
Filesystem Monitoring

Monitoring the file system is a good way of determining which files the app writes to or reads from while it is being used. Reviewing the file system activity may point you to files or databases that you can then review for sensitive information. This tracing is easily done with the fsmon utility.

The first thing we will do is launch fsmon specifying the app we want to trace. Then we will launch the app on the device, so that we can gather all file system activity from start to finish.


Note: Make sure that the application is completely killed off before you launch it, so that the trace covers its activity from startup.


# As root, on the device:
fsmon -P $BINARY

In some instances, you may only want to capture file system activity while performing a specific task. To do this, get the process ID of the running app you are testing with the ps -ef command.

To trace the process file system activity:

# As root, on the device:
fsmon -p 1234

(Where 1234 is the process ID you want to monitor)

If you trace only the process ID or the binary name, you may miss some critical activity. It is recommended that you also trace the /data/data/com.example.app directory while the app is in use.

# As root, on the device:
fsmon /data/data/com.example.app/
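
The PID lookup and the directory trace described above can be combined in a small helper. This is an added example, not part of the original page: the function names and the sample ps -ef output are constructed, and it assumes the usual 8-column ps -ef layout with the PID in column 2 and the command name in column 8. It matches the package name exactly (plus its "package:name" child processes), so a similarly named app or the grep you typed does not end up in the trace.

```shell
#!/bin/sh
# Constructed sample of `ps -ef` output (not captured from a real device).
SAMPLE_PS='UID            PID  PPID C STIME TTY          TIME CMD
root             1     0 0 09:00:01 ?     00:00:02 init
u0_a123       4321   612 1 09:14:10 ?     00:00:05 com.example.app
u0_a123       4388   612 0 09:14:12 ?     00:00:00 com.example.app:sync
u0_a124       4400   612 0 09:15:00 ?     00:00:01 com.example.app2
root          4500  4490 0 09:16:00 pts/0 00:00:00 grep com.example.app'

# Read `ps -ef` output on stdin and print the PID of every process whose
# command name is exactly the package ($1) or a "package:name" child process.
app_pids() {
    pkg=$1
    while read -r _uid pid _ppid _c _stime _tty _time cmd _rest; do
        # Skip the header row and anything else without a numeric PID.
        case $pid in ''|*[!0-9]*) continue ;; esac
        case $cmd in
            "$pkg"|"$pkg":*) echo "$pid" ;;
        esac
    done
}

# Print the fsmon invocations to run as root on the device: one per matching
# PID, followed by the trace of the app's data directory.
trace_plan() {
    pkg=$1
    app_pids "$pkg" | while read -r pid; do
        echo "fsmon -p $pid"
    done
    echo "fsmon /data/data/$pkg/"
}

# Offline demonstration against the constructed sample.
# On the device, use instead:  ps -ef | trace_plan com.example.app
printf '%s\n' "$SAMPLE_PS" | trace_plan com.example.app
```

Each printed fsmon command runs until interrupted, so start them in separate root shells.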