NetSPI Blog

iOS Tutorial – Dumping the Application Heap from Memory

NetSPI
January 5th, 2015

An essential part of pentesting iOS applications is analyzing the application at runtime. In this post I cover how to dump the heap of a running iOS application, and I am releasing a small script that runs on the iOS device and dumps the heap of whichever application you name.

You can download the script from the NetSPI GitHub. The script is a thin wrapper around GDB: rather than dumping every mapping in the process, it dumps only the memory regions that GDB's “info mach-regions” reports as having sub-regions. In my experience these sub-regions are where active credentials, whatever is currently displayed in the UI, and the properties of instantiated classes end up. The device has to be jailbroken, since the script needs SSH access and a GDB build from Cydia, and the technique currently works only on iOS 7 and lower, until there is a working GDB build for iOS 8. The GDB package in the default Cydia repositories will not work; use the fixed build from the repository http://cydia.radare.org, or install the deb package directly from http://cydia.radare.org/debs/gdb_1708_iphoneos-arm.deb. Below are a few screenshots of the process and of how the script works.

First, launch the application whose heap we want to capture and log in.

[Screenshot: MB_iOS_Dump_1]

After logging in, leave the app on its first main screen, which in this case is the user's timeline.

Next, SSH into the device rather than interacting with it directly, so that the application stays in the foreground instead of being sent to the background by iOS.

[Screenshot: MB_iOS_Dump_2]

The screenshot above shows the script's output while it runs. The only input it needs is the name of the binary whose heap we want to dump.

[Screenshot: MB_iOS_Dump_3]

Above are the resulting .dmp files, one per dumped region, which we can now search for credentials or any other sensitive data. Encryption keys and passwords usually turn up in the instantiated classes that perform encryption or implement the login process. I use a combination of the “strings” command and “xxd” as a hex dumper, but any hex editor you are comfortable with will do.

This technique is a quick way to determine whether an application leaves sensitive information in memory after the objects that handled it are finished with it. Any class or method that touches sensitive data should release that memory as soon as it is no longer needed; otherwise the information sits in the process where anyone who can attach to it, as we just did, can read it. Releasing alone is not the whole fix: freed memory keeps its old contents until it is reused, so buffers holding secrets should be overwritten before they are released.

These are the GDB commands the script runs:

  • gdb --pid=<PID> (attach to the running application)
  • info mach-regions (list the process memory map; look for the regions marked with sub-regions)
  • dump binary memory heap1.dmp <start> <end> (write one sub-region range from the listing above to a file; repeat with a new file name for each range)
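To make the region-selection and search steps concrete, here is an added example in Python, written for this edit and not the NetSPI script or part of Apple's GDB: it parses the output of “info mach-regions”, keeps only the writable top-level regions that have sub-regions, writes the matching dump binary memory commands to a GDB command file, and then does the strings/xxd pass over a dump. Assumptions not from the original post: the mach-regions line layout in SAMPLE_REGIONS is reconstructed from memory of Apple's GDB and may differ between builds (adjust REGION_RE if yours prints differently), the bytes in SAMPLE_DUMP are constructed rather than taken from a real device, and the keyword list is only a starting point.

```python
"""Added example (not the NetSPI script): pick heap regions from
`info mach-regions`, emit GDB dump commands, then grep the dumps."""
import re
from typing import Iterator, List, Tuple

# Constructed sample of `info mach-regions` output. The line layout is an
# assumption about Apple's GDB; adjust REGION_RE if your build prints differently.
SAMPLE_REGIONS = """\
Region from 0x4000 to 0x1a8000 (r-x, max r-x; copy, private, not-reserved)
Region from 0x1a8000 to 0x1ac000 (rw-, max rw-; copy, private, not-reserved) (2 sub-regions)
   ... from 0x1a8000 to 0x1aa000 (rw-, max rw-; copy, private, not-reserved)
   ... from 0x1aa000 to 0x1ac000 (rw-, max rw-; copy, private, not-reserved)
Region from 0x17600000 to 0x17700000 (rw-, max rwx; copy, private, not-reserved) (3 sub-regions)
   ... from 0x17600000 to 0x17680000 (rw-, max rwx; copy, private, not-reserved)
   ... from 0x17680000 to 0x176c0000 (rw-, max rwx; copy, private, not-reserved)
   ... from 0x176c0000 to 0x17700000 (rw-, max rwx; copy, private, not-reserved)
Region from 0x2fe00000 to 0x2fe80000 (rw-, max rw-; copy, private, not-reserved)
Region from 0x30000000 to 0x30100000 (r-x, max r-x; copy, shared, not-reserved) (2 sub-regions)
   ... from 0x30000000 to 0x30080000 (r-x, max r-x; copy, shared, not-reserved)
   ... from 0x30080000 to 0x30100000 (r-x, max r-x; copy, shared, not-reserved)
"""

# Top-level region line, with an optional "(N sub-regions)" suffix.
REGION_RE = re.compile(
    r"^Region from 0x([0-9a-fA-F]+) to 0x([0-9a-fA-F]+) "
    r"\((?P<perm>[rwx-]{3}),[^)]*\)(?: \((?P<n>\d+) sub-regions?\))?\s*$"
)


def select_regions(text: str, writable_only: bool = True) -> List[Tuple[int, int]]:
    """Return (start, end) for top-level regions that have sub-regions.

    The indented '... from' sub-region lines are skipped on purpose: dumping
    the parent range covers them. Read-only code mappings are dropped by
    default because the heap is rw-."""
    regions = []
    for line in text.splitlines():
        m = REGION_RE.match(line)
        if not m or m.group("n") is None:
            continue
        if writable_only and "w" not in m.group("perm"):
            continue
        regions.append((int(m.group(1), 16), int(m.group(2), 16)))
    return regions


def gdb_dump_script(regions: List[Tuple[int, int]], prefix: str = "heap") -> str:
    """GDB command file: one `dump binary memory` per region, then detach."""
    lines = [f"dump binary memory {prefix}{i}.dmp 0x{s:x} 0x{e:x}"
             for i, (s, e) in enumerate(regions, 1)]
    return "\n".join(lines + ["detach", "quit"]) + "\n"


# Constructed bytes standing in for one heap dump: a few objects from a login flow.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"NSMutableDictionary\x00\x00\x00"
    + b"username=alice\x00"
    + b"\x01\x02\x03\x04"
    + b"password=S3cretPa55\x00"
    + b"\x00" * 16
    + "Authorization: Bearer eyJhbGciOi".encode("utf-16-le") + b"\x00\x00"
    + b"\xde\xad\xbe\xef" * 8
)


def printable_strings(data: bytes, min_len: int = 6) -> Iterator[Tuple[int, str]]:
    """What `strings` would print, plus UTF-16LE runs (NSString often stores
    text that way), each as (offset, text)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.start(), m.group().decode("utf-16-le")


def find_hits(data: bytes, keywords=("password", "passwd", "token", "secret",
                                     "authorization")) -> List[Tuple[int, str]]:
    """Strings worth a closer look: credentials usually sit next to a field name."""
    return sorted((off, s) for off, s in printable_strings(data)
                  if any(k in s.lower() for k in keywords))


def hexdump_line(data: bytes, offset: int, width: int = 16) -> str:
    """One xxd-style line so a hit can be checked in context."""
    chunk = data[offset:offset + width]
    hexpart = " ".join(f"{b:02x}" for b in chunk)
    text = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
    return f"{offset:08x}: {hexpart:<{width * 3 - 1}}  {text}"


if __name__ == "__main__":
    regions = select_regions(SAMPLE_REGIONS)
    with open("dump.gdb", "w") as fh:
        fh.write(gdb_dump_script(regions))
    print("selected", [f"0x{s:x}-0x{e:x}" for s, e in regions])
    for off, s in find_hits(SAMPLE_DUMP):
        print(hexdump_line(SAMPLE_DUMP, off), "<-", s)
```

On a real device you would paste the actual “info mach-regions” output in place of SAMPLE_REGIONS and hand the generated file to GDB, for example with gdb --pid=<PID> -batch -x dump.gdb (standard GDB options, but verify them against the 1708 build you installed). The UTF-16 pass matters because a password typed into a text field is often held as an NSString rather than a C string, and plain “strings” will not show it.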

Comments
Akshay (Guest):

I really enjoy reading the blog, especially the iOS part, which I am interested in because I am still learning, but how do we patch this vulnerability?

Mark Beard (Guest):

Stay tuned. I will be doing a part 2 to this blog on parsing the heap dumps and how to do proper memory management in iOS. Thanks!

Chris (Guest):

Please write part 2 of this article! We want to know how to fight this vulnerability 🙂

Ben (Guest):

GREAT post! Thanks, very informative; I have been looking for something like this! Can you suggest, or would you be able to do, a similar post on Android app heap dumping? I haven't been able to find any really clear sources on it.

Massimo (Guest):

Hi, and thanks for this post.

I'm trying to run this script from my MacBook Air with “El Capitan” but it does not seem to work. GDB is missing and seems not to be available for “El Capitan”.
Am I missing something? Has anyone tested this procedure on “El Capitan”?
I'm trying to get the memory dump from an iPhone 6 simulated with the iOS simulator.
Thanks,
Massimo

Ben (Guest):

Are there any plans to make this technique compatible with newer iOS versions?

Mani (Guest):

Thanks for the post. Will it work only on non-jailbroken devices?

Mani (Guest):

Sorry, will it work on non-jailbroken devices?

David Smith (Guest):

Regards