Christopher Coffee

Monitor Android’s filesystem with fsmon to detect insecure storage

I’m diving deeper into security and wanted to document my process along the way. First I am going over the process of monitoring an Android device’s filesystem.

Download Android Studio or Android command line tools

You have two options to get the Android developer tools.

If you want to just use Android command line tools, you will also need to install Java.

Alternatively, you can also install Android Studio, which will install everything for you.

Download both below
Download Android Studio & App Tools - Android Developers

Add platform tools to your PATH (optional)

You will also need to add the Android platform-tools to your PATH:

export PATH=$PATH:/Users/<computerName>/Library/Android/sdk/platform-tools

The main command we will use is adb. Type adb in your terminal; if your PATH is configured correctly, it should print the list of adb commands.

You can also go directly to the platform-tools directory and run the command there as a temporary solution. You can also run the following command each time

You can also add this to your shell’s configuration so that it does this automatically. By default, Mac uses zsh, so you can create a file named .zshrc and add the command to the file. Then close and open a new terminal or run the following command if you choose to use the same terminal.

source .zshrc

What should/shouldn't go in .zshenv, .zshrc, .zlogin, .zprofile, .zlogout?

Set up a virtual rooted Android Device

You need a rooted device. Luckily, emulators have root access by default, so there is no need to root your personal device.

If you installed Android Studio, you can use the AVD manager to create an emulator.
Create and manage virtual devices | Android Studio | Android Developers

If you downloaded the command-line tools you can create an emulator by following the avdmanager Android docs
avdmanager | Android Studio | Android Developers

Another popular alternative is Genymotion.
Android Emulator on the Cloud and cross-platform - Genymotion

Make sure to note the architecture used. Android Studio should show it when you’re creating the device, and you specify it yourself when using the avdmanager command, but I’m not currently sure about Genymotion.

Download fsmon

Let’s start by downloading fsmon. There are specific versions for Android. Download the one that matches your emulator architecture:
Releases · nowsecure/fsmon

Download the Insecure Shop apk

I plan to use this app quite often to demonstrate different vulnerabilities on Android. You can download the APK here:
GitHub - hax0rgb/InsecureShop: An Intentionally designed Vulnerable Android Application built in…

Using ADB

We are only going to use a few adb commands in this article.

  1. Install the InsecureShop APK with the following command:

    adb install InsecureShop.apk

  2. Get root access:

    adb root

  3. Push fsmon to the Android device:

    adb push fsmon-and-x86_64 /data/local/tmp

    Files in /data/local/tmp!?

  4. Get shell access to the Android device:

    adb shell

Data for Android apps is stored at the following location: /data/data/

We want to monitor /data/data/com.insecureshop

Let’s go to /data/local/tmp:

cd /data/local/tmp

Now let’s monitor the directory

./fsmon-and-x86_64 /data/data/com.insecureshop/

I haven’t opened the app yet, so I see the following

Now let’s open the app and you will see that it creates the shared preferences directory.

Read more about shared preferences
Save simple data with SharedPreferences | Android Developers

Log in with user name shopuser and password !ns3csh0p

You will see that it has modified a lot of data in the directory.

Open another terminal and gain shell access to the device again:

adb shell

Now let’s go to /data/data/com.insecureshop and inspect the shared preferences file.

cat /data/data/com.insecureshop/shared_prefs/Prefs.xml

You can see that they are saving the password and user name to the file.
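
The manual check above can be repeated across many preference files with a small script. This is an added example, not code from the original post or from the InsecureShop project: it parses a SharedPreferences XML file on the host (for instance one copied off the emulator with adb pull) and flags entries that look like stored credentials. The key names in the sample file and the key-name patterns are assumptions; only the sample values come from the login used above.

```python
import re
import xml.etree.ElementTree as ET

# Key names that suggest a credential or session secret (heuristic, not exhaustive).
SENSITIVE_KEY = re.compile(
    r"pass(word|wd|code)?|pwd|secret|token|api[_-]?key|auth|session|credential|pin\b",
    re.IGNORECASE,
)
# Three base64url segments separated by dots: the shape of a JWT.
JWT_SHAPE = re.compile(r"^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$")


def entry_value(elem):
    """Strings are stored as element text, other scalars in a 'value' attribute."""
    if elem.tag == "set":  # <set name="k"><string>a</string>...</set>
        return ",".join(child.text or "" for child in elem)
    return elem.text if elem.tag == "string" else elem.get("value", "")


def audit_prefs(xml_text):
    """Return (key, type, reason, value_length) for each suspicious entry.

    Only the length is reported so the secret is not copied into the findings.
    """
    findings = []
    for elem in ET.fromstring(xml_text):  # children of the root <map>
        key, value = elem.get("name", ""), entry_value(elem) or ""
        if SENSITIVE_KEY.search(key):
            findings.append((key, elem.tag, "sensitive key name", len(value)))
        elif JWT_SHAPE.match(value):
            findings.append((key, elem.tag, "value shaped like a JWT", len(value)))
    return findings


# Constructed sample: key names are assumed; the values are the login used above.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">shopuser</string>
    <string name="password">!ns3csh0p</string>
    <boolean name="first_run" value="false" />
    <int name="cart_count" value="2" />
</map>"""

if __name__ == "__main__":
    for finding in audit_prefs(SAMPLE_PREFS):
        print(finding)
```

A key-name match is only a lead: confirm each finding by looking at how the app writes and reads that entry.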

Also note that Google recommends moving from SharedPreferences to DataStore. The DataStore file will also be available in the /data/data/ directory of the device.
App Architecture: Data Layer - DataStore - Android Developers

It is best practice to never store sensitive info, even encrypted. Also refer to the **OWASP MASTG (Mobile Application Security Testing Guide)** for other best practices.
Android Data Storage - OWASP Mobile Application Security
