
`objection explore --startup-command "ios sslpinning disable"` race condition

Open SmartArray opened this issue 2 years ago • 2 comments

Is your feature request related to a problem? Please describe.
Currently, as soon as objection connects to the Frida server, lldb/gdb will cause the app to continue with the execution. Apparently, there is no way to prevent this behavior.

Describe the solution you'd like
The app should not run until the hooks are installed properly. Preferably objection could also have a flag `--pause` that doesn't tell Frida to run the app, to give it some time to initialize; it would then continue its execution after the user enters the command `run` or `proceed-launch`. I feel like this might be impossible to fix as some requests are threaded, maybe. On the other hand, it could be possible because threads are launched after the initialization of the main thread.

Describe alternatives you've considered
Using breakpoints in gdb/lldb, but of course they will pause Frida.Framework's execution too.

Additional context
Some apps do a web request very quickly, which will cause severe issues if SSL pinning is not disabled using hooks. In some cases the app will not continue with the launch. That race condition is nasty, as it sometimes takes 10-20 runs until the hooks are added before the HTTP request is executed.

I have good knowledge in Typescript and Python. Maybe someone can point me to the connect procedure or is at least ready to discuss this feature with me.

SmartArray, Apr 21 '23 13:04

I don't know why objection does not pause the execution. Maybe it's an issue on my end. `--no-pause` is not useful if it already does that behavior by default.

However, a workaround for me was to patch an IPA with a custom `FridaGadget.config` and a custom Frida script. That script ran immediately without an issue and helped me to do an "early instrumentation".

SmartArray, Apr 24 '23 08:04
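The workaround described in the comment above, as an added example that is not the configuration SmartArray posted (the thread does not include it) and not part of objection: a `FridaGadget.config` that uses the Gadget's script interaction mode, so the Gadget loads a script from disk during its own initialization instead of waiting for a client to attach. The hooks in that script are therefore installed before the app's main thread reaches its first HTTP request, which is exactly the ordering the race in this issue breaks. The script name `early.js` is an assumption; it is the Frida script carrying the pinning hooks and must be placed where the `path` resolves (Frida documents relative paths as resolved from the Gadget's own directory; an absolute path avoids the question). `on_change: "reload"` is optional and makes the Gadget reload the script when the file changes, which is convenient while iterating on the hooks.

```json
{
  "interaction": {
    "type": "script",
    "path": "early.js",
    "on_change": "reload"
  }
}
```

The file sits next to `FridaGadget.dylib` in the patched IPA, in place of the default config objection's `patchipa` writes. If you would rather keep an interactive objection or frida session, the alternative is the `listen` interaction type with `"on_load": "wait"`, which makes the Gadget block the process until a client attaches and explicitly resumes it, giving the same guarantee that hooks land before any request is sent.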

This is a known issue, though with regards to the `--no-pause` flag, that is only applicable when using frida server and spawning the application with objection, as far as I know, in which case the application is paused by default. Currently the best approach for early instrumentation is frida directly, unfortunately, but there is (and has been for a while) some thinking in the works for improving this.

In terms of the logic for the script injection, you can look here: https://github.com/sensepost/objection/blob/master/objection/utils/agent.py#L237 Please post if you have an idea for improving this logic.

IPMegladon, Jul 10 '24 16:07