In my ongoing hunting for new(ish) research to blog about I recently came across a database on iOS that I couldn't find much info on in the wider community. As briefly touched on from Mattia (read his blog here) the storeUser.db contains details on app installs and purchases from the app store. From the full file system extraction the database lives at path:
private\var\mobile\Library\Caches\com.apple.appstored\storeUser.db*
I have seen variations of the amount of tables from across different iOS versions but generally the two tables of interest are:
- current_apps - A list of the current apps installed on the phone, including versioning history
- purchase_history_apps - A list of purchased apps from the app store, TBD if these have to be installed locally to show here
Current Apps
Here we get generalized information regarding the apps that are installed on the device, including bundle ID's, name, timestamp of installation, app version (including entries for multiple versions of the same app).
Figure 1: current_apps table query from Josh Hickman's iOS 17 image
We do get a deletion date column but I have not seen that with any data in all my test images so far.
If we focus on the GETTR app, we can see that the install date aligns nicely with Josh's image creation documentation (his date is local vs. UTC in the DB).
Figure 2: GETTR info from Josh's image creation documentation
Having historical versioning of app installs can be helpful in possibly tracing how long the device had been utilizing a specific app and tracking down times when a specific version might have been used if there is a need to test/recreate scenarios.
Purchase History Apps
In this table we get more information about apps that were purchased from the Apple App Store. While this might not mean they were directly installed on the device they can be associated with an ender user account.
There is a column for a flag if the app was hidden from the Springboard which seems to suggest this might be a list of apps on the device itself, but I know there are times when you're setting up a new device they don't always download and have an iCloud download icon next to it. My understanding is that family shared apps would show here too.
Figure 3: purchase_history_apps query from Josh's iOS 17 image
Parsers have been added to the latest iLEAPP codebase, please test it out and let me know!
