objection
objection copied to clipboard
Provide Official Docker Images
Hi folks!
First off thanks for the fantastic work you are doing here! We recommend objection for @mitmproxy users to bypass certificate pinning^1 and have only received overall great feedback so far once people got it working. 😃 One pain point that has been pointed out to me repeatedly now is that objection patchapk
can be tedious. Installing suitable versions of aapt
, adb
, jarsigner
and apktool
is somewhat painful, in particular on Windows. For example, aapt
in the Wiki points to https://elinux.org/Android_aapt which only points to https://developer.android.com/guide/developing/tools/aapt.html which is a 404. All that is surmountable of course (aapt is in the Android SDK platform tools), but also unnecessarily tedious.
To make this process easier, it would be super nice if there would be an official Docker image that allowed users to just run:
docker run --rm -it -v C:\apks\:/data objection/objection patchapk /data/foo.apk
and get a patched APK file.
This makes complete sense to me. I've long wondered if a container was worth it (for my own use case anyways) given the pains of USB passthrough with Docker on macOS. However, I never considered the pain patching can be in general and how a container could help alleviate that. Thanks!
While not a blocker, patching will change slightly soon. We only need an app to be debuggable now, and no longer need the aggressive process that is currently used involving multiple dependencies. Regardless, a container will be helpful.
Regarding the documentation issues, thanks for pointing that out! It's been a few years now since I wrote that :)
ps. thanks for @mitmproxy! :)
While not a blocker, patching will change slightly soon. We only need an app to be debuggable now, and no longer need the aggressive process that is currently used involving multiple dependencies.
This is fantastic news - are there any details on that yet?
I've long wondered if a container was worth it (for my own use case anyways) given the pains of USB passthrough with Docker on macOS.
FWIW this is a good point -- this really only gets around the dependencies needed for patching. USB passthrough to Docker is nonexistent on Windows AFAIK, so I don't think you can run objection from within docker (at least you would need adb on the host?). You maybe don't want to bother with Docker then if you can simplify the patching instead. Alternatively there's also the option to just bundle the binaries, similar to what apk-mitm
is doing.
I guess my main point is that patching right now is tedious for someone who just wants to try out objection.
This is fantastic news - are there any details on that yet?
It's based on this idea: https://www.nowsecure.com/blog/2020/01/02/how-to-conduct-jailed-testing-with-frida/ where the frida-apk
tool does what you'd need for Android now.
I guess my main point is that patching right now is tedious for someone who just wants to try out objection.
I think there is some merit in it. Frida can listen on a TCP socket (not just usable via USB), so well worth the effort I think.
Hey @leonjza,
Thanks for the pointer - I've had some "fun" with frida-apk (https://github.com/frida/frida-tools/pull/97), which works great now. I've streamlined everything into a simple tool at https://github.com/mitmproxy/android-unpinner, please feel free to copy all the useful stuff into objection. 😃