Welcome to my 8th blog post in the “iOS Application Security Testing Series”. You can find Part 7 here. In this article, we will look at analyzing the memory contents of an iOS application using Fridump, which is built on the Frida framework; if you have not come across Frida yet, it is well worth a look. We already used Frida indirectly with Objection (part 4 of the series, here), which is also powered by it.
In past application security assessments, I have come across several instances where access controls were not implemented correctly, and where decryption keys and credentials were preloaded into memory and not properly disposed of after use. Keys or secrets that are well protected statically within the application are often much less protected at runtime, and recovering them from memory is simple.
A useful testing technique is searching the memory space of a process for a specified sequence of bytes. Examples of what you can find this way include instantiated view controllers and their properties.
Every iOS device has a dedicated AES-256 crypto engine built into the DMA path between the flash storage and main system memory, making file encryption highly efficient. On A9 or later A-series processors, the flash storage subsystem is on an isolated bus that is only granted access to memory containing user data through the DMA crypto engine. When a new file is created on an iOS device, it is assigned a class by the app that creates it, and each class uses different policies to determine when the data is accessible.
For example, the NSFileProtectionCompleteUntilFirstUserAuthentication class behaves in the same way as the Complete Protection class, except that the decrypted class key is not removed from memory when the device is locked.
Using Fridump – iOS Example
The following are the main flags that can be used with Fridump:
fridump [-h] [-o dir] [-u] [-v] [-r] [-s] [--max-size bytes] process
To use Fridump you need Frida installed in your environment and frida-server running on the device whose memory you want to dump. The easiest way to install Frida for Python is with pip: pip install frida-tools. In my past forensics work, I came across another tool set that does similar things, called Radare, which you should check out as it’s pretty cool.
As an example, I will be using the Damn Vulnerable iOS Application (DVIA). In one of the application’s sections, we are asked to find some specific values stored in the memory of the device. The usual way of doing this is with Cycript, so let me show you another way.
We run Fridump against the app as follows: fridump -u -s -r DVIA
I normally use the -s flag together with -u to retrieve the names of all processes; this will create a strings.txt file in the output directory, along with all the memory dump files. Opening strings.txt, we can easily search for any secret values or keys that may be in the application.
If, while using Fridump, you see the application crashing and restarting, try different values of --max-size. The --max-size flag sets the maximum size of a chunk, in bytes, replacing the default value of 20MB. You may have to go as low as 1MB at a time to ensure that the application does not crash.
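As an added example (not code from the original post or from the Fridump project), here is a small Python checker that does what the strings.txt search above does by hand: it scans the dump chunks Fridump writes (assumed here to be *.data files in the output directory) for the tester's own known test credentials, in both ASCII and UTF-16LE so that NSString-backed values are not missed, and reports the file and offset of each hit. The sample dump directory is constructed inline.

```python
import re
import tempfile
from pathlib import Path

# Printable runs of at least 4 chars, like fridump's -s strings pass, plus a
# UTF-16LE variant: NSString may keep text in 16-bit units, so an ASCII-only
# scan can miss a secret that really is sitting in memory.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes):
    """Yield (offset, encoding, text) for every printable run in a dump chunk."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_secrets(dump_dir, needles):
    """Scan every *.data chunk in dump_dir (assumed fridump naming) for the
    tester's own known test secrets; return (file, offset, encoding, needle)."""
    hits = []
    for path in sorted(Path(dump_dir).glob("*.data")):
        for off, enc, text in extract_strings(path.read_bytes()):
            for needle in needles:
                if needle in text:
                    hits.append((path.name, off, enc, needle))
    return hits


def build_sample_dump():
    """Constructed stand-in for a fridump output directory: two chunks holding a
    test credential in ASCII and a test API key in UTF-16LE amid filler bytes."""
    d = Path(tempfile.mkdtemp(prefix="fridump_"))
    filler = bytes(range(256)) * 4  # 1024 bytes, no needle inside
    (d / "0x100000000_dump.data").write_bytes(
        filler + b"password=Sup3rSecret!" + filler)
    (d / "0x100100000_dump.data").write_bytes(
        filler + "api_key=TESTKEY42".encode("utf-16le") + filler)
    return d


if __name__ == "__main__":
    sample = build_sample_dump()
    for hit in find_secrets(sample, ["Sup3rSecret!", "TESTKEY42"]):
        print("%s @ offset %d (%s): contains %s" % hit)
```

Run it against a real Fridump output directory with the credentials you typed into the app during the test; any hit after logout or lock is a finding to report.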
Conclusion
In this article, we looked at analyzing the memory contents of an iOS application, what you as a tester should be looking for in an application memory dump, and which tools can help you.
I am trying to use a non-jailbroken device. I added the FridaGadget.dylib to the Xcode project of the app I want to inspect with fridump. When I run fridump.py it will start gathering the memory contents, but halfway through it just crashes the app running on Xcode and stays stale. Any tips?