Pentest List Wiki
Filesystem Analysis

How to analyse an iOS filesystem.


Last updated 11 months ago

Basic Checks

Each app is given a unique 32-character UUID that names its App directory, the sandbox location of the installed bundle.

Each app is also given a unique 36-character Data-UUID that names the container holding all of the application's data.

  • The app IPA package can be found at the following location:

    • /private/var/containers/Bundle/Application/UUID/App.app

      • This application bundle should be reviewed separately using decompilation and other techniques

  • The Info.plist file is located at the following location (check for hard-coded secrets):

    • /private/var/containers/Bundle/Application/UUID/App.app/Info.plist

  • All the application data is located at the following location (check for sensitive data storage):

    • /private/var/mobile/Containers/Data/Application/Data-UUID

  • Shared data directory (check for sensitive data storage):

    • /var/mobile/Containers/Shared/AppGroup/<UID>

  • NSUserDefaults and Cache.db (check for sensitive data storage):

    • /var/mobile/Containers/Data/Application/Data-UUID/Library/Preferences/

    • /var/mobile/Containers/Data/Application/Data-UUID/Library/Caches

  • Screenshot data - sensitive details should not be captured in the screenshot:

    • /var/mobile/Containers/Data/Application/Data-UUID/Library/Caches/Snapshots/

  • If any SQLite files exist, they should be reviewed; DB Browser for SQLite (https://sqlitebrowser.org/) can be used for this.
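The checks above (hard-coded values in plists, NSUserDefaults, Cache.db and other SQLite stores, snapshot images) can be swept automatically once the Data-UUID container has been pulled off the device. The script below is an added example and not part of the wiki page: it builds a constructed container in a temporary directory (bundle id com.example.app, the plist keys, the table layouts and all values are made up for the demo, and the Cache.db table is a simplified stand-in for the real NSURLCache schema) and then runs the same review over it. The key and value patterns are heuristics to tune per application.

```python
"""Sweep an iOS app Data-UUID container for sensitive data at rest.

Added example, not code from the wiki page. The container, the bundle id
com.example.app and every sample value are constructed for the demo.
"""
import os
import plistlib
import re
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 database

# Heuristics (constructed for this example): key names that suggest a credential,
# and value shapes that look like a JWT, an AWS access key id or an e-mail address.
SENSITIVE_KEY = re.compile(r"pass(word)?|secret|token|api[_-]?key|session|auth", re.I)
SENSITIVE_VALUE = re.compile(
    r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"         # JWT-like header.payload
    r"|AKIA[0-9A-Z]{16}"                                  # AWS access key id shape
    r"|[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"    # e-mail address
)


def looks_sensitive(key, value):
    return bool(SENSITIVE_KEY.search(key) or SENSITIVE_KEY.search(value)
                or SENSITIVE_VALUE.search(value))


def is_sqlite(path):
    """Detect SQLite by magic header, not extension (Cache.db, .sqlite, .db, ...)."""
    try:
        with open(path, "rb") as f:
            return f.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def scan_plist(path):
    """Walk an XML or binary plist and report keys/values that look sensitive."""
    findings = []
    try:
        with open(path, "rb") as f:
            data = plistlib.load(f)
    except Exception:
        return findings  # not a parseable plist; leave it for manual review

    def walk(obj, trail):
        if isinstance(obj, dict):
            for k, v in obj.items():
                walk(v, trail + [str(k)])
        elif isinstance(obj, list):
            for i, v in enumerate(obj):
                walk(v, trail + [str(i)])
        elif looks_sensitive("/".join(trail), str(obj)):
            findings.append(("plist", path, "/".join(trail), str(obj)))

    walk(data, [])
    return findings


def scan_sqlite(path):
    """Dump every table of a SQLite file and flag sensitive-looking columns or cells."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for row in con.execute(f'SELECT * FROM "{table}"'):
                for col, val in zip(cols, row):
                    if val is None or isinstance(val, bytes):
                        continue  # blobs need their own parser (often nested plists)
                    if looks_sensitive(col, str(val)):
                        findings.append(("sqlite", path, f"{table}.{col}", str(val)))
    finally:
        con.close()
    return findings


def scan_container(root):
    """Apply the page's checks to every file below a Data-UUID directory."""
    findings = []
    snapshots = os.path.join("Library", "Caches", "Snapshots")
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if rel.startswith(snapshots):   # screenshots: review the image by eye
                findings.append(("snapshot", path, rel, "check image for sensitive screen content"))
            elif name.endswith(".plist"):
                findings.extend(scan_plist(path))
            elif is_sqlite(path):
                findings.extend(scan_sqlite(path))
    return findings


def build_sample_container(root):
    """Constructed Data-UUID container containing the kinds of leak a review should catch."""
    prefs, caches, docs = (os.path.join(root, *p) for p in
                           (("Library", "Preferences"), ("Library", "Caches"), ("Documents",)))
    for d in (prefs, os.path.join(caches, "Snapshots"), docs):
        os.makedirs(d, exist_ok=True)
    with open(os.path.join(prefs, "com.example.app.plist"), "wb") as f:   # NSUserDefaults
        plistlib.dump({"theme": "dark",
                       "authToken": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.sig"}, f)
    con = sqlite3.connect(os.path.join(caches, "Cache.db"))   # simplified NSURLCache table
    con.execute("CREATE TABLE cfurl_cache_response (entry_ID INTEGER, request_key TEXT)")
    con.execute("INSERT INTO cfurl_cache_response VALUES (1, 'https://api.example.com/me?session=abc')")
    con.commit(); con.close()
    con = sqlite3.connect(os.path.join(docs, "app.sqlite"))   # the app's own store
    con.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice@example.com', 'hunter2')")
    con.commit(); con.close()
    with open(os.path.join(caches, "Snapshots", "snap.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n")   # header only; a real one is an image of the last screen


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_container(root)
        return scan_container(root)


if __name__ == "__main__":
    for kind, path, where, value in demo():
        print(f"[{kind}] {where}: {value}")
```

Point `scan_container` at a pulled Data-UUID directory to use it for real; blobs are skipped on purpose, since iOS apps frequently store nested binary plists in them and those deserve a dedicated pass.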

Backup Check

The application should not back up any sensitive data. Using a Mac, do the following:

  • Get the iOS device UDID:

    • idevice_id -l

  • Back up the device:

    • idevicebackup2 backup --full -u $(idevice_id -l) ./backup

  • Browse the backup in macOS and check which of the application's files it contains
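Browsing the backup directory by hand is awkward because the files are stored under hashed names. The script below is an added example, not code from the wiki page: it resolves the app's entries from the backup's Manifest.db (on iOS 10 and later the on-disk name is SHA-1 of domain + "-" + relativePath, kept in a sub-directory named after its first two hex digits) and reports which regular files the app let into the backup. The backup layout, the bundle id com.example.app and the file list are constructed for the demo; real Manifest.db rows also carry a binary plist of metadata in the file column, which is left NULL here.

```python
"""List what an app contributed to an unencrypted iOS backup.

Added example, not code from the wiki page. The backup tree and the bundle
id com.example.app are constructed for the demo.
"""
import hashlib
import os
import sqlite3
import tempfile

FLAG_FILE, FLAG_DIR = 1, 2   # Files.flags values seen in backups (4 = symlink)


def backup_file_id(domain, relative_path):
    """On-disk name of a backed-up item: SHA-1 over "<domain>-<relativePath>"."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()


def app_files_in_backup(backup_dir, bundle_id):
    """Return (relativePath, on-disk path, present) for each regular file in the app's domain."""
    con = sqlite3.connect(os.path.join(backup_dir, "Manifest.db"))
    try:
        rows = con.execute(
            "SELECT fileID, relativePath, flags FROM Files WHERE domain = ? ORDER BY relativePath",
            (f"AppDomain-{bundle_id}",)).fetchall()
    finally:
        con.close()
    out = []
    for file_id, rel, flags in rows:
        if flags != FLAG_FILE:
            continue  # directories and symlinks carry no payload to review
        on_disk = os.path.join(backup_dir, file_id[:2], file_id)
        out.append((rel, on_disk, os.path.isfile(on_disk)))
    return out


def build_sample_backup(root):
    """Constructed backup: Manifest.db plus payload files laid out like a real backup."""
    con = sqlite3.connect(os.path.join(root, "Manifest.db"))
    con.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                "relativePath TEXT, flags INTEGER, file BLOB)")
    app = "AppDomain-com.example.app"
    entries = [  # (domain, relativePath, flags, write a payload file?)
        (app, "Documents", FLAG_DIR, False),
        (app, "Documents/app.sqlite", FLAG_FILE, True),
        (app, "Library/Preferences/com.example.app.plist", FLAG_FILE, True),
        (app, "Library/Application Support/missing.bin", FLAG_FILE, False),  # listed, payload absent
        ("HomeDomain", "Library/SMS/sms.db", FLAG_FILE, True),  # another domain; must be ignored
    ]
    for domain, rel, flags, write in entries:
        file_id = backup_file_id(domain, rel)
        con.execute("INSERT INTO Files VALUES (?, ?, ?, ?, NULL)", (file_id, domain, rel, flags))
        if write:
            os.makedirs(os.path.join(root, file_id[:2]), exist_ok=True)
            with open(os.path.join(root, file_id[:2], file_id), "wb") as f:
                f.write(b"constructed payload")
    con.commit()
    con.close()


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_backup(root)
        return app_files_in_backup(root, "com.example.app")


if __name__ == "__main__":
    for rel, on_disk, present in demo():
        print(f"{'ok     ' if present else 'MISSING'} {rel} -> {on_disk}")
```

Run it against the ./backup directory the idevicebackup2 command produces and each listed relativePath is a file the app chose not to exclude from backup; anything holding credentials or personal data there is a finding. This only works on an unencrypted backup: when backup encryption is enabled, Manifest.db itself is encrypted and must be unlocked with the backup password first.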

Read the SYSLOG

The application should not disclose anything sensitive to the syslog. Using a Mac, do the following:

  • Get the device UDID:

    • idevice_id -l

  • Use Impactor on macOS with the UDID to stream the device syslog:

    • ./Applications/Impactor.app/Contents/MacOS/Impactor idevicesyslog -u <UDID>

  • Grep the logs for sensitive data

Another way is using Xcode: go to Xcode -> Devices and Simulators -> View device logs to see the logs.

ios_deploy can also be used:

  • ios_deploy syslog