Skip to main content

Filesystem Monitoring

Monitoring the file system is a good way of determining which files the app is writing to or reading from as it is being used. Reviewing the file system activity may point you to PLIST files or databases that you can review for sensitive information. Performing this tracing can easily be accomplished using the 'fsmon' utility.

The first thing we will do is launch fsmon specifying the app we want to trace. Then we will launch the app on the device, so that we can gather all file system activity from start to finish.

Note: Make sure that the application is completely killed off - double press on the Home button and kill the app.

fsmon -P $BINARY

In some instances, you may only want to capture file system activity while performing a specific task. To do this, you will need to get the process ID of the running app you are testing using the ps -ef command.

To trace the process file system activity:

fsmon -p 1234

(Where 1234 is the process ID you want to monitor)

In many cases, Apple APIs are called from the app which are spawned and handled outside of the parent process ID. If you trace only the process ID or the binary name then you may miss some critical activity. It is recommended that you also trace the BUNDLE and DATA directories of the app as it is in use.

# Bundle Directory
fsmon /private/var/containers/Bundle/Application/${UUID}/AppName.app

# Data Directory
fsmon /private/var/mobile/Containers/Data/Application/${UUID}/