Friday, February 11, 2011

Finding the Heap of an iPhone Application

Often when doing mobile application assessments it is necessary to check that sensitive data is properly discarded when no longer in use. This data is often found on the heap. While it would be nice to dump the core of a running process and run strings/grep over the dump, this is tough on a jailbroken iPhone: the gdb from Cydia does not include the core dump commands (generate-core-file, gcore).

Building gcore-arm from source is pretty easy with Xcode; however, it runs into trouble when making kernel syscalls on the iPhone. Specifically, task_for_pid fails. I'm not sure why, but I suspect it's related to some missing entitlements, a concept I don't fully understand just yet. Somehow Cydia's gdb has all the right entitlements. It would be great if there were a gcore package in Cydia.

Anyway, here's a trick for finding the heap when you need to. First, attach to your app running on the phone with:

gdb -p [PID]

Set a breakpoint on malloc with:

break malloc

Do something with the app so that the malloc breakpoint triggers. Once it does, run until the function returns with 'finish', then inspect r0 with 'info reg r0'. On ARM the r0 register holds a function's return value, so here it contains an address somewhere on the heap. To find the base of the heap, use:

info mach-region [RETURNVAL]

This should show the start and end of the region. You can then dump the heap to a file with:

dump binary memory [FILENAME] [STARTADDR] [ENDADDR]
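Once the region is on disk, the actual check from the first paragraph is whether a sensitive value survived in it. The following Python script is an added example, not part of the original post: it scans a dump written by 'dump binary memory' for a known test value in the encodings an iOS string is likely to use (UTF-8, and UTF-16LE since NSString commonly stores UTF-16), maps each hit back to a heap address using the STARTADDR the dump was taken from, and lists printable runs the way 'strings' would. The file name heap.bin, the sample buffer and the test value 'hunter2' are constructed for this example.

```python
"""Scan a gdb heap dump for a known sensitive value.

Added example, not part of the original post. Assumes the dump was written
with `dump binary memory heap.bin STARTADDR ENDADDR`, so file offset 0 in
the dump corresponds to STARTADDR in the process.
"""
import re
import sys


def encodings_of(secret: str) -> dict:
    """Byte patterns a string value is likely to appear as in an iOS heap."""
    return {
        "utf-8": secret.encode("utf-8"),
        # NSString frequently keeps its characters as UTF-16 (little-endian on ARM)
        "utf-16le": secret.encode("utf-16-le"),
    }


def find_secret(heap: bytes, secret: str, base_addr: int) -> list:
    """Return [(address, encoding)] for every occurrence of `secret` in `heap`.

    `base_addr` is the STARTADDR given to `dump binary memory`, so
    address = base_addr + file offset. Overlapping matches are reported too.
    """
    hits = []
    for name, pattern in encodings_of(secret).items():
        start = 0
        while True:
            idx = heap.find(pattern, start)
            if idx < 0:
                break
            hits.append((base_addr + idx, name))
            start = idx + 1
    return sorted(hits)


def printable_strings(heap: bytes, base_addr: int, min_len: int = 6) -> list:
    """Rough equivalent of `strings` on the dump: (address, text) for ASCII runs."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(base_addr + m.start(), m.group().decode("ascii"))
            for m in re.finditer(pattern, heap)]


# Constructed sample heap (not a real dump): padding around a username and a
# password that is present both as UTF-8 and as UTF-16LE.
SAMPLE_BASE = 0x00100000
SAMPLE_HEAP = (b"\x00" * 16 + b"user=alice\x00" + b"\xff" * 8
               + b"hunter2\x00" + b"\x00" * 8
               + "hunter2".encode("utf-16-le") + b"\x00" * 16)


def main(path=None, secret="hunter2", base=SAMPLE_BASE):
    """Scan `path` (or the constructed sample) and report where `secret` lives."""
    heap = open(path, "rb").read() if path else SAMPLE_HEAP
    hits = find_secret(heap, secret, base)
    if not hits:
        print("secret not found in dump")
    for addr, enc in hits:
        print(f"{addr:#010x}  {enc}")
    return hits


if __name__ == "__main__":
    # usage: python heapscan.py heap.bin SECRET STARTADDR_HEX
    if len(sys.argv) == 4:
        main(sys.argv[1], sys.argv[2], int(sys.argv[3], 16))
    else:
        main()
```

A hit after the app has supposedly cleared the value is the finding; an empty result is only as good as the regions you dumped, since a single malloc return locates the one region containing it and the process heap may span several, so repeat the info mach-region/dump step for each candidate region and run the scan over every file.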
