The user password can be found unencrypted in an Sqlite Write-Ahead Log in the applications Data Container on the device:

/var/mobile/Containers/Data/Application/[UUID]/Documents/MyAPPLICATION.sqlite-wal

Based on the frame history in the Write-Ahead Log, the password is inserted temporarily in the ZUSER table in plaintext and later gets overwritten by a bcrypt hashed password, but the WAL journal keeps the original commit until it grows to over 1000 pages (which could take some time, depending on user activity) or the user logs out of the application, which deletes data from the database, but until then the password can be read from this file.

Although mandatory 3rd party application sandboxing prevents applications from directly accessing other applications containers, the contents of that directory can be read by the following methods:

• jailbreaking the device

• connecting the phone to a computer and downloading the applications Documents folder with ios-deploy --download=/Documents --bundle_id com.my.app --to ./myAPP_dumps

Remediation:

Always use the iOS Keychain to store sensitive information such as credentials.

Review the code to find where it sets this plaintext password and remove the offending code.

Downloading iOS Local Storage Directory of Application Package from Device to Local Machine

We use -r for recursively dowloading the whole directory.

  scp -r root@192.168.1.18:/private/var/mobile/Containers/Data/Application/<IDENTIFIER> /home/kali/Downloads