O'Reilly logo

Hacking and Securing iOS Applications by Jonathan Zdziarski

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Commonly Recovered Data

A number of different files can be recovered by scraping the HFS journal. Really, anything that was once live on the filesystem can be recovered; especially smaller files such as property lists, images, and other similar data. Because the HFS journal has a finite size, smaller files are more likely to be recovered than larger ones.

Application Screenshots

When an application suspends into the background, a capture of the screen contents is taken and written to disk. This is done so that when the user returns to the application, the window appears to zoom back into display, as if the application is immediately loaded from the background. In reality, the application takes a brief moment to load back and become active again, and the animation affords the program the time it needs.

Application screenshots are repeatedly taken whenever the application is suspended, and then later deleted or overwritten. This can also happen if a phone call is received or another event causes your application to suspend. Deleted versions of these application screenshots are often found in the HFS journal, leaking the contents of even the most securely encrypted data in your application (see Figure 6-1).

Recovered screenshot of a user’s mail, a useful tool in forensics

Figure 6-1. Recovered screenshot of a user’s mail, a useful tool in forensics

In addition to application screenshot leakage, secure websites are also subject to this common screenshot ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required