From 5a1166c416acb4d810f45372b4db17d2c4338683 Mon Sep 17 00:00:00 2001 From: besendorf Date: Fri, 19 Dec 2025 12:44:43 +0100 Subject: [PATCH] Deprecate check-adb and recommend AndroidQF (#723) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Donncha Ó Cearbhaill --- docs/android/adb.md | 14 ++++++++++++++ src/mvt/android/cli.py | 37 +++++++++++++++++++++---------------- src/mvt/common/help.py | 2 +- 3 files changed, 36 insertions(+), 17 deletions(-) diff --git a/docs/android/adb.md b/docs/android/adb.md index d5c0660..fd3d3ef 100644 --- a/docs/android/adb.md +++ b/docs/android/adb.md @@ -16,6 +16,12 @@ Now you can try launching MVT with: mvt-android check-adb --output /path/to/results ``` +!!! warning + The `check-adb` command is deprecated and will be removed in a future release. + Whenever possible, prefer acquiring device data using the AndroidQF project (https://github.com/mvt-project/androidqf/) and then analyze those acquisitions with MVT. + + Running `mvt-android check-adb` will also emit a runtime deprecation warning advising you to migrate to AndroidQF. + If you have previously started an adb daemon MVT will alert you and require you to kill it with `adb kill-server` and relaunch the command. !!! warning 
@@ -37,6 +43,14 @@ mvt-android check-adb --serial 192.168.1.20:5555 --output /path/to/results Where `192.168.1.20` is the correct IP address of your device. +!!! warning + The `check-adb` workflow shown above is deprecated. If you can acquire an AndroidQF acquisition from the device (recommended), use the AndroidQF project to create that acquisition: https://github.com/mvt-project/androidqf/ + + AndroidQF acquisitions provide a more stable, reproducible analysis surface and are the preferred workflow going forward. + ## MVT modules requiring root privileges +!!! warning + Deprecated: many `mvt-android check-adb` workflows are deprecated and will be removed in a future release. Whenever possible, prefer acquiring an AndroidQF acquisition using the AndroidQF project (https://github.com/mvt-project/androidqf/). + Of the currently available `mvt-android check-adb` modules a handful require root privileges to function correctly. This is because certain files, such as browser history and SMS messages databases are not accessible with user privileges through adb. These modules are to be considered OPTIONALLY available in case the device was already jailbroken. **Do NOT jailbreak your own device unless you are sure of what you are doing!** Jailbreaking your phone exposes it to considerable security risks! diff --git a/src/mvt/android/cli.py b/src/mvt/android/cli.py index ae225d9..b30d2e5 100644 --- a/src/mvt/android/cli.py +++ b/src/mvt/android/cli.py 
@@ -9,30 +9,30 @@ import click from mvt.common.cmd_check_iocs import CmdCheckIOCS from mvt.common.help import ( - HELP_MSG_VERSION, - HELP_MSG_OUTPUT, - HELP_MSG_SERIAL, - HELP_MSG_DOWNLOAD_APKS, - HELP_MSG_DOWNLOAD_ALL_APKS, - HELP_MSG_VIRUS_TOTAL, + HELP_MSG_ANDROID_BACKUP_PASSWORD, HELP_MSG_APK_OUTPUT, HELP_MSG_APKS_FROM_FILE, - HELP_MSG_VERBOSE, HELP_MSG_CHECK_ADB, - HELP_MSG_IOC, + HELP_MSG_CHECK_ANDROID_BACKUP, + HELP_MSG_CHECK_ANDROIDQF, + HELP_MSG_CHECK_BUGREPORT, + HELP_MSG_CHECK_IOCS, + HELP_MSG_DISABLE_INDICATOR_UPDATE_CHECK, + HELP_MSG_DISABLE_UPDATE_CHECK, + HELP_MSG_DOWNLOAD_ALL_APKS, + HELP_MSG_DOWNLOAD_APKS, HELP_MSG_FAST, + HELP_MSG_HASHES, + HELP_MSG_IOC, HELP_MSG_LIST_MODULES, HELP_MSG_MODULE, HELP_MSG_NONINTERACTIVE, - HELP_MSG_ANDROID_BACKUP_PASSWORD, - HELP_MSG_CHECK_BUGREPORT, - HELP_MSG_CHECK_ANDROID_BACKUP, - HELP_MSG_CHECK_ANDROIDQF, - HELP_MSG_HASHES, - HELP_MSG_CHECK_IOCS, + HELP_MSG_OUTPUT, + HELP_MSG_SERIAL, HELP_MSG_STIX2, - HELP_MSG_DISABLE_UPDATE_CHECK, - HELP_MSG_DISABLE_INDICATOR_UPDATE_CHECK, + HELP_MSG_VERBOSE, + HELP_MSG_VERSION, + HELP_MSG_VIRUS_TOTAL, ) from mvt.common.logo import logo from mvt.common.updates import IndicatorsUpdates @@ -201,6 +201,11 @@ def check_adb( cmd.list_modules() return + log.warning( + "DEPRECATION: The 'check-adb' command is deprecated and may be removed in a future release. " + "Prefer acquiring device data using the AndroidQF project (https://github.com/mvt-project/androidqf/) and analyzing that acquisition with MVT." + ) + log.info("Checking Android device over debug bridge") cmd.run() diff --git a/src/mvt/common/help.py b/src/mvt/common/help.py index 9695e57..c90004e 100644 --- a/src/mvt/common/help.py +++ b/src/mvt/common/help.py 
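Review bot: The deprecation warning added in the second hunk of `cli.py` sits after the `cmd.list_modules()` / `return` path shown in the context lines, so someone running `check-adb` only to list modules never sees it. Consider moving the `log.warning(...)` call above that early-return branch so every invocation of the deprecated command reports it. The message also says the command "may be removed in a future release", while the `docs/android/adb.md` text in this same commit says it "will be removed"; the two should agree. The rest of `check_adb`, including the condition guarding the early return and the command decorator, is outside the hunk, so whether Click's own `deprecated=True` command flag is already in use cannot be told from here.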
@@ -47,7 +47,7 @@ HELP_MSG_APKS_FROM_FILE = (
 "Instead of acquiring APKs from a phone, load an existing packages.json file for "
 "lookups (mainly for debug purposes)"
 )
-HELP_MSG_CHECK_ADB = "Check an Android device over ADB"
+HELP_MSG_CHECK_ADB = "Deprecated: Check an Android device over ADB. Prefer using the external AndroidQF project (https://github.com/mvt-project/androidqf) to acquire AndroidQF images for analysis."
 HELP_MSG_CHECK_BUGREPORT = "Check an Android Bug Report"
 HELP_MSG_CHECK_ANDROID_BACKUP = "Check an Android Backup"
 HELP_MSG_CHECK_ANDROIDQF = "Check data collected with AndroidQF"
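Review bot: The new `HELP_MSG_CHECK_ADB` value is one long string literal, while the neighbouring `HELP_MSG_APKS_FROM_FILE` in the same hunk wraps its text in parentheses with implicit concatenation. Wrapping this one the same way would keep the file consistent and within a normal line length. The text also says "acquire AndroidQF images", whereas the docs and the runtime warning added in this commit call them "acquisitions"; using one term avoids confusion about what artefact the user should produce. A first fragment such as `"Deprecated: Check an Android device over ADB. "` keeps the short help readable in command listings.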