Android hacking: Dumping and analyzing application’s memory 2023
In this article we will learn about Android hacking: Dumping and analyzing application’s memory.
Overview of Android hacking:
In this article, we will discuss how to dump the memory of a specific application using Android Studio’s heap dump feature. We’ll also use the Eclipse Memory Analyzer (MAT) to analyze the heap dump we get.
On Android, it is possible to create heap dumps from an application’s heap. We can dump this heap and use it for further analysis using tools like Eclipse Memory Analyzer. However, these dumps are in a binary format that Eclipse Memory Analyzer cannot analyze directly. We need to convert these files into a standard format that it can analyze. This can be done using a tool called hprof-conv that comes with the Android SDK.
Let’s begin!
First, let’s take a sample target application, install it on the emulator, and insert some data as shown below.

This sample application uses SharedPreferences to store user-entered data.
Now open Android Studio and go to Tools -> Android -> Android Device Monitor.

This will open the Android Device Monitor window. Now select the emulator running your target application and then select the target package. Now click the “Update Heap” and “Dump HPROF File” icons.

Clicking the “Dump HPROF File” icon will launch a window asking you to save the heap dump as shown below.

Now download Eclipse Memory Analyzer from the following link and run it.
http://www.eclipse.org/mat/downloads.php
Now try to open the hprof file we just got from Android Studio. Eclipse Memory Analyzer will not be able to analyze it and will throw an error as shown in the image below.

Using the hprof-conv command line tool, we can convert this hprof file into a standard format that MAT can analyze.
As mentioned earlier, the hprof-conv tool comes with the Android SDK and is available in the platform-tools directory.
We can use the following command to convert the hprof file to standard format.
$ hprof-conv <infile> <outfile>
$
Following is the command in our case.
$ hprof-conv com.example.m1_shared.hprof memory.hprof
$
If all goes well, we should be able to open this memory.hprof file with MAT.
Open the file in MAT.

Now, click the “Dominator tree” icon to see the dump as shown in the following figure.

As you can see at the top, we have the option to perform a regex search. We can search for specific keywords using this search option.
Let’s begin by searching for the package name of our target application, and see if we can find anything interesting.

In the lower left corner, we can see some objects related to the application, such as bank name, card number, save, username, etc.
At the beginning of this article, we entered some details into the application. Let’s see if anything is available in memory by searching for the keywords we entered.

As we can see in the above figure, we are searching for the keyword “srini.”
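The same keyword search can be scripted against the converted dump, which makes it easy to re-check after each build whether values like the ones entered above still linger in the heap. The Python below is an added example, not code from the original article: it walks the top-level HPROF records and counts keyword hits in the string table and heap-dump records, and the sample image, function names and script name are constructed for illustration.

```python
import struct
import sys

# Top-level HPROF record tags that can hold string data.
TAGS = {0x01: "STRING", 0x0C: "HEAP_DUMP", 0x1C: "HEAP_DUMP_SEGMENT"}

def read_records(data):
    """Yield (tag, body) for every top-level record in an HPROF image."""
    if not data.startswith(b"JAVA PROFILE "):
        raise ValueError("not an HPROF file")
    pos = data.index(b"\x00") + 1 + 4 + 8   # version string, u4 id size, u8 timestamp
    while pos + 9 <= len(data):
        tag, _ts, length = struct.unpack_from(">BII", data, pos)  # u1 tag, u4 time, u4 length
        yield tag, data[pos + 9:pos + 9 + length]
        pos += 9 + length

def find_keyword(data, keyword):
    """Return (record index, record type, encoding, count) for each hit."""
    # char[] contents are written big-endian (UTF-16BE); the string table
    # and byte[] contents hold single-byte text.
    needles = {enc: keyword.encode(enc) for enc in ("utf-8", "utf-16-be")}
    hits = []
    for index, (tag, body) in enumerate(read_records(data)):
        for enc, needle in needles.items():
            count = body.count(needle) if tag in TAGS else 0
            if count:
                hits.append((index, TAGS[tag], enc, count))
    return hits

def build_sample():
    """Constructed two-record HPROF image (not a real dump) for offline use."""
    def record(tag, body):
        return struct.pack(">BII", tag, 0, len(body)) + body
    header = b"JAVA PROFILE 1.0.3\x00" + struct.pack(">IQ", 4, 0)
    name = record(0x01, struct.pack(">I", 1) + b"username")
    chars = "srini".encode("utf-16-be")
    # PRIMITIVE ARRAY DUMP sub-record: tag 0x23, id, stack serial, length, type 5 (char)
    array = struct.pack(">BIIIB", 0x23, 2, 0, 5, 5) + chars
    return header + name + record(0x1C, array)

if __name__ == "__main__":
    # Usage: python scan_hprof.py memory.hprof keyword   (script name is an assumption)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else build_sample()
    word = sys.argv[2] if len(sys.argv) > 2 else "srini"
    for hit in find_keyword(image, word):
        print("record %d (%s), %s: %d hit(s)" % hit)
```

A hit in a heap-dump record for a value the user typed long ago is the signal to look at how the app holds that data, for example clearing buffers after use instead of keeping them in long-lived String objects.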
