Hi all - wondering what the best way to get hold of install logs for iOS apps on a device - so you're able to see times and dates when apps were downloaded, deleted and potentially reinstalled?Â
Â
Â
"iOS third-party apps can be installed from the Apple App Store, where they are organized based on categories (e.g., Social Networking, Business/Productivity, Navigation & Travel, and so on).
Once an app is installed on an iOS device:
• App Bundle is installed in a subfolder in the /private/var/containers/Bundle folder
• App Data is stored in a subfolder in the /private/var/mobile/Containers/Data/Application/
folder (App Sandbox)
The easiest way to track down an iOS application’s Data folder is to analyze the /private/var/mobile/Library/FrontBoard/applicationstate.db database, as described in a blog post by
Alexis Brignoni2. Some Apps can also store data in other subfolders like theÂ
/private/var/mobile/Containers/Share/AppGroup/ folder."
I copied the entire text from the SANS cheatsheet booklet p. 22 😉
One thing I have to add though: The applicationstate.db/ appstate.db does NOT log uninstall or deletion. You can only see whether or not an app actually was/is installed, including pre-installed stuff on non-vanilla OSes.
You could filter user interaction data regarding a certain app to find out the rest, maybe 'digital wellbeing' logs such actions. You can also figure that out by looking at the data it left - empty or no databases, empty folders, no usage after a certain date/time etc.
Btw, that very db should be the one that is used by cellebrite reader to fill the "installed applications" category so that also only shows the actual installation, nothing more.Â