(lldb) thread step-out

Find resources of an app (on jailbroken device)

An app from the App Store has the following places where its files can be found:

  1. App bundle with executable, resources and extensions: /var/containers/Bundle/Application
  2. App working directory: /var/mobile/Containers/Data/Application
  3. App Extensions working directory: /var/mobile/Containers/Data/PluginKitPlugin
  4. App Groups working directory: /var/mobile/Containers/Shared/AppGroup

The first one is signed by the developer during upload to the App Store, so no one can modify its contents without re-signing the binary (or breaking codesigning validation). The others are directories for data generated during the app's lifetime. Each of the directories above has UUID-named subfolders, where the UUID is randomly generated during app installation.
How does the system know which directory belongs to which app then? A system service called LaunchServices does.

Caveman methods (1, 2, 3, 4)

The easiest way is to run a process listing, # ps ax | grep <NAME>, on the iOS side while the app of interest is running; it shows the binary's location per process, so you can tell whether a process belongs to the app itself or to one of its app extensions.

The list of app groups the app participates in can be found by reading the binary's entitlements: # ldid -e <PATH-TO-BINARY>

Each of the UUID-named folders contains a hidden .com.apple.mobile_container_manager.metadata.plist file, which carries either the bundle ID or the app group ID in its MCMMetadataIdentifier field. So a brave reader can enumerate directories 1-4 and every subfolder in them, and search for those whose hidden plist holds the bundle ID or app group ID of interest.
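The enumeration just described, as an added example (not code from the original post): a POSIX shell function that walks the four container roots and reports every UUID-named subfolder whose hidden metadata plist mentions the given bundle ID or app group ID. On device the plist is a binary plist, but its string values are stored as plain bytes, so a binary-safe grep finds the identifier without needing plutil; the default root paths are the four directories from the list above, and the test tree in the usage is constructed.

```shell
#!/bin/sh
# Locate the container directories of an app on a jailbroken iOS device by
# matching the hidden per-container metadata plist against a bundle ID or
# app group ID. Added example, not from the original post.

META=".com.apple.mobile_container_manager.metadata.plist"

# find_containers <identifier> [root ...]
# Prints the full path of every UUID-named container under the given roots
# (default: the four container roots listed in the text) whose metadata plist
# contains <identifier>. The match is a literal substring match (-F) done
# binary-safely (-a), because the on-device plist is a bplist; it therefore
# also matches longer identifiers that embed the one given (e.g. an extension
# whose bundle ID extends the app's), so inspect the reported plists with
# plutil when an exact identity matters.
find_containers() {
    id="$1"
    shift
    if [ $# -eq 0 ]; then
        set -- /var/containers/Bundle/Application \
               /var/mobile/Containers/Data/Application \
               /var/mobile/Containers/Data/PluginKitPlugin \
               /var/mobile/Containers/Shared/AppGroup
    fi
    for root in "$@"; do
        [ -d "$root" ] || continue
        # Each container is a UUID-named directory directly under the root.
        for dir in "$root"/*/; do
            plist="${dir}${META}"
            [ -f "$plist" ] || continue
            # -q: only the exit status matters; -a: treat the bplist as text.
            if grep -qaF -- "$id" "$plist"; then
                printf '%s\n' "${dir%/}"
            fi
        done
    done
}

# Usage on device: sh find_containers.sh com.example.app
# (constructed identifier; pass extra arguments to restrict the roots searched)
if [ $# -ge 1 ]; then
    find_containers "$@"
fi
```

Running it with only an identifier searches all four roots, so a single invocation answers where the bundle, the data container, the extension containers and the shared group containers of an app live.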

Another way, for a desperate researcher, would be to look for the LaunchServices database, located in a temporary folder under one of the /private/var/containers/Data/System subfolders with a filename similar to com.apple.LaunchServices-231-v2.csstore. Although I did not find any way to conveniently read the contents of that file, apart from running LSDTrip, which is capable of talking to the responsible launch services daemon (lsd) on the device itself.

Objection and Frida (1, 2)

The task is fully automated by the objection framework for Frida:

LSDTrip (1, 2, 3, 4)

The utility LSDTrip by Jonathan Levin gives more complete output. It is open source, but the installation instructions in [2] are a little bit outdated; as of iOS 12 the entitlements should be as follows:

and the somewhat verbose output of # ./lsdtrip.arm64 dump will contain appContainer, dataContainer, groups and a list of plugin identifiers, each of which has its own place further down in the output:


Sources

[1] OWASP Mobile Security Testing Guide

[2] LSDTrip - Take a ride down the LaunchServices.framework rabbithole by Jonathan Levin


Jan 2020, iOS 12.4