# Filesystem Analysis

## Basic Checks

Each app is given a unique 32-character UUID, which represents its app directory sandbox location.

Each app is also given a unique 36-character Data-UUID directory, which contains all the application data.

* The app IPA package can be found at the following location
  * `/private/var/containers/Bundle/Application/UUID/App.app`
    * This application should be reviewed separately using decompilation and other techniques
* The Info.plist file is located at the following location (check for hard coded secrets)
  * `/private/var/containers/Bundle/Application/UUID/App.app/Info.plist`
* All the application data is located at the following location (check for sensitive data storage)
  * `/private/var/mobile/Containers/Data/Application/Data-UUID`
* Shared data directory (check for sensitive data storage)
  * `/var/mobile/Containers/Shared/AppGroup/<UID>`
* NSUserDefaults and Cache.db (check for sensitive data storage)
  * `/var/mobile/Containers/Data/Application/UUID/Library/Preferences/`
  * `/var/mobile/Containers/Data/Application/UUID/Library/Caches`
* Screenshot Data - Sensitive details should not get captured in the screenshot
  * `/var/mobile/Containers/Data/Application/UUID/Library/Caches/Snapshots/`
* If any SQLite files exist, they should be reviewed:
  * <https://sqlitebrowser.org/>
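
One way to triage a local copy of the data container for the storage checks listed above. This is an added example, not part of the original page; the function names, the name patterns in `SENSITIVE` and the sample data built by `build_demo` are assumptions made for illustration.

```python
import plistlib, re, sqlite3, tempfile
from contextlib import closing
from pathlib import Path

# Name patterns are assumptions for this example; tune them per application.
SENSITIVE = re.compile(r"passw|secret|token|api[_-]?key|session", re.I)
SQLITE_MAGIC = b"SQLite format 3\x00"

def scan_plist(path):  # XML or binary plist, e.g. NSUserDefaults
    try:
        hits, stack = [], [("", plistlib.loads(path.read_bytes()))]
    except Exception:  # not a parseable plist
        return []
    while stack:  # walk nested dicts/arrays, flagging sensitive-looking keys
        prefix, node = stack.pop()
        if isinstance(node, (dict, list)):
            pairs = node.items() if isinstance(node, dict) else enumerate(node)
            for key, value in pairs:
                if SENSITIVE.search(str(key)):
                    hits.append((path.name, "plist-key", f"{prefix}/{key}"))
                stack.append((f"{prefix}/{key}", value))
    return hits

def scan_sqlite(path):  # opened read-only; flags sensitive-looking column names
    with closing(sqlite3.connect(path.resolve().as_uri() + "?mode=ro", uri=True)) as con:
        tables = con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall()
        return [(path.name, "sqlite-column", f"{t}.{c}") for (t,) in tables
                for (c,) in con.execute("SELECT name FROM pragma_table_info(?)", (t,))
                if SENSITIVE.search(c)]

def scan_container(root):  # root: local copy of the app's Data-UUID directory
    hits = []
    for p in sorted(q for q in Path(root).rglob("*") if q.is_file()):
        with open(p, "rb") as fh:
            magic = fh.read(16)
        if magic == SQLITE_MAGIC:  # detect Cache.db and similar by header, not name
            hits += scan_sqlite(p)
        elif p.suffix == ".plist":
            hits += scan_plist(p)
    return hits

def build_demo():  # constructed sample container, not real app data
    root = Path(tempfile.mkdtemp())
    for sub in ("Library/Preferences", "Library/Caches"):
        (root / sub).mkdir(parents=True)
    (root / "Library/Preferences/com.example.app.plist").write_bytes(plistlib.dumps(
        {"theme": "dark", "user": {"authToken": "CONSTRUCTED"}}, fmt=plistlib.FMT_BINARY))
    with closing(sqlite3.connect(root / "Library/Caches/Cache.db", isolation_level=None)) as con:
        con.execute("CREATE TABLE login (id INTEGER, password TEXT)")
    return root
```

`scan_container(build_demo())` returns one finding per flagged plist key or SQLite column. Each finding is a pointer for manual review of the stored value, not proof that a secret is present.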

## Backup Check

The application should not back up any sensitive data. Using a Mac, do the following:

* Get the iOS device UDID
  * `idevice_id -l`
* Back up the device
  * `idevicebackup2 backup --full -u $(idevice_id -l) ./backup`
* Browse the backup in macOS

## Read the SYSLOG

The application should not disclose anything sensitive to the syslog. Using a Mac, do the following:

* Get device UDID:
  * `idevice_id -l`
* Use Impactor on macOS with the UDID
  * `./Applications/Impactor.app/Contents/MacOS/Impactor idevicesyslog -u <UDID>`
* Another way is [using Xcode](https://developer.apple.com/documentation/os/logging/viewing_log_messages)
  * Go to Xcode -> Devices and Simulators -> View device logs to see the logs
  * Grep the logs for sensitive data files
* You can also use [ios-deploy](https://github.com/ios-control/ios-deploy).
  * `ios_deploy syslog`

