changes

This version simply pins the version of python-prompt-toolkit in use as a major update of the library is imminent. (thanks @jonathanslenders)

v1.2.8

changes

• The Android patcher defaulted to not decode resources by default. This has now been inverted, with the flags long name changed to --skip-resources to skip the decoding if needed.

v1.2.7

new

• Add --network-security-config / -N flag to the patchapk command. This flag will add a network security config to the APK as well as the required android:networkSecurityConfig tag to the AndroidManifest.xml's <application> tag. This helps for Android 7+ and the changes to CA certificates that were introduced.
• Add a hook on the verifyChain() method in the com.android.org.conscrypt.TrustManagerImpl class to suppress exceptions that could get thrown if a certificate with a non-trusted CA is presented. This hook is available in the android sslpinning disable command and should take preference over --network-security-config flag in the patchapk command.

fixes

• The patchapk command used to strip all .'s from the resultant APK's name. This should no longer happen.

v1.2.6

fixes

• Fix method matching in the Android class watcher when the method signature contains a throw statement.

other

• Add warnings about running objection on older mobile operating systems. These include Android 4 and lower and iOS 8 and lower.

v1.2.5

fixes

• Fix the Android root simulation Frida script to return values for the methods called.
• Improve the Android APK patcher by adding the -r flag to apktool by default to skip resource decoding.

v1.2.4

new

• Add new --gadget-version flag to the mobile patchers to specify the version of the Frida gadget to use.

v1.2.3

new

• Add the android hooking watch class command to watch all methods within a class.
• Add the --json flag to the ios cookies get command to output cookies as a JSON structure.

fixes

• Fix a bug in the ios ui screenshot command that caused screenshots to fail to write to disk.
• Conditionally check for the code cache dir in the env command to improve Android 4x compatibility.

v1.2.2

new

• Add the zipalign command to the Android APK patcher.

fixes

• Reduce warnings generated by jarsigner by adding the -tsa flag.
• Fix the iOS SSL pinning bypass command by removing the SecTrustEvaluate hook as this was breaking other SSL related calls.

v1.2.1

new

• Add the --quiet flag to the Android and iOS sslpinning disable commands to reduce terminal output during usage.
• Improve the iOS SSL pinning by hooking more functions such as SecTrustEvaluate, -[AFSecurityPolicy setSSLPinningMode:] and -[AFSecurityPolicy setAllowInvalidCertificates:].

fixes

• Add the --ignore-ios10-tls-helper flag to the ios sslpinning disable command as there were some cases where tls_helper_create_peer_trust would break TLS connections in general.

v1.2.0

new

• Add the --enable-debug flag for the Android patcher that will set the android:debuggable property in the resultant AndroidManifest.xml file to true after patching an APK.
• Add the --file-commands / -c flag to the explore command to read objection commands from a file and run them on start up.
• Add the commands history, commands save and commands clear commands to work with the current sessions command history. Saved commands can be loaded using the previously mentioned -c flag.
• Refactor the iOS and Android class method watcher commands to now have flags to toggle the dumping of arguments (--dump-args), stack traces (--dump-backtrace) and return values (--dump-return) to the screen. The older dump_args commands for both platforms have been removed in favour of the new flags.
• Add the ability to tab complete flags.
• Allow for multiple startup commands to be added when starting the REPL by using more than one -s flag.
• Added command arguments to the output of the jobs list command to make it easier to distinguish commands of the same type.

fixes

• Improve the error handling when starting the objection REPL.
• Improve command argument validation, especially in commands where flags are used.