diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 37ac7f2..786518a 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -12,7 +12,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- python-version: ['3.10', '3.11', '3.12', '3.13']
+ python-version: ['3.10', '3.11', '3.12', '3.13', '3.14']
 steps:
 - uses: actions/checkout@v4
diff --git a/Makefile b/Makefile
index 16bde09..53b9b5c 100644
--- a/Makefile
+++ b/Makefile
@@ -1,14 +1,9 @@
 PWD = $(shell pwd)
-autofix:
- ruff format .
- ruff check --fix .
-
 check: ruff mypy
 ruff:
- ruff format --check .
- ruff check -q .
+ ruff check .
 mypy:
 mypy
diff --git a/SECURITY.md b/SECURITY.md
index 3df1543..f32109a 100644
--- a/SECURITY.md
+++ b/SECURITY.md
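Review bot: The `ruff` target on the new side drops `ruff format --check .`, so `make check` no longer fails on unformatted code, and the `autofix` target that applied `ruff format` is removed with it. Together with the `[tool.ruff.lint]` → `[tool.ruff]` section renames in the pyproject.toml hunk, this reads like a rollback of the formatter setup rather than a deliberate change; if the formatter is meant to stay, keep `ruff format --check .` as the first recipe line under `ruff:`. If dropping it is intended, a one-line Makefile comment such as `# formatting is not enforced in CI; run ruff format locally` would stop the next reader from re-adding it.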
@@ -2,4 +2,61 @@ Thank you for your interest in reporting security issues and vulnerabilities! Security research is of utmost importance and we take all reports seriously. If you discover an issue please report it to us right away! -Please DO NOT file a public issue, instead send your report privately to *nex [at] nex [dot] sx*. You can also write PGP-encrypted emails to [this key](https://keybase.io/nex/pgp_keys.asc?fingerprint=05216f3b86848a303c2fe37dd166f1667359d880). +Please DO NOT file a public issue, instead send your report privately to the MVT maintainers at Amnesty International via `security [at] amnesty [dot] tech`. + +You can also write PGP-encrypted emails to key `CFBF9698DCA8EB2A80F48ADEA035A030FA04ED13`. The corresponding PGP public key is lited below. + +``` +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGlFPwsBEADQ+d7SeHrFPYv3wPOjWs2oMpp0DPdfIyGbg+iYWOC36FegZhKY ++WeK96GqJWt8wD6kwFUVwQI795WZrjSd1q4a7wR+kj/h7xlRB6ZfVICA6O5DOOm6 +GNMvqy7ESm8g1XZDpb2u1BXmSS9X8f6rjB0e86kYsF1mB5/2USTM63jgDs0GGTkZ +Q1z4Mq4gYyqH32b3gvXkbb68LeQmONUIM3cgmec9q8/pNc1l7fcoLWhOVADRj17Q +plisa/EUf/SYqdtk9w7EHGggNenKNwVM235mkPcMqmE72bTpjT6XCxvZY3ByG5yi +7L+tHJU45ZuXtt62EvX03azxThVfSmH/WbRk8lH8+CW8XMmiWZphG4ydPWqgVKCB +2UOXm+6CQnKA+7Dt1AeK2t5ciATrv9LvwgSxk5WKc3288XFLA6eGMrTdQygYlLjJ ++42RSdK/7fCt/qk4q13oUw8ZTVcCia98uZFi704XuuYTH6NrntIB7j/0oucIS4Y9 +cTWNO5LBerez4v8VI4YHcYESPeIWGFkXhvJzo0VMg1zidBLtiPoGF2JKZGwaK7/p +yY1xALskLp4H+5OY4eB1kf8kl4vGsEK8xA/NNzOiapVmwBXpvVvmXIQJE2k+olNf +sAuyB8+aO1Ws7tFYt3D+olC7iaprOdK7uA4GCgmYYhq6QQPg+cxfczgHfwARAQAB +tD1TZWN1cml0eSBMYWIgYXQgQW1uZXN0eSBJbnRlcm5hdGlvbmFsIDxzZWN1cml0 +eUBhbW5lc3R5LnRlY2g+iQJRBBMBCAA7FiEEz7+WmNyo6yqA9IreoDWgMPoE7RMF +AmlFPwsCGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQoDWgMPoE7RNr +2w//a88uP90uSN6lgeIwKsHr1ri27QIBbzCV6hLN/gZBFR2uaiOn/xfFDbnR0Cjo +5nMCJCT1k4nrPbMTlfmWLCD+YKELBzVqWlw4J2SOg3nznPl2JrL8QBKjwts0sF+h +QbRWDsT54wBZnl6ZJJ79eLShNTokBbKnQ7071dMrENr5e2P2sClQXyiIc51ga4FM 
+fHyhsx+GsrdiZNd2AH8912ljW1GuEi3epTO7KMZprmr37mjpZSUToiV59Yhl1Gbo +2pixkYJqi62DG02/gTpCjq9NH3cEMxcxjh4E7yCA8ggLG6+IN6woIvPIdOsnQ+Yj +d3H4rMNBjPSKoL+bdHILkCnp5HokcbVjNY3QAyOAF4qWhk4GtgpTshwxUmb4Tbay +tWLJC2bzjuUBxLkGzMVFfU3B96sVS4Fi0sBaEMBtHskl2f45X8LJhSq//Lw/2L/8 +34uP/RxDSn+DPvj/yqMpekdCcmeFSTX1A19xkPcc0rVhMRde4VL338R86vzh0gMI +1LySDAhXZyVWzrQ5s3n6N3EvCaHCn3qu7ieyFJifCSR7gZqevCEznMQRVpkMTzUt +rk13Z6NOOb4IlTW7HFoY3omJG8Z5jV4kMIE7n6nb0qpNYQiG+YvjenQ3VrMoISyh +lpS2De8+oOtwrxBVX3+qKWvQqzufeE3416kw2Z+5mxH7bx25Ag0EaUU/CwEQALyZ +b+kwLN1yHObTm2yDBEn5HbCT3H1GremvPNmbAaTnfrjUngoKa8MuWWzbX5ptgmZR +UpYY/ylOYcgGydz58vUNrPlhIZT9UhmiifPgZLEXyd0uFpr/NsbRajHMkK10iEZf +h5bHNobiB7pGCu4Uj9e1cMiIZ4yEaYeyXYUoNHf6ISP39mJhHy6ov5yIpm9q0wzm +tGUQPupxGXmEZlOPr3lxqXQ3Ekdv6cWDY5r/oOq71QJ/HUQ13QUuGFIbhnMbT8zd +zaS6f/v772YKsWPc4NNUhtlf25VnQ4FuUtjCe3p6iYP4OVD8gJm0GvXyvyTuiQbL +CSk/378JiNT7nZzYXxrWchMwvEoMIU55+/UaBc50HI5xvDQ858CX7PYGiimcdsO1 +EkQzhVxRfjlILfWrC2lgt+H5qhTn4Fah250Xe1PnLjXGHVUQnY/f3MFeiWQgf92b +02+MfvOeC5OKttP1z5lcx6RFWCIa1E/u8Nj7YrH9hk0ZBRAnBaeAncDFY8dfX2zX +VMoc0dV16gM7RrZ6i7D3CG3eLLkQlX0jbW9dzTuG/3f098EWB1p8vOfS/RbNCBRX +jqGiqacL/aFF3Ci3nQ4O5tSv1XipbgrUhvXnwm9pxrLPS/45iaO59WN4RRGWLLQ7 +LHmeBxoa9avv0SdBYUL+eBxY46GXb/j5VLzHYhSnABEBAAGJAjYEGAEIACAWIQTP +v5aY3KjrKoD0it6gNaAw+gTtEwUCaUU/CwIbDAAKCRCgNaAw+gTtEyvsEACnyFFD +alOZTrrJTXNnUejuiExLh+qTO3T91p5bte597jpwCZnYGwkxEfffsqqhlY6ftEOf +d5tNWE5isai4v8XCbplWomz4KBpepxcn2b+9o5dSyr1vohEFuCJziZDsta1J2DX5 +IE9U48kTgLDfdIBhuOyHNRkvXRHP2OVLCaiw4d9q+hlrraR8pehHt2BJSxh+QZoe +n0iHvIZCBIUA45zLEGmXFpNTGeEf2dKPp3xOkAXOhAMPptE0V1itkF3R7kEW4aFO +SZo8L3C1aWSz/gQ4/vvW5t1IJxirNMUgTMQFvqEkAwX3fm6GCxlgRSvTTRXdcrS8 +6qyFdH1nkCNsavPahN3N2RGGIlWtODEMTO1Hjy0kZtTYdW+JH9sendliCoJES+yN +DjM125SgdAgrqlSYm/g8n9knWpxZv1QM6jU/sVz1J+l6/ixugL2i+CAL2d6uv4tT +QmXnu7Ei4/2kHBUu3Lf59MNgmLHm6F7AhOWErszSeoJKsp+3yA1oTT/npz67sRzY +VVyxz4NBIollna59a1lz0RhlWzNKqNB27jhylyM4ltdzHB7r4VMAVJyttozmIIOC +35ucYxl5BHLuapaRSaYHdUId1LOccYyaOOFF/PSyCu9dKzXk7zEz2HNcIboWSkAE 
+8ZDExMYM4WVpVCOj+frdsaBvzItHacRWuijtkw== +=JAXX +-----END PGP PUBLIC KEY BLOCK----- +``` diff --git a/docs/android/adb.md b/docs/android/adb.md index 8e4d070..42bf023 100644 --- a/docs/android/adb.md +++ b/docs/android/adb.md 
@@ -1,4 +1,28 @@
-# Deprecation of ADB command in MVT
+# Check over ADB
+
+In order to check an Android device over the [Android Debug Bridge (adb)](https://developer.android.com/studio/command-line/adb) you will first need to install [Android SDK Platform Tools](https://developer.android.com/studio/releases/platform-tools). If you have installed [Android Studio](https://developer.android.com/studio/) you should already have access to `adb` and other utilities.
+
+While many Linux distributions already package Android Platform Tools (for example `android-platform-tools-base` on Debian), it is preferable to install the most recent version from the official website. Packaged versions might be outdated and incompatible with most recent Android handsets.
+
+Next you will need to enable debugging on the Android device you are testing. [Please follow the official instructions on how to do so.](https://developer.android.com/studio/command-line/adb)
+
+## Connecting over USB
+
+The easiest way to check the device is over a USB transport. You will need to have USB debugging enabled and the device plugged into your computer. If everything is configured appropriately you should see your device when launching the command `adb devices`.
+
+Now you can try launching MVT with:
+
+```bash
+mvt-android check-adb --output /path/to/results
+```
+
+!!! warning
+ The `check-adb` command is deprecated and will be removed in a future release.
+ Whenever possible, prefer acquiring device data using the AndroidQF project (https://github.com/mvt-project/androidqf/) and then analyze those acquisitions with MVT.
+
+ Running `mvt-android check-adb` will also emit a runtime deprecation warning advising you to migrate to AndroidQF.
+
+If you have previously started an adb daemon MVT will alert you and require you to kill it with `adb kill-server` and relaunch the command.
 !!! warning
diff --git a/pyproject.toml b/pyproject.toml
index c23f83e..6f1a126 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -17,21 +17,21 @@ classifiers = [
 "Programming Language :: Python",
 ]
 dependencies = [
- "click==8.2.1",
+ "click==8.3.0",
 "rich==14.1.0",
 "tld==0.13.1",
- "requests==2.32.4",
- "simplejson==3.20.1",
+ "requests==2.32.5",
+ "simplejson==3.20.2",
 "packaging==25.0",
 "appdirs==1.4.4",
 "iOSbackup==0.9.925",
 "adb-shell[usb]==0.4.4",
 "libusb1==3.3.1",
- "cryptography==45.0.6",
+ "cryptography==46.0.3",
 "PyYAML>=6.0.2",
 "pyahocorasick==2.2.0",
 "betterproto==1.2.5",
- "pydantic==2.11.7",
+ "pydantic==2.12.3",
 "pydantic-settings==2.10.1",
 "NSKeyedUnArchiver==1.5.2",
 "python-dateutil==2.9.0.post0",
@@ -80,7 +80,7 @@ packages = "src"
 addopts = "-ra -q --cov=mvt --cov-report html --junitxml=pytest.xml --cov-report=term-missing:skip-covered"
 testpaths = ["tests"]
-[tool.ruff.lint]
+[tool.ruff]
 select = ["C90", "E", "F", "W"] # flake8 default set
 ignore = [
 "E501", # don't enforce line length violations
@@ -95,10 +95,10 @@ ignore = [
 # "E203", # whitespace-before-punctuation
 ]
-[tool.ruff.lint.per-file-ignores]
+[tool.ruff.per-file-ignores]
 "__init__.py" = ["F401"] # unused-import
-[tool.ruff.lint.mccabe]
+[tool.ruff.mccabe]
 max-complexity = 10
 [tool.setuptools]
diff --git a/src/mvt/android/modules/bugreport/dumpsys_receivers.py b/src/mvt/android/modules/bugreport/dumpsys_receivers.py
index 000d98c..2b4be91 100644
--- a/src/mvt/android/modules/bugreport/dumpsys_receivers.py
+++ b/src/mvt/android/modules/bugreport/dumpsys_receivers.py
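Review bot: The renames in the `@@ -80,7 +80,7 @@` and `@@ -95,10 +95,10 @@` hunks move `select`, `ignore`, `per-file-ignores` and `mccabe` back from `[tool.ruff.lint]` to ruff's top-level table, a layout that current ruff releases treat as deprecated and warn about on every run; unless the project pins a ruff older than 0.2 (the pin is not visible in this diff), this looks like an unintended revert rather than a cleanup. Keeping `[tool.ruff.lint]`, `[tool.ruff.lint.per-file-ignores]` and `[tool.ruff.lint.mccabe]` avoids the warnings and keeps the config readable by the `ruff check .` the Makefile now runs. The version bumps in the first hunk are plain pin updates and need no change.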
@@ -35,6 +35,20 @@ class DumpsysReceivers(DumpsysReceiversArtifact, BugReportModule): self.results = results if results else {} + def check_indicators(self) -> None: + for result in self.results: + if self.indicators: + receiver_name = self.results[result][0]["receiver"] + + # return IoC if the stix2 process name a substring of the receiver name + ioc = self.indicators.check_receiver_prefix(receiver_name) + if ioc: + self.results[result][0]["matched_indicator"] = ioc + self.detected.append(result) + continue + + + def run(self) -> None: content = self._get_dumpstate_file() if not content: diff --git a/src/mvt/common/indicators.py b/src/mvt/common/indicators.py index d176688..34aef88 100644 --- a/src/mvt/common/indicators.py +++ b/src/mvt/common/indicators.py @@ -718,9 +718,31 @@ class Indicators: return None - def check_android_property_name( - self, property_name: str - ) -> Optional[IndicatorMatch]: + + def check_receiver_prefix(self, receiver_name: str) -> Union[dict, None]: + """Check the provided receiver name against the list of indicators. + An IoC match is detected when a substring of the receiver matches the indicator + :param app_id: App ID to check against the list of indicators + :type app_id: str + :returns: Indicator details if matched, otherwise None + + """ + if not receiver_name: + return None + + for ioc in self.get_iocs("app_ids"): + if ioc["value"].lower() in receiver_name.lower(): + self.log.warning( + 'Found a known suspicious receiver with name "%s" ' + 'matching indicators from "%s"', + receiver_name, + ioc["name"], + ) + return ioc + + return None + + def check_android_property_name(self, property_name: str) -> Optional[dict]: """Check the android property name against the list of indicators. :param property_name: Name of the Android property diff --git a/src/mvt/ios/data/ios_models.json b/src/mvt/ios/data/ios_models.json index 8ceeeba..2503a4e 100644 --- a/src/mvt/ios/data/ios_models.json +++ b/src/mvt/ios/data/ios_models.json 
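Review bot: `check_indicators` only inspects the first entry of each result list (`self.results[result][0]["receiver"]`), so when several receivers are registered for the same intent a match on any receiver after the first is silently missed and never reaches `self.detected`. The `if self.indicators:` test is loop-invariant and belongs before the loop as an early return, the trailing `continue` is a no-op, and the comment `# return IoC if the stix2 process name a substring of the receiver name` is garbled — `# flag the intent when an app-id indicator value is a substring of a receiver name` says what the call does. The hunk also appears to add three blank lines before `run`, where PEP 8 spacing is two. I have assumed `self.results[result]` is a list of dicts carrying a `"receiver"` key, as the `[0]["receiver"]` access implies, and kept the existing convention of recording the intent key in `self.detected`.
```python
    def check_indicators(self) -> None:
        if not self.indicators:
            return

        for intent, receivers in self.results.items():
            matched = False
            for receiver in receivers:
                # flag the intent when an app-id indicator value is a substring of a receiver name
                ioc = self.indicators.check_receiver_prefix(receiver["receiver"])
                if ioc:
                    receiver["matched_indicator"] = ioc
                    matched = True
            if matched:
                self.detected.append(intent)
```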
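Review bot: The docstring of `check_receiver_prefix` documents a parameter `app_id` that does not exist; the parameter is `receiver_name`, so the two lines should read `:param receiver_name: Receiver name to check against the list of indicators` and `:type receiver_name: str`. The method name says "prefix" but the body does an unanchored substring test (`ioc["value"].lower() in receiver_name.lower()`), which lets a short app-id indicator value match any receiver whose name merely contains it and inflates false positives in triage output; either say so explicitly in the docstring or anchor the comparison on the package portion of the receiver name — the receiver format is not visible from this hunk, so confirm against real dumpsys output first. `receiver_name.lower()` is recomputed on every iteration; bind it once before the loop, e.g. `needle = receiver_name.lower()`. The return annotation `Union[dict, None]` differs from the `Optional[...]` style of the neighbouring method, and the same hunk replaces `Optional[IndicatorMatch]` on `check_android_property_name` with `Optional[dict]`, which drops type information; if `IndicatorMatch` is still defined in this module keep it, and check that `Union` is actually imported, since the imports are outside this hunk.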
@@ -194,5 +194,41 @@
 {
 "identifier": "iPhone16,2",
 "description": "iPhone 15 Pro Max"
+ },
+ {
+ "identifier": "iPhone17,1",
+ "description": "iPhone 16 Pro"
+ },
+ {
+ "identifier": "iPhone17,2",
+ "description": "iPhone 16 Pro Max"
+ },
+ {
+ "identifier": "iPhone17,3",
+ "description": "iPhone 16"
+ },
+ {
+ "identifier": "iPhone17,4",
+ "description": "iPhone 16 Plus"
+ },
+ {
+ "identifier": "iPhone17,5",
+ "description": "iPhone 16e"
+ },
+ {
+ "identifier": "iPhone18,1",
+ "description": "iPhone 17 Pro"
+ },
+ {
+ "identifier": "iPhone18,2",
+ "description": "iPhone 17 Pro Max"
+ },
+ {
+ "identifier": "iPhone18,3",
+ "description": "iPhone 17"
+ },
+ {
+ "identifier": "iPhone18,4",
+ "description": "iPhone Air"
 }
 ]
diff --git a/src/mvt/ios/data/ios_versions.json b/src/mvt/ios/data/ios_versions.json
index e606084..1ceccf6 100644
--- a/src/mvt/ios/data/ios_versions.json
+++ b/src/mvt/ios/data/ios_versions.json
@@ -1160,6 +1160,10 @@
 "version": "18.7.2",
 "build": "22H124"
 },
+ {
+ "version": "18.7.3",
+ "build": "22H217"
+ },
 {
 "version": "26",
 "build": "23A341"
@@ -1171,5 +1175,9 @@
 {
 "version": "26.1",
 "build": "23B85"
+ },
+ {
+ "version": "26.2",
+ "build": "23C55"
 }
 ]
\ No newline at end of file