
Memory Dump Detection

Protection Module: MemoryDumpDetection

Available For

This protection module is available for iOS 12 and later. It provides runtime detection of memory dumping tools and frameworks used for dynamic analysis and reverse engineering.

Platform support:

  • Platform: iOS (iOS 12+ required)
  • Architecture: ARM64, ARM64e compatible

How It Works

Memory Dump Detection monitors your application at runtime for signs of common dynamic analysis frameworks and memory inspection tools. It detects both the presence of these tools and the suspicious runtime behaviour patterns they produce.

Detection Techniques

The module employs multiple detection strategies:

  • Library Scanning: Searches loaded libraries for signatures of Frida (frida-gadget, FridaGadget.dylib) and Cycript framework libraries
  • Port Monitoring: Attempts to detect Frida's default communication ports (27042, 27043) via TCP connection checks
  • Named Pipe Detection: Scans for Frida's inter-process communication mechanisms
  • Thread Anomaly Detection: Monitors for abnormal thread count patterns that indicate injected code
  • Binary Analysis: Validates binary structure against known tampering signatures

Confidence Metrics:

  • Known tools (Frida, Cycript): 0.95
  • Anomalous thread patterns: 0.85-0.92

Default Interval: 60 seconds
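As an added illustration of the detection techniques listed above (this is example code written for this page, not the ByteHide Monitor SDK's own implementation), the following Swift shows how the library scan, the Frida port check and the thread-count check can be built on public iOS APIs: dyld image enumeration, a loopback TCP connect, and task_threads. The signatures, ports and confidence tiers come from the page; the thread baseline of 8, the tolerance of 4, and the rule that scales confidence within the 0.85-0.92 band are assumptions of this example.

```swift
import Foundation
import MachO    // _dyld_image_count, _dyld_get_image_name

/// One heuristic hit. Confidence values follow the tiers listed above.
struct DetectionFinding {
    let method: String      // "LibraryScanning", "PortMonitoring" or "ThreadAnomaly"
    let detail: String
    let confidence: Double
}

// Known-tool signatures named on the page, lower-cased for comparison.
private let knownLibrarySignatures = ["frida-gadget", "fridagadget", "cycript"]
// Frida's default ports, as listed above.
private let fridaPorts: [UInt16] = [27042, 27043]

/// Library scanning: walk every image dyld has loaded into this process
/// and match its path against the known signatures.
func scanLoadedLibraries() -> [DetectionFinding] {
    var findings: [DetectionFinding] = []
    for index in 0..<_dyld_image_count() {
        guard let cName = _dyld_get_image_name(index) else { continue }
        let path = String(cString: cName).lowercased()
        if let hit = knownLibrarySignatures.first(where: { path.contains($0) }) {
            findings.append(DetectionFinding(method: "LibraryScanning",
                                             detail: "\(hit) matched \(path)",
                                             confidence: 0.95))
        }
    }
    return findings
}

/// Port monitoring: a plain TCP connect to 127.0.0.1. With no listener the
/// call fails at once (ECONNREFUSED); success means something is bound there.
func isLocalTCPPortOpen(_ port: UInt16) -> Bool {
    let fd = socket(AF_INET, SOCK_STREAM, 0)
    guard fd >= 0 else { return false }
    defer { close(fd) }
    var addr = sockaddr_in()
    addr.sin_len = UInt8(MemoryLayout<sockaddr_in>.size)
    addr.sin_family = sa_family_t(AF_INET)
    addr.sin_port = port.bigEndian
    addr.sin_addr.s_addr = inet_addr("127.0.0.1")
    let rc = withUnsafePointer(to: &addr) { ptr in
        ptr.withMemoryRebound(to: sockaddr.self, capacity: 1) { sa in
            connect(fd, sa, socklen_t(MemoryLayout<sockaddr_in>.size))
        }
    }
    return rc == 0
}

func checkFridaPorts() -> [DetectionFinding] {
    return fridaPorts.filter(isLocalTCPPortOpen).map {
        DetectionFinding(method: "PortMonitoring",
                         detail: "listener on 127.0.0.1:\($0)", confidence: 0.95)
    }
}

/// Thread anomaly: count the Mach threads in this task, releasing the port
/// array that task_threads hands back.
func currentThreadCount() -> Int? {
    var threads: thread_act_array_t?
    var count: mach_msg_type_number_t = 0
    guard task_threads(mach_task_self_, &threads, &count) == KERN_SUCCESS else { return nil }
    if let threads = threads {
        for i in 0..<Int(count) { mach_port_deallocate(mach_task_self_, threads[i]) }
        let bytes = vm_size_t(count) * vm_size_t(MemoryLayout<thread_act_t>.stride)
        vm_deallocate(mach_task_self_, vm_address_t(bitPattern: threads), bytes)
    }
    return Int(count)
}

/// Baseline, tolerance and the 0.85-0.92 scaling rule are this example's
/// assumptions; a real deployment measures its own steady-state thread count.
func checkThreadAnomaly(baseline: Int, tolerance: Int) -> [DetectionFinding] {
    guard let count = currentThreadCount(), count > baseline + tolerance else { return [] }
    let excess = Double(count - baseline - tolerance)
    let confidence = min(0.92, 0.85 + 0.01 * excess)
    return [DetectionFinding(method: "ThreadAnomaly",
                             detail: "\(count) threads, baseline \(baseline)",
                             confidence: confidence)]
}

/// One sweep combining the three checks; the caller maps confidence to an action.
func runMemoryDumpSweep(threadBaseline: Int) -> [DetectionFinding] {
    return scanLoadedLibraries() + checkFridaPorts()
        + checkThreadAnomaly(baseline: threadBaseline, tolerance: 4)
}

// Periodic sweep on a utility queue, mirroring the module's default 60 s interval.
// The baseline of 8 threads is an assumed value for illustration only.
let sweepTimer = DispatchSource.makeTimerSource(queue: .global(qos: .utility))
sweepTimer.schedule(deadline: .now(), repeating: .seconds(60))
sweepTimer.setEventHandler {
    for finding in runMemoryDumpSweep(threadBaseline: 8) {
        print("[\(finding.method)] \(finding.detail) confidence=\(finding.confidence)")
    }
}
sweepTimer.resume()
```

The checks are deliberately cheap (one pass over loaded images, two non-blocking loopback connects, one Mach call) so that running them on a 60-second timer stays within the performance figures quoted later on this page; the port and thread checks are heuristics and are the ones most likely to need tuning against false positives on a given app.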

JSON Configuration

JSON
{
  "protections": [
    {
      "type": "MemoryDumpDetection",
      "action": "close",
      "intervalMs": 60000
    }
  ]
}

Code-Based Configuration

Swift

Swift
import ByteHideMonitor

BHMMonitor.configure { config in
    config.enableProtection(.memoryDumpDetection, action: .close, intervalMs: 60000)
}

Objective-C

OBJC
#import <ByteHideMonitor/ByteHideMonitor.h>

[BHMMonitor configure:^(BHMMonitorConfiguration *config) {
    [config enableProtection:BHMProtectionModuleTypeMemoryDumpDetection
                      action:BHMActionTypeClose
                  intervalMs:60000];
}];

Available Actions

Action   Behavior                              Recommended For
Close    Terminate application immediately     Production apps with critical IP
Log      Record incident and continue          Development, analytics
Erase    Securely delete data then terminate   Financial, healthcare apps
Custom   Execute custom handler                Enterprise integrations
None     Detect only, no action                Testing configurations

See Actions for detailed action documentation.

When to Use

Enable Memory Dump Detection if:

  • Your app handles sensitive user data (credentials, payment information, PII)
  • You want to prevent reverse engineering and dynamic analysis
  • You're deploying to production and need comprehensive runtime protection
  • You need to comply with security standards that require anti-analysis measures
  • Your app contains proprietary algorithms or business logic worth protecting

Consider using custom actions to integrate with your analytics or security monitoring platform.

Code Examples

Swift - Basic Configuration

Swift
import UIKit
import ByteHideMonitor

class AppDelegate: UIResponder, UIApplicationDelegate {
    func application(
        _ application: UIApplication,
        didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?
    ) -> Bool {
        BHMMonitor.configure { config in
            config.enableProtection(
                .memoryDumpDetection,
                action: .close,
                intervalMs: 60000
            )
        }
        return true
    }
}

Swift - Custom Action

Swift
import ByteHideMonitor

BHMMonitor.configure { config in
    config.registerCustomAction("memory-dump-handler") { context in
        let threatType = context.threatType
        let description = context.threatDescription
        let metadata = context.metadata

        // Log the threat
        print("Memory Dump Detected: \(description)")
        print("Threat Type: \(threatType)")
        print("Confidence: \(metadata?["confidence"] ?? "unknown")")

        // Perform custom response
        if let confidence = metadata?["confidence"] as? Double, confidence > 0.9 {
            // High confidence - take immediate action
            // securelyTerminateApp() is the app's own helper, not an SDK call
            self.securelyTerminateApp()
        } else {
            // Lower confidence - just log for review
            // Analytics is the app's own reporting layer, not an SDK type
            Analytics.logSecurityEvent(threatType: threatType)
        }
    }

    config.enableProtection(
        .memoryDumpDetection,
        customAction: "memory-dump-handler",
        intervalMs: 60000
    )
}

Objective-C

OBJC
#import <ByteHideMonitor/ByteHideMonitor.h>

[BHMMonitor configure:^(BHMMonitorConfiguration *config) {
    [config registerCustomAction:@"memory-dump-handler" handler:^(BHMThreatContext *context) {
        NSString *threatType = context.threatType;
        NSString *description = context.threatDescription;
        NSDictionary *metadata = context.metadata;

        NSLog(@"Memory Dump Detected: %@", description);
        NSLog(@"Threat Type: %@", threatType);

        if ([metadata[@"confidence"] doubleValue] > 0.9) {
            // securelyTerminateApp is the app's own helper, not an SDK method
            [self securelyTerminateApp];
        }
    }];

    [config enableProtection:BHMProtectionModuleTypeMemoryDumpDetection
                customAction:@"memory-dump-handler"
                  intervalMs:60000];
}];

Platform Compatibility

Component support on iOS 12, iOS 13+ and iOS 16+:

  • Core Detection: full support across all versions
  • Frida Detection: detects both in-app and system-level injection
  • Port Scanning: network detection features
  • Thread Analysis: runtime thread monitoring

Performance Impact

Memory Dump Detection has minimal performance impact:

  • CPU Usage: <1% per check cycle
  • Memory Overhead: ~2-3 MB resident memory
  • Check Latency: 100-200ms per detection cycle
  • Background Impact: Negligible when enabled with default 60-second interval

To optimize performance in resource-constrained environments:

  • Increase intervalMs to 120000 (2 minutes) for less frequent checks
  • Use .none action for detection-only mode during development
  • Consider disabling thread anomaly detection if not needed

Threat Detection Details

When a memory dump threat is detected, the threat context includes:

JSON
{
  "moduleType": "MemoryDumpDetection",
  "threatType": "FridaFrameworkDetected",
  "threatDescription": "Frida gadget library detected in loaded modules",
  "detectionResult": {
    "detectedTool": "Frida",
    "detectionMethod": "LibraryScanning",
    "libraryName": "FridaGadget.dylib",
    "confidence": 0.95
  },
  "metadata": {
    "confidence": 0.95,
    "detectedLibraries": ["FridaGadget.dylib"],
    "timestamp": "2024-03-15T10:30:45Z"
  }
}
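The following is an added example (not part of the ByteHide Monitor documentation or SDK) of consuming the threat context shown above once it has been serialised, for instance when a custom action forwards it to an analytics or security-monitoring platform as suggested earlier on this page. The field names follow the documented JSON; the Decodable struct, the ThreatResponse enum, the erase-versus-terminate branch and the sample payload bytes are this example's own constructions, and the 0.9 cut-off mirrors the page's custom-action sample.

```swift
import Foundation

/// Typed view of the threat context documented above. Field names follow the
/// JSON; the struct itself is this example's, not an SDK type.
struct MemoryDumpThreatContext: Decodable {
    struct DetectionResult: Decodable {
        let detectedTool: String
        let detectionMethod: String
        let libraryName: String?
        let confidence: Double
    }
    struct Metadata: Decodable {
        let confidence: Double
        let detectedLibraries: [String]?
        let timestamp: String
    }
    let moduleType: String
    let threatType: String
    let threatDescription: String
    let detectionResult: DetectionResult
    let metadata: Metadata
}

/// Response a custom handler might choose. The 0.9 cut-off matches the page's
/// custom-action sample; the erase branch is this example's assumption.
enum ThreatResponse: Equatable { case eraseAndTerminate, terminate, logOnly }

func chooseResponse(for ctx: MemoryDumpThreatContext, handlesSensitiveData: Bool) -> ThreatResponse {
    guard ctx.moduleType == "MemoryDumpDetection", ctx.metadata.confidence > 0.9 else {
        return .logOnly
    }
    return handlesSensitiveData ? .eraseAndTerminate : .terminate
}

/// Flattens the context into one key=value line for analytics or a SIEM.
/// Only detection fields are included, never user data.
func securityEventLine(for ctx: MemoryDumpThreatContext) -> String {
    let libs = (ctx.metadata.detectedLibraries ?? []).joined(separator: ",")
    return "module=\(ctx.moduleType) threat=\(ctx.threatType) "
        + "method=\(ctx.detectionResult.detectionMethod) tool=\(ctx.detectionResult.detectedTool) "
        + "libs=[\(libs)] confidence=\(ctx.metadata.confidence) ts=\(ctx.metadata.timestamp)"
}

// Constructed input: the documented payload, as bytes a handler might receive.
let samplePayload = Data("""
{
  "moduleType": "MemoryDumpDetection",
  "threatType": "FridaFrameworkDetected",
  "threatDescription": "Frida gadget library detected in loaded modules",
  "detectionResult": {
    "detectedTool": "Frida",
    "detectionMethod": "LibraryScanning",
    "libraryName": "FridaGadget.dylib",
    "confidence": 0.95
  },
  "metadata": {
    "confidence": 0.95,
    "detectedLibraries": ["FridaGadget.dylib"],
    "timestamp": "2024-03-15T10:30:45Z"
  }
}
""".utf8)

do {
    let ctx = try JSONDecoder().decode(MemoryDumpThreatContext.self, from: samplePayload)
    print(securityEventLine(for: ctx))
    print(chooseResponse(for: ctx, handlesSensitiveData: true))
} catch {
    // Never let a malformed payload crash the handler; record it for review instead.
    print("unparseable threat context: \(error)")
}
```

Decoding into a typed struct rather than reading dictionary keys ad hoc means a missing or renamed field surfaces as a decoding error at the handler boundary, which is the right place to notice it, instead of silently producing an "unknown" confidence further down the pipeline.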
