NOWSECURE NOW AVAILABLE IN THE MICROSOFT AZURE MARKETPLACE

Microsoft Azure customers gain access to NowSecure Mobile App Security and Privacy Testing for scalability, reliability, and agility of Azure to drive mobile appdev and shape business strategies.

Read More
Media Announcement
NOWSECURE NOW AVAILABLE IN THE MICROSOFT AZURE MARKETPLACE NOWSECURE NOW AVAILABLE IN THE MICROSOFT AZURE MARKETPLACE Show More
magnifying glass icon

FileSystem Monitor Tool For iOS and Android

Posted by

Sergi Àlvarez i Capilla

Mobile Security Analyst at NowSecure
Sergi, also known as Pancake, performs mobile security research at NowSecure and is the creator of Radare, an open-source reverse-engineering tool.
FileSystem Monitor Tool For iOS and Android
Research & Threat Intel

When analyzing the behavior of specific applications or services it is useful to understand how the execution directly or indirectly affects the filesystem.

The kernel provides the primitives to monitor those events, but there is not a standard interface. Each operating system uses different methods and retrieves different information.

Because I’ve found the tools lacking, I’ve built an open-source filesystem monitor utility, fsmon, that runs on Linux, Android, iOS and OSX.

On iOS

For example, in iOS and OSX, the /dev/fsevents device provides a stream of messages about which process is performing an action on a specific file path.

This device and protocol is almost the same as the one found in FreeBSD, but it includes some new events. The implementations of this tool that are currently available are broken, missing events, segfaulting, or reporting incorrect information. So I decided to write my own event-loop parser, which works perfectly well on OS X and iOS.

On Linux

In Linux, and therefore Android, the inotify syscall provides access to receive the filesystem events happening on a specific file or directory.

This API lacks useful information such as who (process-id) is performing that action, and it can’t automatically capture events in recursive directories. The Android FileObserver Java APIs are based on inotify, so they are subject to the same limitations.

The Linux developers addressed those limitations by adding a new fanotify syscall in 2.6.37 (shipped in Android 5+). But Android NDK and Java APIs do not provide access to it, so it is necessary to call that syscall by hand.

That API is also not perfect, but at least it fixes some of the limitations from inotify.

fsmon

In order to address all those issues it was necessary to develop a new tool. Which provides the following features to all the supported platforms:

  • Output in JSON
  • Filter by process or appname
  • Follow children
  • Filter events of specific directory
  • Stop monitoring after N seconds
  • Copy (backup accessed files in another directory)

As long as the event streams are asynchronous and non-blocking, there are only a few situations where the process name can’t be grabbed or the file can’t be copied into the backup directory.

But we think it was the right time to release this tool as open source, so everyone can benefit from and enhance it.

You can find the source code in the NowSecure GitHub repository

Enjoy!

Related Content

5 Common OWASP-MASVS Secure Coding Mistakes
Mobile App Privacy Testing Checklist
Checklist
Clothing Company Sews Up Mobile AppSec
Case Study