Monitor Android’s filesystem with fsmon to detect insecure storage
I’m diving deeper into security and wanted to document my process along the way. First I am going over the process of monitoring an Android device’s filesystem.
Download Android Studio or Android command line tools
You have two options to get the Android developer tools.
If you want to just use Android command line tools, you will also need to install Java.
Alternatively, you can also install Android Studio, which will install everything for you.
Download both here: Download Android Studio & App Tools - Android Developers
Add platform tools to your PATH (optional)
You will also need to add the Android platform-tools to your PATH:
export PATH=$PATH:/Users/<computerName>/Library/Android/sdk/platform-tools
The main command we will use is adb. Type adb in your terminal; if your PATH is configured correctly, it should print the list of adb commands.
You can also go directly to the platform-tools directory and run the command there as a temporary solution, or run adb by its full path each time:
/Users/<computerName>/Library/Android/sdk/platform-tools/adb
You can also add the export line to your shell’s configuration so that it is applied automatically. By default, macOS uses zsh, so you can create a file named .zshrc in your home directory and add the command to it. Then open a new terminal, or run the following command if you choose to keep using the same terminal.
source ~/.zshrc
What should/shouldn't go in .zshenv, .zshrc, .zlogin, .zprofile, .zlogout?
Set up a virtual rooted Android Device
You need a rooted device. Luckily, emulators have root access by default, so there is no need to root your personal device.
If you installed Android Studio, you can use the AVD manager to create an emulator. Create and manage virtual devices | Android Studio | Android Developers
If you downloaded the command-line tools you can create an emulator by following the avdmanager Android docs avdmanager | Android Studio | Android Developers
Another popular alternative is Genymotion. Android Emulator on the Cloud and cross-platform - Genymotion
Make sure to note the architecture used. Android Studio shows it when you’re creating the device, and you specify it yourself when using the avdmanager command, but I’m not currently sure about Genymotion.
Download fsmon
Let’s start by downloading fsmon. There are specific versions for Android. Download the one that matches your emulator architecture: Releases · nowsecure/fsmon
Download the Insecure Shop apk
I plan to use this app quite often to demonstrate different vulnerabilities on Android. You can download the APK here: GitHub - hax0rgb/InsecureShop: An Intentionally designed Vulnerable Android Application built in…
Using ADB
We are only going to use a few adb commands in this article.
- Install the InsecureShop APK with the following command:
adb install InsecureShop.apk
- Get root access:
adb root
- Push fsmon to our Android device:
adb push fsmon-and-x86_64 /data/local/tmp
Files in /data/local/tmp!?
- Get shell access to the Android device:
adb shell
Data for Android apps are stored at the following location: /data/data/<package name>
We want to monitor /data/data/com.insecureshop
Let’s go to /data/local/tmp
cd /data/local/tmp
Now let’s monitor the directory
./fsmon-and-x86_64 /data/data/com.insecureshop/
I haven’t opened the app yet, so I see the following
Now let’s open the app and you will see that it creates the shared preferences directory.
Read more about shared preferences: Save simple data with SharedPreferences | Android Developers
Login with user name shopuser and password !ns3csh0p
You will see that it has modified a lot of data in the directory
Open another terminal and gain shell access to the device again
adb shell
Now let’s go to /data/data/com.insecureshop and inspect the shared preferences file.
cat /data/data/com.insecureshop/shared_prefs/Prefs.xml
You can see that they are saving the password and user name to the file.
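One way to turn the manual cat check above into a repeatable scan, as an added example that is not part of the original post: it parses a SharedPreferences XML file and reports entries whose key name looks like a secret, masking the value. The sample file is constructed (its key names are assumptions; the credentials are the test login used in this post), and the pattern list and the scan_prefs name are illustrative.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Key-name fragments that suggest a secret; an assumed starting list, tune per app.
SENSITIVE = re.compile(r"pass|pwd|secret|token|api[_-]?key|session|cred", re.I)

# Constructed sample in the SharedPreferences XML layout; key names are assumptions.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">shopuser</string>
    <string name="password">!ns3csh0p</string>
    <boolean name="first_run" value="false" />
    <set name="recent_tokens"><string>abc</string></set>
</map>
"""

def scan_prefs(xml_text, source="Prefs.xml"):
    """Return one finding per entry whose key name looks sensitive.

    Values are masked so the report itself does not leak the secret.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "map":
        raise ValueError(f"{source}: not a SharedPreferences file")
    findings = []
    for entry in root:
        key = entry.get("name", "")
        if not SENSITIVE.search(key):
            continue
        if entry.tag == "set":          # <set> holds child <string> elements
            value = ",".join(child.text or "" for child in entry)
        elif entry.tag == "string":     # <string> keeps its value as element text
            value = entry.text or ""
        else:                           # int/long/float/boolean use value="..."
            value = entry.get("value") or ""
        findings.append({"file": source, "key": key, "type": entry.tag,
                         "length": len(value),
                         "preview": value[:1] + "*" * (len(value) - 1)})
    return findings

if __name__ == "__main__":
    # Scan files given on the command line, or the constructed sample if none.
    inputs = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]]
    for name, text in inputs or [("sample", SAMPLE_PREFS)]:
        for f in scan_prefs(text, name):
            print(f"{f['file']}: key={f['key']!r} type={f['type']} "
                  f"len={f['length']} value={f['preview']}")
```

To run it against the emulator, copy the file to the host first with adb pull /data/data/com.insecureshop/shared_prefs/Prefs.xml (after adb root) and pass the local path as an argument.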
Also, note that Google recommends moving from SharedPreferences to DataStore. The DataStore file will also be available in the /data/data/<package name> directory of the device. App Architecture: Data Layer - DataStore - Android Developers
It is best practice to never store sensitive info, even encrypted. Also refer to the **OWASP MASTG (Mobile Application Security Testing Guide)** for other best practices. Android Data Storage - OWASP Mobile Application Security