Once Jailbroken, Will iOS Apps Run with Root Privilege

Once jailbroken, will iOS apps run with root privilege?

Not disagreeing with anything H2CO3 said, but to add some further clarification ...

  • Apps installed in /private/var/mobile/Applications/(†) with Xcode will run with user mobile privileges, even on jailbroken phones.

  • Even on a jailbroken phone, apps installed to /private/var/mobile/Applications/(†) will be sandboxed almost (‡) like apps on a jailed phone. So, no reading other (normal) apps' data, even if those files are owned by user mobile.

  • For a good description of the process that apps like Cydia use to run as root, see this answer. Or, just ssh into your phone, and take a look inside /Applications/Cydia.app/ yourself.

  • If you simply copy/install an app (without doing what H2CO3 suggested) to /Applications/, it won't be sandboxed, but it will still run with mobile (UID=501) privileges:

iPhone5:~ root# cd /Applications

iPhone5:/Applications root# ls -altr ./HelloJB.app/
total 220
-rw-r--r-- 1 root wheel 711 Apr 3 20:36 entitlements.xml
-rw-r--r-- 1 root wheel 297 Apr 3 20:36 entitlements-daemon.xml
-rw-r--r-- 1 root wheel 7972 Apr 3 20:36 embedded.mobileprovision
-rw-r--r-- 1 root wheel 58755 Apr 3 20:36 date.zip
-rw-r--r-- 1 root wheel 485 Apr 3 20:36 ResourceRules.plist
-rw-r--r-- 1 root wheel 8 Apr 3 20:36 PkgInfo
-rw-r--r-- 1 root wheel 1226 Apr 3 20:36 Info.plist
-rw-r--r-- 1 root wheel 10960 Apr 3 20:36 Icon@2x.png
-rw-r--r-- 1 root wheel 8328 Apr 3 20:36 Icon.png
-rw-r--r-- 1 root wheel 451 Apr 3 20:36 HelloJB.plist
-rwxr-xr-x 1 root wheel 61088 Apr 3 20:36 HelloJB*
-rwxr-xr-x 1 root wheel 42688 Apr 3 20:36 HelloDaemon*
drwxr-xr-x 2 root wheel 136 Apr 3 20:36 en.lproj/
drwxr-xr-x 2 root wheel 102 Apr 3 20:36 _CodeSignature/
drwxr-xr-x 4 root wheel 544 Apr 3 20:36 ./
drwxrwxr-x 54 root admin 1904 Apr 5 02:14 ../

iPhone5:/Applications root# ps -Aef | grep HelloJB
501 9412 1 0 0:00.00 ?? 0:00.33 /Applications/HelloJB.app/HelloJB

iPhone5:/Applications root# grep mobile /etc/passwd
mobile:*:501:501:Mobile User:/var/mobile:/bin/sh

(‡) Here's a good discussion, with input from Saurik, about how different jailbreaks may affect the sandbox. Long story short: it depends.


(†) Update: in recent versions of iOS, the location of 3rd-party apps has been moved to /var/mobile/Containers, and later to /var/containers/, but the same basic sandbox issues remain.

How to gain root privileges for iOS app?

What step 4 is telling you:

Open the original executable file and delete its contents (the contents are now stored in the previously copied and renamed binary).

is simply that you have moved the executable file for your app to a new filename, and you should replace it with a script with the name of the original executable.

Example

  • If you build an app named HelloWorld, Xcode will create a HelloWorld.app directory, with a file named HelloWorld inside it, which is executable.

  • The answer you link to suggests basically renaming the executable to something like MobileHelloWorld.

  • Once you've done that, create a new file in the HelloWorld.app directory called HelloWorld, and edit it with a text editor to give it this content:

#!/bin/bash
dir=$(dirname "$0")
exec "${dir}"/MobileHelloWorld "$@"

That script will then be run when you tap the app's icon, because in the app's Info.plist file, the name of the executable is

    <key>CFBundleExecutable</key>
    <string>HelloWorld</string>

and HelloWorld is now a shell script, which invokes MobileHelloWorld, the renamed binary executable file.

Gaining root permissions on iOS for NSFileManager (Jailbreak)

It is true, the app has to run as root to access non-mobile directories. After discussing this with Optimo and Saurik I finally found the right way to get root privileges.

  1. In the main() function add setuid(0); and setgid(0);
  2. Build the app normally.
  3. Create a copy of the executable file in the app bundle.
  4. Open the original executable file and replace its content with this script:

    #!/bin/bash
    dir=$(dirname "$0")
    exec "${dir}"/COPIED_EXECUTABLE_NAME "$@"

    Directly launching a root app fails on iOS. Therefore we replace the app's main executable with a script that launches the root executable.

  5. In terminal, navigate to the app bundle.

  6. chmod 0775 the original executable file and chmod 6775 the copied executable file.
  7. Copy the app bundle to /Applications to a device. Restart SpringBoard and you should be good to go. If the app doesn't launch then repeat step 5 & 6 on the device.

iOS: Access to root directory in a jailbroken iPhone

I answered here in a similar question, How to get inbox all SMS on iPhone SDK?

It is possible if you have a jailbroken device. You may use jailcoder to fake code signing and then move your app to the /Applications folder. This way you can access any database on your jailbroken iOS device.

How to get Root privileges developing iPhone app using Xcode

3. Create a copy of the executable file in the app bundle.

When you build a project in Xcode, it will produce an output directory. This varies by machine, so you'll have to search your filesystem. However, if your app is named HelloWorld, normally, you'd have a directory named HelloWorld.app. This is what the answer is referring to as the app bundle. From the command line (or using your Mac's Finder), go inside HelloWorld.app and make a copy of the HelloWorld executable file. Normally, I name the copy MobileHelloWorld.

4. Open the original executable file and replace its content with this script:

    #!/bin/bash
    dir=$(dirname "$0")
    exec "${dir}"/COPIED_EXECUTABLE_NAME "$@"

Directly launching a root app fails on iOS. Therefore we replace the app's main executable with a script that launches the root executable.

I guess I would have described this step differently. You can delete the file. Create a new script with the same filename (HelloWorld) and edit it to include the lines above, starting with #!/bin/bash. Of course, COPIED_EXECUTABLE_NAME would be replaced with MobileHelloWorld in my example.

So, iOS will launch your script directly, instead of your executable. However, your script will then launch your executable and because of the permissions you've given those files, your running executable will have root privileges.

5. In terminal, navigate to the app bundle.

You're probably already in this "bundle" directory. (HelloWorld.app)

6. chmod 0775 the original executable file and chmod 6775 the copied executable file.

Issue the chmod command so that the HelloWorld file has 775 permissions (rwxrwxr-x). The MobileHelloWorld file should then have 6775 permissions (rwsrwsr-x).

7. Copy the app bundle to /Applications to a device. Restart SpringBoard and you should be good to go. If the app doesn't launch then repeat step 5 & 6 on the device.

Using whatever tool you like (I just use scp since my device is jailbroken with openssh installed), copy the entire HelloWorld.app folder to the iOS device. So, you would have a folder named: /Applications/HelloWorld.app/ which contains the bash script, the copied/renamed executable, and any other bundle resources (.png files, .xib files, etc.) your app contains.

Example

If you have a jailbroken device, install openssh and ssh into the phone, then check out how the Cydia app itself accomplishes this. You can view the /Applications/Cydia.app/Cydia script file, which launches the MobileCydia executable with root privileges.

Another Way

Actually, if you only want to access /var/mobile/Library, that doesn't require root access. That directory is owned by the mobile user, so root isn't necessary. What is necessary is escaping the normal iOS 3rd-party app sandbox. To do that, simply copy your HelloWorld.app folder and its contents to the /Applications/ folder on your device. Apps installed there, as opposed to /var/mobile/Applications, won't have such tight sandbox restrictions.

So, none of that copying of the executable or inserting a bash script is necessary. Steps 3 through 6 can be skipped.

Hope that helps. Sorry for my snarky comment.
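The answers above all describe the same layout: CFBundleExecutable points at a shell script that exec()s a copied binary carrying the setuid bit. An auditor on a jailbroken device wants to spot exactly that layout under /Applications. The script below is an added example, not code from any of the answers or from Cydia; it assumes only the bundle layout the answers describe (Info.plist, a script named in CFBundleExecutable, a setuid sibling) and builds a constructed sample bundle in a temp directory to run against.

```shell
#!/bin/sh
# Audit helper for the wrapper-script pattern from the answers above: the bundle's
# CFBundleExecutable is a script that hands off to a setuid sibling binary.
# Added example, not code from the answers; the bundle layout is the only assumption.

# Print the CFBundleExecutable value from an XML Info.plist (no plutil needed).
bundle_executable() {
    tr -d '\n' < "$1/Info.plist" |
        sed -n 's/.*<key>CFBundleExecutable<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p'
}
# 0 if the bundle's main executable starts with "#!" (a script, not Mach-O), else 1.
main_executable_is_script() {
    exe="$1/$(bundle_executable "$1")"
    [ -f "$exe" ] || return 1
    [ "$(head -c 2 "$exe" 2>/dev/null)" = "#!" ]
}
# Regular files in the bundle carrying the setuid bit, which chmod 6775 sets.
setuid_files() {
    find "$1" -type f -perm -4000
}
# Verdict: 0 when both a wrapper script and a setuid file are present, else 1.
audit_bundle() {
    main_executable_is_script "$1" || return 1
    [ -n "$(setuid_files "$1")" ]
}
# Build a constructed sample bundle in a temp dir and print its path.
# "suspicious" reproduces the layout from the answers; "clean" is an ordinary bundle.
make_sample_bundle() {
    b="$(mktemp -d)/HelloWorld.app"
    mkdir -p "$b"
    printf '<plist version="1.0"><dict>\n<key>CFBundleExecutable</key>\n' > "$b/Info.plist"
    printf '<string>HelloWorld</string>\n</dict></plist>\n' >> "$b/Info.plist"
    if [ "$1" = suspicious ]; then
        printf '#!/bin/bash\ndir=$(dirname "$0")\nexec "${dir}"/MobileHelloWorld "$@"\n' > "$b/HelloWorld"
        printf '\317\372\355\376 fake Mach-O body' > "$b/MobileHelloWorld"  # constructed magic bytes
        chmod 0775 "$b/HelloWorld"
        chmod 6775 "$b/MobileHelloWorld"
    else
        printf '\317\372\355\376 fake Mach-O body' > "$b/HelloWorld"
        chmod 0755 "$b/HelloWorld"
    fi
    echo "$b"
}

for mode in suspicious clean; do
    audit_bundle "$(make_sample_bundle "$mode")" && echo "$mode: wrapper script + setuid binary" || echo "$mode: ok"
done
```

On a real device, run audit_bundle over each directory in /Applications (for example with a for loop over /Applications/*.app) rather than over the constructed sample.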
