychain without jailbreaking the device.

REASON 3

Browse and extract files from an Android app's private storage at runtime.

REASON 4

Inspect live objects in an app's memory to find sensitive data exposures.

What's in the stack?

PythonFrida

How it stacks up

sensepost/objectionsaulpw/visidatalmeszinc/azurlaneautoscript
Stars9,0969,0849,109
LanguagePythonPythonPython
Setup difficultymoderateeasymoderate
Complexity3/52/53/5
Audiencedeveloperdatageneral

Figures from each repo's GitHub metadata at analysis time.

How do you spin it up?

Difficulty · moderate Time to first run · 30min

Requires Frida installed on both your computer and the target device, the device must have the Frida server binary running.

Free to use and share, but any software you distribute that includes this code must also be open-source under the same GPL v3 terms.

Wtf does this do

objection is a security testing toolkit for mobile apps on iOS and Android. It is built for people who need to examine how a mobile application behaves at runtime, meaning while it is actually running on a device, rather than just reading its code. The notable aspect is that you do not need to jailbreak an iPhone or root an Android device to use it. The toolkit runs on top of a technology called Frida, which lets you inject code into a running process and observe or change its behavior. Through objection you can browse and interact with the app's private file storage, intercept and bypass SSL certificate checks (a common technique used to inspect encrypted network traffic during security assessments), dump saved credentials from the iOS Keychain, and inspect objects that are currently alive in the app's memory. Other capabilities listed include patching memory, exploring the heap (the area of memory where the app stores objects while running), and a range of additional features documented in the project wiki. The tool is aimed at security professionals doing mobile penetration testing, though it can also be used by developers who want to understand what their app exposes at runtime. Installation is a single pip command. The project is licensed under the GNU General Public License version 3. The README is short and points to the project wiki for full feature documentation and screenshots.

Yoink these prompts

Prompt 1
I'm using objection to test an iOS app. Show me how to attach to a running process and bypass SSL certificate pinning so I can see its HTTPS traffic.
Prompt 2
Using objection on Android, how do I list and download files from an app's private data directory without rooting the device?
Prompt 3
I want to dump all credentials stored in an iOS app's Keychain using objection. Write the commands I need.
Prompt 4
How do I use objection to explore live Objective-C objects in memory on a running iOS app?

Frequently asked questions

wtf is objection?

A runtime security testing toolkit for iOS and Android apps that works without jailbreaking your device, letting you inspect network traffic, file storage, and memory of running apps.

What language is objection written in?

Mainly Python. The stack also includes Python, Frida.

What license does objection use?

Free to use and share, but any software you distribute that includes this code must also be open-source under the same GPL v3 terms.

How hard is objection to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is objection for?

Mainly developer.

View the repo → Decode another repo

This repo across BitVibe Labs

Don't trust strangers blindly. Verify against the repo.