Say you need to dump an Android application’s memory, for example to check whether sensitive information is kept in memory longer than it needs to be. This is a usual test case for applications handling highly sensitive information.
Any data the application requires needs to be in memory at some point in time, that’s for sure. However, the recommendation is to keep that data in memory only for the time strictly necessary and, when it is no longer needed, to remove it from memory.
For applications handling highly sensitive information this is important because an attacker may be able to access the application’s memory contents via a memory dump, a crash dump or physical access and, if the data is still in memory, it may be compromised.
Immutable objects
According to the documentation, “an object is considered immutable if its state cannot change after it is constructed”. For instance, if you use a String object to hold sensitive information, that object is immutable, meaning that if you try to change its contents a new String instance is created while the old one remains unmodified.
In short, immutable objects are kept in memory until a garbage collection is triggered by the system. If you try to empty (or zero out) an immutable object, you are simply creating a new instance of an object, but the initial value remains in memory.
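The following is an added example, not code from the article, that shows the same contrast in Python: “zeroing” an immutable str only rebinds a name while the original object (and every other reference to it) keeps the secret, whereas a mutable bytearray can be wiped in place. On Android the equivalent is String versus a char[]/byte[] you overwrite with Arrays.fill(); the function names here are ours.

```python
"""Added example: why "zeroing" an immutable secret does not remove it from memory.
Python analogue of the article's Java String case; on Android the same contrast is
String (immutable) versus a char[]/byte[] that can be overwritten in place.
Function names are ours, not from the article."""
from typing import Tuple


def clear_immutable(secret: str) -> Tuple[str, str]:
    """Try to wipe a str. Rebinding the name creates a NEW object; the original
    string object, and every other reference to it, is untouched.
    Returns (what this function now holds, what the old object still contains)."""
    still_referenced = secret          # e.g. a View's text, a log buffer, a field
    secret = "\0" * len(secret)        # allocates a fresh object; old bytes stay until GC
    return secret, still_referenced


def clear_mutable(secret: bytearray) -> bytearray:
    """Wipe a mutable buffer in place, so every alias observes the zeros."""
    for i in range(len(secret)):
        secret[i] = 0
    return secret


def demo() -> Tuple[bool, bool]:
    """Returns (immutable_secret_survives, mutable_secret_survives)."""
    s = "foopassword"                  # the test credential used in the article
    _, leftover = clear_immutable(s)
    immutable_survives = leftover == "foopassword"

    buf = bytearray(b"foopassword")
    alias = buf                        # a second reference, like the one above
    clear_mutable(buf)
    mutable_survives = bytes(alias) != bytes(len(alias))
    return immutable_survives, mutable_survives


if __name__ == "__main__":
    print("immutable survives: %s, mutable survives: %s" % demo())
```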
Dumping an application memory
Dumping an application’s memory lets you inspect its contents to check whether sensitive information is kept for longer than needed. Enter fridump, “an open source memory dumping tool” that leverages the power of frida to dump the memory of an application.
If you want to learn more about frida, check out the article below where we discuss how to set it up and its basic usage for bypassing SSL pinning on Android applications.
Do note that the frida package is now split into two packages, frida-tools and frida. To install them you would do something like shown below:
#pip install frida-tools
#pip install frida
Running frida
To run frida you first need to push frida-server to the Android device and run the executable on the device from an adb shell:
#./frida-server &
Back on your workstation you can check the connection to the frida server with the frida-ps command, using the -U option to connect to the attached USB device:
#frida-ps -U
Using fridump
Once frida is set up, using fridump is quite simple: you just need to clone or download the GitHub repository here and follow the usage instructions. Let’s first run fridump’s help to understand what the tool can do:
#python fridump.py --help
Now, if we want to dump the memory of a specific application, we first need to run the application and make sure the sensitive information has been put in memory. For this example we are going to use the application shown below, logging in with the credentials foouser@domain.com and foopassword:
Now we need the name of the application package. We can extract this information from the AndroidManifest.xml configuration file; in this case the package name is com.example.root.mobilesec. We run fridump on this package with -U to connect to the USB device and -s to get the list of strings:
#python fridump.py -U -s com.example.root.mobilesec
This creates a folder in the current directory called dump and a file named strings.txt containing all the strings found in memory. We inspect this file looking for the sensitive information (the password) and see that the data is still in memory:
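Rather than eyeballing strings.txt, the check can be scripted: the following is an added example (not part of fridump) that reads the dump/strings.txt layout described above, one extracted string per line, and reports which of the test credentials from the login are still resident and at which lines. The sample lines embedded in it are constructed to resemble such a file.

```python
"""Added example: scan the strings.txt that `fridump -s` writes (dump/strings.txt)
for the test credentials used during the session. Not part of fridump; the
sample lines below are constructed to resemble such a file."""
from pathlib import Path
from typing import Dict, Iterable, List

# Constructed stand-in for dump/strings.txt after the login shown in the article.
SAMPLE_STRINGS = """\
Landroid/widget/EditText;
foouser@domain.com
Content-Type: application/json
foopassword
{"user":"foouser@domain.com","pass":"foopassword"}
dalvik.system.PathClassLoader
"""


def find_secrets(lines: Iterable[str], secrets: Iterable[str]) -> Dict[str, List[int]]:
    """For each secret, collect the 1-based line numbers of strings that contain it."""
    hits: Dict[str, List[int]] = {s: [] for s in secrets}
    for n, line in enumerate(lines, 1):
        for s in hits:
            if s in line:
                hits[s].append(n)
    return hits


def retained(hits: Dict[str, List[int]]) -> List[str]:
    """Secrets with at least one hit are still resident: these are the findings."""
    return [s for s, where in hits.items() if where]


def scan_dump(strings_file: Path, secrets: Iterable[str]) -> Dict[str, List[int]]:
    """Run find_secrets over a real fridump strings.txt."""
    with strings_file.open(encoding="utf-8", errors="replace") as fh:
        return find_secrets(fh, secrets)


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("dump/strings.txt")
    secrets = ["foouser@domain.com", "foopassword"]   # the credentials used at login
    if target.exists():
        found = scan_dump(target, secrets)
    else:                                             # fall back to the constructed sample
        found = find_secrets(SAMPLE_STRINGS.splitlines(), secrets)
    for s in retained(found):
        print(f"{s!r} still in memory at string(s) {found[s]}")
```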
Hello, thanks for the great post. I have used Frida and Fridump for memory dump & strings dump on a mobile device, so now I have about 500 files in dump.data format.
But how can I use these files? How can I extract any pdf files from them and save them on my pc?
Hello,
I’m not sure what you mean by “extract any pdf files from them”. Usually you would dump the memory of the application and look for sensitive information (such as passwords, credit card numbers, SSNs, etc.) within the dumped files; to do that you can use a tool like grep or your preferred text editor.
Regards,
Cristian
Thanks Cristian, actually I dumped an app which has DRM e-books and pdfs, so I bought this book but I want to have it on my pc for my own use (I don’t wanna sell it or copy it or …), but this app doesn’t allow me. So now I want to retrieve that e-book from this dump.data. Is it possible?
I get this error:
“Can’t connect to App. Have you connected the device?”
Of course the frida server is running on my iPhone.
:/
Do you get any output when running “frida-ps -U” after running the server on the device?
Regards,
Cristian
fridump> frida-ps -U
PID Name
----  ---------------------------------
2289 Configurações
2554 Nova Launcher
1757 adbd
2475 android.ext.services
3049 android.process.acore
2510 android.process.media
1834 audioserver
2474 cameraserver
2614 com.android.carrierconfig
2734 com.android.inputmethod.pinyin
2526 com.android.keychain
2851 com.android.launcher3
2608 com.android.managedprovisioning
2669 com.android.onetimeinitializer
2264 com.android.phone
2543 com.android.printspooler
2695 com.android.providers.calendar
2217 com.android.systemui
2794 com.google.android.gms
2496 com.google.android.gms.persistent
3128 com.google.android.gms.ui
3586 com.google.android.gms.unstable
2643 com.google.process.gapps
…………….
---------------------------------------------------------------------------
fridump> python fridump.py -U -v -s com.myapp
 ______    _     _
|  ___|  (_)   | |
| |_ _ __ _  __| |_   _ _ __ ___  _ __
|  _| '__| |/ _` | | | | '_ ` _ \| '_ \
| | | |  | | (_| | |_| | | | | | | |_) |
\_| |_|  |_|\__,_|\__,_|_| |_| |_| .__/
                                 | |
                                 |_|
Can’t connect to App. Have you connected the device?
DEBUG:device not found
Hi Bruno,
Not sure what this could be, you might want to take a look here.
Regards,
Cristian
You must use the application name:
1- frida-ps -U
2- find the name of your package
3- use fridump with the app name