Dumping and analyzing Android application memory.

Here we will see how to dump the memory for an Android application using the Android Device Monitor, after the memory is dumped, it is converted to a standard format using the hprof_conv tool that comes with the Android SDK, once converted, the dump of memory can be viewed and analyzed by a profiling tool, in this case we will be using the Eclipse Memory Analyzer Tool (mat).


While developing your application, dumping and analyzing it’s memory can help you troubleshoot memory-related issues like leaks, garbage collection, duplicated strings, etc. From a security point of view, we dump and analyze the memory of an application looking for sensitive data that may stay in the memory longer that it should and thus exposed to a possible attacker with physical access to the device or a malicious application acting on behalf of the attacker.


How long should sensitive information remain in memory?

As with any other sensitive information, whenever you put sensitive information into an Android application memory, it should be there the least time possible, meaning that you put it there only when it is needed and remove it as soon as it not. The more time you keep sensitive information in memory, the wider the attack window becomes, this is what security should be concerned with for sensitive information that must be handled at application level, for instance passwords entered by users, other sensitive information should be handled at server level.


What’s recommended for Java?

If you must handle sensitive information on the application, you wound thing that putting it into a String is the right way to go, however, String objects are immutable and make it difficult to remove then from the memory, this feature make Strings unsuitable for storing sensitive information. Instead, Java recommends to use an array of chars (char[]) to hold sensitive information, you can see an example here.


Getting the memory dump

To analyze an Android’s application memory, we need to first dump it’s memory while it is running, to do this we can use the Android Device Monitor, which you can start through the Android Studio’s Tools menu (Tools > Android > Android Device Monitor). Before using this tool, make sure your Android Virtual or Physical Device is running and accessible through adb:

android-virtual-device

Now, go ahead and open the Android Device Monitor, you would see you device listed as well as all the applications running on the device at the moment:

android-device-monitor

Now, you go back to the Android Virtual Device and run the target application, you will see a new package name in the list of applications, this is the one we will be dumping it’s memory:

adm-app-list

At this point you can go ahead and interact with the application, whenever you want to get a memory dump of the application target, select it and click on the “Update Heap” button, after that, click the button right next to it “Dump HPROF file”:

update-heap-dump-hprof-file

Save the hprof file in your workstation:

save-hprof-file-dump

Converting the dump file with hprof_conv

Open a terminal and head to wherever your Android SDK files are, we want to go to the Platform Tools folder and use the hprof converter tool, which converts the dumped memory file into a standard format that can be understood by our memory analyzer tool.

hprof-conv-tool

Analyzing the converted dump file with mat

Once the file is converted, we need to download the Eclipse Memory Analyzer tool, you fan find it here: http://www.eclipse.org/mat/downloads.php, once downloaded, start the tool with ./MemoryAnalyzer:

mat-open-dump

Head to Open Heap Dump and navigate to the previously converted memory dump file, you will be prompted to chose one of the common reports (Leaks, Components or Re-open), go ahead and select “Leak Suspect Report” to automatically check the heap dump for leak suspects:

mat-getting-started

You’ll get detailed information about possible memory leaks, however, what we want to do is to explore the objects in the memory for any sensitive information, for this we can go ahead and click on the “Open Dominator Tree for entire heap” button open-dominator-tree

mat-overview

You’ll get a tree data structure with all the objects found in the memory dump, you can go ahead and search for any string or regular expression. Here we search for the string “securitygrind” and find all the objects in the memory dump containing it:

mat-analysis

Conclusion

Sensitive information should be kept in memory the least time possible, minimizing the attack window is what concerns security in this matters. To easily clear sensitive information from the memory, Java recommends to use an array of chars (char[]) instead of an String to hold said information.

Leave a Reply

Your email address will not be published. Required fields are marked *