Filesystem Analysis
How to analyse an iOS filesystem.
Basic Checks
Each app is given a unique 32 char UUID, which identifies its App directory (bundle) sandbox location.
Each app is also given a unique 36 char Data-UUID, which identifies the container holding all of the application data.
The app IPA package (the installed bundle) can be found at the following location:
/private/var/containers/Bundle/Application/UUID/App.app
This application bundle should be reviewed separately using decompilation and other static analysis techniques.
The Info.plist file is located at the following location (check for hard-coded secrets):
/private/var/containers/Bundle/Application/UUID/App.app/Info.plist
All the application data is located at the following location (check for sensitive data storage):
/private/var/mobile/Containers/Data/Application/Data-UUID
Shared data directory, used by app groups (check for sensitive data storage):
/var/mobile/Containers/Shared/AppGroup/<UID>
NSUserDefaults plists and Cache.db (check for sensitive data storage):
/var/mobile/Containers/Data/Application/UUID/Library/Preferences/
/var/mobile/Containers/Data/Application/UUID/Library/Caches
Screenshot data - sensitive details should not be captured in the snapshot iOS takes when the app is backgrounded:
/var/mobile/Containers/Data/Application/UUID/Library/Caches/Snapshots/
If any SQLite files exist anywhere under these directories, they should be reviewed for sensitive data.
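The checks above can be run against an extracted copy of the device filesystem in one pass. The following triage script is an added example, not part of the original page: it walks the bundle, data and shared-container directories named above, lists the Info.plist, Preferences plists and Snapshots it finds, and identifies SQLite databases by their file header rather than their suffix (so Cache.db is not missed). The placeholder UUIDs and the sample layout built by make_sample_fs are constructed for the demonstration.

```python
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 database
# Container roots from the checklist above, relative to /var of the extracted filesystem
BUNDLE_ROOT = "containers/Bundle/Application"
DATA_ROOT = "mobile/Containers/Data/Application"
SHARED_ROOT = "mobile/Containers/Shared/AppGroup"

def is_sqlite(path):
    """Recognise SQLite files by magic bytes, not suffix (Cache.db, .sqlite, .db, none...)."""
    try:
        with open(path, "rb") as f:
            return f.read(16) == SQLITE_MAGIC
    except OSError:
        return False

def triage(root):
    """List the review targets from the checklist as paths relative to the dump root."""
    root = Path(root)
    rel = lambda p: str(p.relative_to(root))
    # iOS /var is a symlink to /private/var; a dump may have been extracted under either name
    var = next((p for p in (root / "private/var", root / "var") if p.is_dir()), root / "var")
    found = {"info_plist": [], "preferences": [], "snapshots": [], "sqlite": []}
    found["info_plist"] += [rel(p) for p in var.glob(BUNDLE_ROOT + "/*/*.app/Info.plist")]
    for c in [c for b in (DATA_ROOT, SHARED_ROOT) for c in (var / b).glob("*") if c.is_dir()]:
        found["preferences"] += [rel(p) for p in (c / "Library/Preferences").glob("*.plist")]
        found["snapshots"] += [rel(p) for p in (c / "Library/Caches/Snapshots").rglob("*") if p.is_file()]
        found["sqlite"] += [rel(p) for p in c.rglob("*") if p.is_file() and is_sqlite(p)]
    return {k: sorted(v) for k, v in found.items()}

def make_sample_fs(base):
    """Constructed sample layout with placeholder UUIDs, standing in for a real device dump."""
    base = Path(base)
    app = base / "private/var" / BUNDLE_ROOT / "BUNDLE-UUID" / "Demo.app"
    data = base / "private/var" / DATA_ROOT / "DATA-UUID"
    for d in (app, data / "Library/Preferences", data / "Library/Caches/Snapshots", data / "Documents"):
        d.mkdir(parents=True)
    (app / "Info.plist").write_text("<plist/>")
    (data / "Library/Preferences/com.example.demo.plist").write_text("<plist/>")
    (data / "Library/Caches/Snapshots/screen.png").write_bytes(b"\x89PNG")
    (data / "Library/Caches/Cache.db").write_bytes(SQLITE_MAGIC + b"\x00" * 84)  # SQLite, no .sqlite suffix
    (data / "Documents/notes.sqlite").write_bytes(b"not a database")  # suffix lies; header check skips it
    return base

def demo():
    """Build the sample dump in a temp dir and triage it; returns the findings dict."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(make_sample_fs(tmp))
```

Point triage() at the root of a real extracted filesystem (or a mounted device dump) and review each listed path by hand; the found SQLite files can then be opened with the sqlite3 CLI.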
Backup Check
The application should not back up any sensitive data. Using a Mac, do the following:
Get the iOS device UDID:
idevice_id -l
Back up the device:
idevicebackup2 backup --full -u $(idevice_id -l) ./backup
Browse the backup on macOS and check whether any sensitive application data was included.
Read the syslog
The application should not disclose anything sensitive to the syslog. Using a Mac, do the following:
Get device UDID:
idevice_id -l
Use Impactor on macOS with the UDID:
./Applications/Impactor.app/Contents/MacOS/Impactor idevicesyslog -u <UDID>
Another way is using Xcode:
Go to Xcode -> Devices and Simulators -> View Device Logs to see the logs.
Grep the logs for sensitive data.
ios_deploy can also be used:
ios_deploy syslog