Filesystem Analysis
How to analyse an iOS filesystem.
Last updated
How to analyse an iOS filesystem.
Last updated
Each app is given a unique 32 char UUID which represents its App directory sandbox location
Each app is also given a unique 36 char Data-UUID which contains all the application data.
The app IPA package can be found at the following location
/private/var/containers/Bundle/Application/UUID/App.app
This application should be reviewed separately using decompilation and other techniques
The Info.plist file is located at the following location (check for hard coded secrets)
/private/var/containers/Bundle/Application/UUID/App.app/Info.plist
All the application data is located at the following location (check for sensitive data storage)
/private/var/mobile/Containers/Data/Application/Data-UUID
Shared data directory (check for sensitive data storage)
/var/mobile/Containers/Shared/AppGroup/<UID>
NSUserDefaults and Cache.db (check for sensitive data storage)
/var/mobile/Containers/Data/Application/UUID/Library/Preferences/
/var/mobile/Containers/Data/Application/UUID/Library/Caches
Screenshot Data - Sensitive details should not get captured in the screenshot
/var/mobile/Containers/Data/Application/UUID/Library/Caches/Snapshots/
If any SQLlite files exist, they should be reviewed:
Application should not backup any sensitive data. Using a mac, do the following:
Get the iOS device UDID
idevice_id -l
Backup the device
idevicebackup2 backup --full -u $(idevice_id -l) ./backup
Browse the backup in MacOS
The application should not disclose anything sensitive to the syslog. Using a mac, do the following:
Get device UDID:
idevice_id -l
Use impactor on macOS with the UDID
./Applications/Impactor.app/Contents/MacOS/Impactor idevicesyslog -u <UDID>
Goto Xcode -> Devices and Simulators -> View device logs to see the logs
Grep the logs for sensitive data files
ios_deploy syslog
Another way is
Can also use .