AppOps Permission Operation State
Location
/data/system/appops.xml, /data/system/appops-accesses.xml, and dumpsys appops outputCommon Names
Description
System service state used by AppOpsManager to track sensitive operation decisions and usage, including notification access, background location, exact alarms, clipboard reads, and other app-level operations beyond the basic manifest permission model.
Forensic Value
AppOps state helps identify which apps were allowed to perform sensitive actions that are commonly abused by spyware, stalkerware, or banking trojans. It can show whether an app had notification-listener, accessibility-adjacent, background-location, or overlay-related operational allowances and, on newer releases, whether those operations were actively accessed. This is especially useful when manifest permissions alone are insufficient to explain how an app captured user content or stayed active in the background.
Tools Required
Collection Commands
adb
adb shell dumpsys appops > appops_dump.txt
adb
adb pull /data/system/appops.xml /forensics/output/ 2>/dev/null && adb pull /data/system/appops-accesses.xml /forensics/output/ 2>/dev/null
ALEAPP
python3 aleapp.py -t tar -i /path/to/extraction -o /forensics/output/
Collection Constraints
- •Availability depends on Android version, OEM build, encryption state, privilege level, and whether the collection was logical, rooted, or full-filesystem. OEM-specific builds may move or rename stores.
- •Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.
- •The exact files and operation granularity vary by Android release and OEM. Some AppOps state is easiest to confirm through dumpsys on a live, unlocked device.