For the longest time a big struggle with doing mobile application assessments on iOS has been monitoring applications as they drop files to the file system. There were definitely ways to do this but they involved taking snapshots of the application directory with tools like macrobber. This is less than adequate because some of these apps drop unencrypted files with sensitive data but later delete them as part of a functions cleanup. A realtime solution was needed.
Recently Jonathan Levin published a book entitled “Mac OS X and iOS Internals: To the Apples Core” which is a stellar reference for anyone doing iOS application auditing.
In the book he releases some C code to call Apples FSEvents API in iOS. To install and use the code you must 1st have some way to move it to your jailbroken device:
- If you dont have it already, from Cydia, get wget
- wget http://www.newosxbook.com/files/filemon.iOS
- chmod +x filemon.iOS
Once the compiled binary is there:
This will start you up! Click the below image to see the beautiful output:
The low level C code is also available from the books companion website:
Using this technique and using breakpoints in GDB for your app, you can now grab those elusive files that you might have missed before. Plus we can now automate, through shell scripting, the finding of of all kinds of M1 Insecure data storage vulns!