MemCorruption Tool for Detecting Memory Corruption Issues in Android Apps

MemCorruption is a detection tool created by ByteDance's AppHealth team to locate Use‑After‑Free (UAF), Double‑Free (DF), and Heap‑Buffer‑Overflow (HBO) memory corruption issues in Android apps, and it is widely used across ByteDance’s products.

Background : As Android app development increasingly involves native code, more than half of Android vulnerabilities stem from memory corruption, which is hard to reproduce offline and often occurs after the initial crash site, making analysis difficult.

Memory Corruption Types :

UAF (Use‑After‑Free) example:

void HeapUseAfterFree() {
  int *ptr1 = (int*)malloc(4);
  if (ptr1 != NULL) {
    *ptr1 = 0xcccc;
    free(ptr1); // free ptr1
    *ptr1 = 0xabcd; // write after free
  }
}

DF (Double‑Free) example:

void DoubleFree() {
  int *ptr = (int*)malloc(4);
  free(ptr);
  free(ptr);
}

HBO (Heap‑Buffer‑Overflow) example:

void HeapBufferOverflow() {
  char *ptr = (char*)malloc(sizeof(char)*100);
  *(ptr+101) = "aa";
  *(ptr+102) = "bb";
  *(ptr+103) = "cc";
  *(ptr+104) = "dd";
  free(ptr);
}

Tool Status : Existing tools like ASan, HWASAN, Valgrind, and coredumps have high compatibility or performance costs, preventing large‑scale deployment on Android clients.

ByteDance Solution :

Low‑overhead, compatible with Android 5.x–11.

Hook memory allocation functions via a dispatch‑table hook for high efficiency.

Stack unwinding uses frame‑pointer (fp) on Arm64 and libunwind_stack on Arm32.

Dual‑sampling strategy: server‑side user sampling combined with client‑side random allocation sampling to limit memory overhead.

Invisible detection via SIGSEGV handler that restores permissions for managed memory blocks, preventing app crashes.

Workflow includes hooking malloc/free, sampling allocations, recording thread and stack information, and dynamically configuring the tool via cloud‑delivered policies.

Pros :

Easy integration via AAR component.

Configurable via cloud.

Memory overhead limited to 100 KB–8 MB (total 700 KB–8.6 MB).

Cons :

Monitors only heap blocks up to 4 KB.

Cannot detect non‑heap memory issues.

No support for iOS/x86 or Android 4.4‑ and below (future plans).

Online Results & Cases : Deployed in multiple ByteDance apps, detecting over 200 memory‑corruption issues and fixing more than 30. Case studies show how the tool captured UAF and DF problems with detailed abort messages, free/alloc stack traces, and enabled rapid root‑cause analysis.

Conclusion : Memory corruption is unavoidable for C/C++ developers; MemCorruption offers a scalable, low‑impact way to sample and monitor allocations, detect issues without crashing the app, and improve stability across large user bases.