Reduce Repetition and Free up Time With Mobile File Extracto...

src/mobile-pentesting/ios-pentesting/README.md

@@ -517,6 +517,41 @@ It's common for applications to create their own sqlite database. They may be **
 find ./ -name "*.sqlite" -or -name "*.db"
 ```
 
+### Automated extraction and triage of app storage
+
+When you have **privileged filesystem access** to the test device, it can be useful to automate the repetitive part of the storage review and then spend time on the findings instead of on file conversion and copy/paste work.
+
+- **iOS**: pull the **bundle** and **data** directories over **SSH** from a **jailbroken** device.
+- **Android**: pull the app directories over **ADB** from a **rooted** device. A practical split is:
+  - **`data/`** for the application's private sandbox
+  - **`storage/`** for files exposed to other apps / shared storage
+
+A useful pattern is to stage the extracted files on the workstation and immediately classify them with **`libmagic`**-backed type detection. This lets you generate inventories such as:
+
+- **`plist_files.txt`** for identified plist files
+- **`DB_files.txt`** for identified SQLite databases
+- **`db_extracted_plists/`** for plist blobs carved from SQLite databases
+
+This is specially useful in iOS reviews because many interesting artifacts are **binary plists** or **plists nested inside other containers**. After extraction:
+
+- Convert every plist to **XML** to make manual review and diffing easier.
+- Parse each plist for **embedded / nested plists** and write them next to the parent artifact so hidden configuration or cached tokens aren't missed.
+- Treat SQLite databases as containers too and carve plist blobs out of columns/BLOBs before triage.
+
+The [**Mobile Data Extractor**](https://github.com/Tsynack/Mobile-Data-Extractor) workflow is a good example of this approach. It supports interactive extraction from **jailbroken iOS (SSH)** and **rooted Android (ADB)**, classifies files with `python-magic`/`libmagic`, converts extracted plists to XML, and logs the discovered plist / SQLite paths for follow-up:
+
+```bash
+pip install -r requirements.txt
+python3 mobile_extractor.py
+```
+
+After the pull, add deterministic "quick win" searches over the extracted dataset:
+
+- Search by **extension** to find common secret-bearing artifacts and log the results in **`extension_search.txt`**.
+- Search all extracted files for **case-insensitive plaintext strings** such as `password`, tokens, API keys, account identifiers, or test credentials and log matches in **`string_search.txt`**.
+
+Persisting the search results is useful operationally because it preserves analyst context if the session dies or the review is resumed later.
+
 ### Firebase Real-Time Databases
 
 Developers are enabled to **store and sync data** within a **NoSQL cloud-hosted database** through Firebase Real-Time Databases. Stored in JSON format, the data gets synchronized to all connected clients in real time.
@@ -1237,6 +1272,8 @@ zero-click-messaging-image-parser-chains.md
 - OWASP iGoat [_https://github.com/OWASP/igoat_](https://github.com/OWASP/igoat) <<< Objective-C version [_https://github.com/OWASP/iGoat-Swift_](https://github.com/OWASP/iGoat-Swift) <<< Swift version
 - [https://github.com/authenticationfailure/WheresMyBrowser.iOS](https://github.com/authenticationfailure/WheresMyBrowser.iOS)
 - [https://github.com/nabla-c0d3/ssl-kill-switch2](https://github.com/nabla-c0d3/ssl-kill-switch2)
+- [https://trustedsec.com/blog/reduce-repetition-and-free-up-time-with-mobile-file-extractor](https://trustedsec.com/blog/reduce-repetition-and-free-up-time-with-mobile-file-extractor)
+- [https://github.com/Tsynack/Mobile-Data-Extractor](https://github.com/Tsynack/Mobile-Data-Extractor)
 
 
 {{#include ../../banners/hacktricks-training.md}}