2

Please advise if it is possible to intercept/monitor file I/Os on an Android device. E.g. on stock Linux we may use LSM or syscalls trap.
I hope to log the filenames of all newly created files - to a text file or SMS to another phone.
Appreciate any help to get started. Thank you in advance.

Cheers, Bill

Paul R
  • 208,748
  • 37
  • 389
  • 560
Bill Rothwell
  • 23
  • 1
  • 3

3 Answers3

6

You can use the FileObserver class:

"Monitors files (using inotify) to fire an event after files are accessed or changed by by any process on the device (including this one). FileObserver is an abstract class; subclasses must implement the event handler onEvent(int, String)."

http://developer.android.com/reference/android/os/FileObserver.html

Paulo Henrique Nonaka
  • 794
  • 7
  • 13
  • 1
    Thank you very much. As my requirement is to stop users downloading app to company phones, I guess we can delete disapproved files on detecting the download. It is much cleaner we can deny or block the file write in the first place. Is that possible? – Bill Rothwell Apr 13 '11 at 08:58
  • Well, if the download folder is always the same and the user can not change it, I think it is possible. Sure, after putting the necessary permissions on AndroidManifest.xml. If you are not compiling Android for the phone (and so can change the original code), I think you should try. – Paulo Henrique Nonaka May 20 '11 at 21:06
1

Given that Android kernel supports inotify, you can compile some tools that report filesystem activity using inotify.

Or you can try pyinotify (http://pyinotify.sourceforge.net/)

Shamit Verma
  • 3,839
  • 23
  • 22
  • Many thanks for the positive news. The follow on question is what steps I need to take to intall a kernel module on a retail Android phone, e.g. Samsung or HTC. Presume the user (phone owner) wants to install my tool, do I need the blessings of Samsung/HTC or Google. Sorry if this sounds like a stupid question. May thanks – Bill Rothwell Mar 21 '11 at 17:11
  • That (installation of Kernel module) would not be possible. I think this module is enabled by default in firmwares, but you will have to test that. – Shamit Verma Mar 22 '11 at 03:12
0

The andriod SMS service is provided by another standalone java program and the SMS message may be stored in a SQLlite database. Usually a malware program that call service of the SMS manager to poll contents in it or to send SMS message. Even you intercept all disk io from kernel, it is hardly to know which program trigger this disk IO to the manager. And it is also hard to know an IO activit's intention from inceptted file name or data block.

If you want to try the intercept feature for adacamic purpose, you can try the ptrace function in Android. It is much like ptrace in standard Linux and can intercept every system call requests sending from a process.

Houcheng
  • 2,674
  • 25
  • 32