One of the best ways to develop secure Android applications is to engage in penetration (pen) testing, in effect trying to break into your application just as an attacker might do. This is the fifth in a series of posts on pen testing Android applications. In the first, we set up the testing environment and captured traffic. In the second, we discussed some tools and proxy techniques—Drozer, Apktool, and a “man in the middle” proxy—that come in handy during a security review of Android applications. In the third, we looked at reviewing Android’s manifest file. In the fourth, we covered the process to successfully modify the source code.
In this article, we will focus on capturing and analyzing the heap dump.
Android applications should not leak information such as passwords, social security numbers, or credit card numbers by keeping it in long-lived references or objects in memory. Data leakage through such references is a common finding and falls under the Open Web Application Security Project (OWASP) Mobile Top 10 2016 category M2: Insecure Data Storage.
While performing a pen test we must analyze the heap to identify and flag any sensitive information-leakage issues.
A heap dump is a snapshot of every object live in the application's memory at the moment it is taken. When reviewing it, we need to focus on the following:
- Long-lived references
- Caches holding objects
- Objects holding references
Obtaining the heap dump
Open the Android Device Monitor using the command “monitor” from the tools directory of the Android software development kit (SDK). Next, select the running application's process, click “Dump HPROF file,” and save the file. (HPROF stands for heap/CPU profiling.)
The file Android writes is not identical to a dump produced by the Java HPROF tool, so desktop analyzers cannot read it directly. It needs to be converted into Java SE HPROF format, which you can accomplish using the hprof-conv utility located in the platform-tools directory of the Android SDK.
Converting the HPROF file
Use this command to make the conversion:
hprof-conv <input file> <output file>
Analyzing the heap dump
You can employ the Eclipse Memory Analyzer, for example, to analyze the heap dump.
- Open the converted HPROF file using the memory analyzer.
- Click on “open dominator tree for entire heap” and search for the application package, for example, com.mwr.example.Sieve.
- Search the objects for any sensitive information entered in the application.
We entered password Test@1234123 in the sieve application and found the same in clear text among the objects in the heap dump.
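To make the last step repeatable across builds, here is an added example that is not code from the original post or from the Sieve project: a small Java program (Java 16 or later, for the record type) that scans a converted HPROF file for the bytes of a known test credential supplied by the tester. The file path and the credential are command-line arguments. It relies on one assumption about the dump layout: string contents appear either one byte per character or as UTF-16 inside char[] contents (HPROF records are big-endian), so it searches both encodings, which a single-encoding text search would miss.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;

public class HeapSecretScanner {

    /** One match: the encoding that matched and the byte offset inside the dump. */
    public record Hit(String encoding, long offset) { }

    /**
     * Returns every offset at which the test credential appears in the dump,
     * checking the single-byte encoding and both UTF-16 byte orders. HPROF is
     * big-endian, so UTF-16BE is the expected form for char[] contents; the
     * little-endian search is kept as a cheap extra check.
     */
    public static List<Hit> scan(byte[] dump, String credential) {
        List<Hit> hits = new ArrayList<>();
        findAll(dump, credential.getBytes(StandardCharsets.ISO_8859_1), "latin1/utf8", hits);
        findAll(dump, credential.getBytes(StandardCharsets.UTF_16BE), "utf16be", hits);
        findAll(dump, credential.getBytes(StandardCharsets.UTF_16LE), "utf16le", hits);
        return hits;
    }

    // Straightforward byte-pattern search; dumps of tens of MB are handled fine.
    private static void findAll(byte[] hay, byte[] needle, String label, List<Hit> out) {
        outer:
        for (int i = 0; i + needle.length <= hay.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (hay[i + j] != needle[j]) {
                    continue outer;
                }
            }
            out.add(new Hit(label, i));
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 2) {
            System.err.println("usage: java HeapSecretScanner <converted.hprof> <test-credential>");
            System.exit(2);
        }
        byte[] dump = Files.readAllBytes(Paths.get(args[0]));
        List<Hit> hits = scan(dump, args[1]);
        if (hits.isEmpty()) {
            System.out.println("Test credential not found in " + args[0]);
            return;
        }
        for (Hit h : hits) {
            System.out.printf("Test credential found (%s) at byte offset 0x%x%n",
                    h.encoding(), h.offset());
        }
        System.exit(1); // non-zero exit so an automated build fails when the credential leaks
    }
}
```

Run it against the converted dump with the same value you typed into the app, for example `java HeapSecretScanner sieve.hprof Test@1234123`. A hit tells you only that the bytes are present; open the dump in the memory analyzer as described above and use the dominator tree to find which object holds them and what keeps it alive. The credential must be ASCII for the single-byte search to be meaningful, since the Latin-1 encoding replaces other characters.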
The best practice is to null out references to any object that holds sensitive information as soon as it is no longer needed, so that nothing long-lived keeps it reachable in the heap.
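As an added illustration of that practice (example code, not from the original post or from the Sieve project), the following Java shows the leaky pattern beside the hardened one: a session object that retains the password as an immutable String, and one that handles it as a char[], overwrites it in place once used, and nulls the field. The verification step is a hypothetical stand-in that only hashes the input; it is included because encoding the characters to bytes creates another copy of the secret, and that copy has to be wiped as well.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;

/**
 * Before: the credential lives in an immutable String on an object that
 * outlives the login. Strings cannot be wiped, so the password stays in the
 * heap (and in any heap dump) until the session object itself is collected.
 */
class LeakyLoginSession {
    private String password;

    void login(String pw) throws GeneralSecurityException {
        this.password = pw;               // retained for the life of the session
        PasswordBytes.digest(pw.toCharArray());
    }
}

/**
 * After: the credential is handled as a char[], overwritten as soon as it
 * has been used, and the field is nulled so nothing keeps the array reachable.
 */
class CarefulLoginSession {
    private char[] password;

    void login(char[] pw) throws GeneralSecurityException {
        this.password = pw;
        try {
            PasswordBytes.digest(password);
        } finally {
            Arrays.fill(password, '\0');  // overwrite the characters in place
            password = null;              // drop the long-lived reference
        }
    }

    /** A heap review of this object should find no credential; this reports the same. */
    boolean retainsPassword() {
        return password != null;
    }
}

/** Hypothetical stand-in for verification; a real app would use a proper password hash. */
final class PasswordBytes {
    static byte[] digest(char[] pw) throws GeneralSecurityException {
        // Encoding to bytes creates another copy of the secret; wipe that copy too.
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(pw));
        byte[] bytes = new byte[encoded.remaining()];
        encoded.get(bytes);
        try {
            return MessageDigest.getInstance("SHA-256").digest(bytes);
        } finally {
            Arrays.fill(bytes, (byte) 0);
            if (encoded.hasArray()) {
                Arrays.fill(encoded.array(), (byte) 0);
            }
        }
    }
}

public class PasswordHandlingDemo {
    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed test value. In a real app the chars come from the input
        // widget; a String literal like this one would itself sit in the heap.
        char[] entered = "Test@1234123".toCharArray();

        CarefulLoginSession session = new CarefulLoginSession();
        session.login(entered);

        System.out.println("password retained after login: " + session.retainsPassword());
        System.out.println("caller's buffer after login:   " + Arrays.toString(entered));
    }
}
```

On Android, read the field into a char[] with `getText().getChars(start, end, dest, destOff)` on the Editable rather than calling `getText().toString()`, which would create exactly the String copy the hardened version avoids. Two caveats remain: the EditText's own buffer still holds the text until the widget is cleared, and any library that converts the characters to a String keeps its own copy, so the heap review above should be repeated after the fix rather than assumed to pass.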