I have a phenomenon here on an iPad 1. It was running 4.3.2 and a jailbreak was applied to it. Later it has been updated to 4.3.5 which it is still running.
I wrote a little test app to see if I can detect a jailbroken device. The tests I use are:
The idea is: on a device that is not jailbroken, access will fail in both cases as the app cannot reach out of its sandbox. If either test returns YES, I assume a jailbreak. I tested this on a couple of unbroken devices and neither can be accessed. I also tested on a jailbroken iPhone 3GS and both can be accessed.
The I tried the iPad 1 with 4.3.5 and there is no Cydia installed, so the 2nd check obviously failed but the first one passed! fileExists returns YES for "/private/var/lib/apt"! How is that possible? Can anybody explain?
I can't completely explain this but I've come across similar results.
I used to have a jailbroken iPod on iOS 3 and updated it to iOS 4, after jailbreaking again my settings in Cydia were still present. When installing a new firmware iTunes still shows ~500Mb of other data, so I'm assuming not everything gets overwritten / deleted during the update.