Mobile devices and apps such as cloud apps are a potential attack vector in an advanced persistent threat (APT) incident, due to their capability to store sensitive data (e.g. backup of private and personal data in digital repositories) and access sensitive resources (e.g. compromising the device to access an organisational network). These devices and apps are, thus, a rich source of digital evidence. It is vital to be able to identify artefacts of forensic interest transmitted to/from and stored on the devices. However, security mechanisms in mobile platforms and apps can complicate the forensic acquisition of data. In this paper, we present techniques to circumvent security mechanisms and facilitate collection of artefacts from cloud apps. We then demonstrate the utility of the circumvention techniques using 18 popular iOS cloud apps as case studies. Based on the findings, we present the first iOS cloud app security taxonomy that could be used in the investigation of an APT incident. •Circumventing iOS security mechanisms for APT forensic investigations.•Advanced persistent threat forensic investigations.•Techniques to circumvent SSL/TLS on iOS devices.•iOS cloud app security taxonomy.