Bumped version

Merge pull request #244 from dangaffey/patch-1
Update docker.md
2026-02-16 02:12:46 +00:00 · 2022-02-01 12:46:31 +01:00 · 2022-02-01 11:54:04 +01:00 · 2022-01-31 20:22:54 -05:00 · 2022-01-31 13:05:03 +01:00 · 2022-01-31 12:58:33 +01:00
101 changed files with 940 additions and 376 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -131,3 +131,6 @@ dmypy.json

 # Temporal files
 *~
+
+# IDEA Dev Environment
+.idea
--- a/dev/mvt-android
+++ b/dev/mvt-android
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/dev/mvt-ios
+++ b/dev/mvt-ios
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/docs/docker.md
+++ b/docs/docker.md
@@ -10,6 +10,11 @@ cd mvt
 docker build -t mvt .
 ```

+Optionally, you may need to specify your platform to Docker in order to build successfully (Apple M1)
+```bash
+docker build --platform amd64 -t mvt .
+```
+
 Test if the image was created successfully:

 ```bash
--- a/mvt/init.py
+++ b/mvt/init.py
@@ -1,4 +1,4 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
--- a/mvt/android/init.py
+++ b/mvt/android/init.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/android/cli.py
+++ b/mvt/android/cli.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

@@ -199,6 +199,72 @@ def check_backup(ctx, iocs, output, backup_path, serial):
        run_module(m)


+#==============================================================================
+# Command: check-iocs
+#==============================================================================
+@cli.command("check-iocs", help="Compare stored JSON results to provided indicators")
+@click.option("--iocs", "-i", type=click.Path(exists=True), multiple=True,
+              default=[], help=HELP_MSG_IOC)
+@click.option("--list-modules", "-l", is_flag=True, help=HELP_MSG_LIST_MODULES)
+@click.option("--module", "-m", help=HELP_MSG_MODULE)
+@click.argument("FOLDER", type=click.Path(exists=True))
+@click.pass_context
+def check_iocs(ctx, iocs, list_modules, module, folder):
+    all_modules = []
+    for entry in BACKUP_MODULES + ADB_MODULES:
+        if entry not in all_modules:
+            all_modules.append(entry)
+
+    if list_modules:
+        log.info("Following is the list of available check-iocs modules:")
+        for iocs_module in all_modules:
+            log.info(" - %s", iocs_module.__name__)
+
+        return
+
+    log.info("Checking stored results against provided indicators...")
+
+    indicators = Indicators(log=log)
+    indicators.load_indicators_files(iocs)
+
+    total_detections = 0
+    for file_name in os.listdir(folder):
+        name_only, ext = os.path.splitext(file_name)
+        file_path = os.path.join(folder, file_name)
+
+        # TODO: Skipping processing of result files that are not json.
+        #       We might want to revisit this eventually.
+        if ext != ".json":
+            continue
+
+        for iocs_module in all_modules:
+            if module and iocs_module.__name__ != module:
+                continue
+
+            if iocs_module().get_slug() != name_only:
+                continue
+
+            log.info("Loading results from \"%s\" with module %s", file_name,
+                     iocs_module.__name__)
+
+            m = iocs_module.from_json(file_path,
+                                      log=logging.getLogger(iocs_module.__module__))
+            if indicators.total_ioc_count > 0:
+                m.indicators = indicators
+                m.indicators.log = m.log
+
+            try:
+                m.check_indicators()
+            except NotImplementedError:
+                continue
+            else:
+                total_detections += len(m.detected)
+
+    if total_detections > 0:
+        log.warning("The check of the results produced %d detections!",
+                    total_detections)
+
+
 #==============================================================================
 # Command: download-iocs
 #==============================================================================
--- a/mvt/android/download_apks.py
+++ b/mvt/android/download_apks.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

@@ -57,7 +57,7 @@ class DownloadAPKs(AndroidExtraction):
        :param json_path: Path to the apks.json file to parse.

        """
-        with open(json_path, "r") as handle:
+        with open(json_path, "r", encoding="utf-8") as handle:
            packages = json.load(handle)
            return cls(packages=packages)

@@ -173,7 +173,7 @@ class DownloadAPKs(AndroidExtraction):
    def save_json(self):
        """Save the results to the package.json file."""
        json_path = os.path.join(self.output_folder, "apks.json")
-        with open(json_path, "w") as handle:
+        with open(json_path, "w", encoding="utf-8") as handle:
            json.dump(self.packages, handle, indent=4)

    def run(self):
--- a/mvt/android/lookups/init.py
+++ b/mvt/android/lookups/init.py
@@ -1,4 +1,4 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
--- a/mvt/android/lookups/koodous.py
+++ b/mvt/android/lookups/koodous.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/android/lookups/virustotal.py
+++ b/mvt/android/lookups/virustotal.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

@@ -39,6 +39,10 @@ def get_virustotal_report(hashes):


 def virustotal_lookup(packages):
+    # NOTE: This is temporary, until we resolved the issue.
+    log.error("Unfortunately VirusTotal lookup is disabled until further notice, due to unresolved issues with the API service.")
+    return
+
    log.info("Looking up all extracted files on VirusTotal (www.virustotal.com)")

    unique_hashes = []
--- a/mvt/android/modules/init.py
+++ b/mvt/android/modules/init.py
@@ -1,4 +1,4 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
--- a/mvt/android/modules/adb/init.py
+++ b/mvt/android/modules/adb/init.py
@@ -1,24 +1,27 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

 from .chrome_history import ChromeHistory
 from .dumpsys_accessibility import DumpsysAccessibility
-from .dumpsys_batterystats import DumpsysBatterystats
+from .dumpsys_activities import DumpsysActivities
+from .dumpsys_battery_daily import DumpsysBatteryDaily
+from .dumpsys_battery_history import DumpsysBatteryHistory
+from .dumpsys_dbinfo import DumpsysDBInfo
 from .dumpsys_full import DumpsysFull
-from .dumpsys_packages import DumpsysPackages
-from .dumpsys_procstats import DumpsysProcstats
 from .dumpsys_receivers import DumpsysReceivers
 from .files import Files
+from .getprop import Getprop
 from .logcat import Logcat
 from .packages import Packages
 from .processes import Processes
-from .rootbinaries import RootBinaries
+from .root_binaries import RootBinaries
+from .settings import Settings
 from .sms import SMS
 from .whatsapp import Whatsapp

-ADB_MODULES = [ChromeHistory, SMS, Whatsapp, Processes,
-               DumpsysAccessibility, DumpsysBatterystats, DumpsysProcstats,
-               DumpsysPackages, DumpsysReceivers, DumpsysFull,
-               Packages, RootBinaries, Logcat, Files]
+ADB_MODULES = [ChromeHistory, SMS, Whatsapp, Processes, Getprop, Settings,
+               DumpsysBatteryHistory, DumpsysBatteryDaily, DumpsysReceivers,
+               DumpsysActivities, DumpsysAccessibility, DumpsysDBInfo,
+               DumpsysFull, Packages, RootBinaries, Logcat, Files]
--- a/mvt/android/modules/adb/base.py
+++ b/mvt/android/modules/adb/base.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

@@ -15,7 +15,7 @@ from adb_shell.adb_device import AdbDeviceTcp, AdbDeviceUsb
 from adb_shell.auth.keygen import keygen, write_public_keyfile
 from adb_shell.auth.sign_pythonrsa import PythonRSASigner
 from adb_shell.exceptions import (AdbCommandFailureException, DeviceAuthError,
-                                  UsbReadFailedError)
+                                  UsbDeviceNotFoundError, UsbReadFailedError)
 from usb1 import USBErrorAccess, USBErrorBusy

 from mvt.common.module import InsufficientPrivileges, MVTModule
@@ -65,7 +65,11 @@ class AndroidExtraction(MVTModule):
        # If no serial was specified or if the serial does not seem to be
        # a HOST:PORT definition, we use the USB transport.
        if not self.serial or ":" not in self.serial:
-            self.device = AdbDeviceUsb(serial=self.serial)
+            try:
+                self.device = AdbDeviceUsb(serial=self.serial)
+            except UsbDeviceNotFoundError:
+                log.critical("No device found. Make sure it is connected and unlocked.")
+                sys.exit(-1)
        # Otherwise we try to use the TCP transport.
        else:
            addr = self.serial.split(":")
--- a/mvt/android/modules/adb/chrome_history.py
+++ b/mvt/android/modules/adb/chrome_history.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/android/modules/adb/dumpsys_accessibility.py
+++ b/mvt/android/modules/adb/dumpsys_accessibility.py
@@ -1,11 +1,9 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

-import io
 import logging
-import os

 from .base import AndroidExtraction

@@ -21,13 +19,20 @@ class DumpsysAccessibility(AndroidExtraction):
                         output_folder=output_folder, fast_mode=fast_mode,
                         log=log, results=results)

-    def run(self):
-        self._adb_connect()
+    def check_indicators(self):
+        for result in self.results:
+            ioc = self.indicators.check_app_id(result["package"])
+            if ioc:
+                result["matched_indicator"] = ioc
+                self.detected.append(result)
+                continue

-        stats = self._adb_command("dumpsys accessibility")
+    @staticmethod
+    def parse_accessibility(output):
+        results = []

        in_services = False
-        for line in stats.split("\n"):
+        for line in output.split("\n"):
            if line.strip().startswith("installed services:"):
                in_services = True
                continue
@@ -41,13 +46,19 @@ class DumpsysAccessibility(AndroidExtraction):
            service = line.split(":")[1].strip()
            log.info("Found installed accessibility service \"%s\"", service)

-        if self.output_folder:
-            acc_path = os.path.join(self.output_folder,
-                                      "dumpsys_accessibility.txt")
-            with io.open(acc_path, "w", encoding="utf-8") as handle:
-                handle.write(stats)
+            results.append({
+                "package": service.split("/")[0],
+                "service": service,
+            })

-            log.info("Records from dumpsys accessibility stored at %s",
-                     acc_path)
+        return results
+
+    def run(self):
+        self._adb_connect()
+
+        output = self._adb_command("dumpsys accessibility")
+        self.results = self.parse_accessibility(output)
+
+        self.log.info("Identified a total of %d accessibility services", len(self.results))

        self._adb_disconnect()
--- a/mvt/android/modules/adb/dumpsys_activities.py
+++ b/mvt/android/modules/adb/dumpsys_activities.py
@@ -0,0 +1,95 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2022 The MVT Project Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import logging
+
+from .base import AndroidExtraction
+
+log = logging.getLogger(__name__)
+
+
+class DumpsysActivities(AndroidExtraction):
+    """This module extracts details on receivers for risky activities."""
+
+    def __init__(self, file_path=None, base_folder=None, output_folder=None,
+                 serial=None, fast_mode=False, log=None, results=[]):
+        super().__init__(file_path=file_path, base_folder=base_folder,
+                         output_folder=output_folder, fast_mode=fast_mode,
+                         log=log, results=results)
+
+        self.results = results if results else {}
+
+    def check_indicators(self):
+        for intent, activities in self.results.items():
+            for activity in activities:
+                ioc = self.indicators.check_app_id(activity["package"])
+                if ioc:
+                    activity["matched_indicator"] = ioc
+                    self.detected.append({intent: activity})
+                    continue
+
+    @staticmethod
+    def parse_activity_resolver_table(output):
+        results = {}
+
+        in_activity_resolver_table = False
+        in_non_data_actions = False
+        intent = None
+        for line in output.split("\n"):
+            if line.startswith("Activity Resolver Table:"):
+                in_activity_resolver_table = True
+                continue
+
+            if not in_activity_resolver_table:
+                continue
+
+            if line.startswith("  Non-Data Actions:"):
+                in_non_data_actions = True
+                continue
+
+            if not in_non_data_actions:
+                continue
+
+            # If we hit an empty line, the Non-Data Actions section should be
+            # finished.
+            if line.strip() == "":
+                break
+
+            # We detect the action name.
+            if line.startswith(" " * 6) and not line.startswith(" " * 8) and ":" in line:
+                intent = line.strip().replace(":", "")
+                results[intent] = []
+                continue
+
+            # If we are not in an intent block yet, skip.
+            if not intent:
+                continue
+
+            # If we are in a block but the line does not start with 8 spaces
+            # it means the block ended a new one started, so we reset and
+            # continue.
+            if not line.startswith(" " * 8):
+                intent = None
+                continue
+
+            # If we got this far, we are processing receivers for the
+            # activities we are interested in.
+            activity = line.strip().split(" ")[1]
+            package = activity.split("/")[0]
+
+            results[intent].append({
+                "package": package,
+                "activity": activity,
+            })
+
+        return results
+
+    def run(self):
+        self._adb_connect()
+
+        output = self._adb_command("dumpsys package")
+        self.results = self.parse_activity_resolver_table(output)
+
+        self._adb_disconnect()
--- a/mvt/android/modules/adb/dumpsys_battery_daily.py
+++ b/mvt/android/modules/adb/dumpsys_battery_daily.py
@@ -0,0 +1,90 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2022 The MVT Project Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import logging
+
+from .base import AndroidExtraction
+
+log = logging.getLogger(__name__)
+
+
+class DumpsysBatteryDaily(AndroidExtraction):
+    """This module extracts records from battery daily updates."""
+
+    def __init__(self, file_path=None, base_folder=None, output_folder=None,
+                 serial=None, fast_mode=False, log=None, results=[]):
+        super().__init__(file_path=file_path, base_folder=base_folder,
+                         output_folder=output_folder, fast_mode=fast_mode,
+                         log=log, results=results)
+
+    def serialize(self, record):
+        return {
+            "timestamp": record["from"],
+            "module": self.__class__.__name__,
+            "event": "battery_daily",
+            "data": f"Recorded update of package {record['package']} with vers {record['vers']}"
+        }
+
+    def check_indicators(self):
+        for result in self.results:
+            ioc = self.indicators.check_app_id(result["package"])
+            if ioc:
+                result["matched_indicator"] = ioc
+                self.detected.append(result)
+                continue
+
+    @staticmethod
+    def parse_battery_history(output):
+        results = []
+        daily = None
+        daily_updates = []
+        for line in output.split("\n")[1:]:
+            if line.startswith("  Daily from "):
+                timeframe = line[13:].strip()
+                date_from, date_to = timeframe.strip(":").split(" to ", 1)
+                daily = {"from": date_from[0:10], "to": date_to[0:10]}
+
+            if not daily:
+                continue
+
+            if line.strip() == "":
+                results.extend(daily_updates)
+                daily = None
+                daily_updates = []
+                continue
+
+            if not line.strip().startswith("Update "):
+                continue
+
+            line = line.strip().replace("Update ", "")
+            package, vers = line.split(" ", 1)
+            vers_nr = vers.split("=", 1)[1]
+
+            already_seen = False
+            for update in daily_updates:
+                if package == update["package"] and vers_nr == update["vers"]:
+                    already_seen = True
+                    break
+
+            if not already_seen:
+                daily_updates.append({
+                    "action": "update",
+                    "from": daily["from"],
+                    "to": daily["to"],
+                    "package": package,
+                    "vers": vers_nr,
+                })
+
+        return results
+
+    def run(self):
+        self._adb_connect()
+
+        output = self._adb_command("dumpsys batterystats --daily")
+        self.results = self.parse_battery_history(output)
+
+        self.log.info("Extracted %d records from battery daily stats", len(self.results))
+
+        self._adb_disconnect()
--- a/mvt/android/modules/adb/dumpsys_battery_history.py
+++ b/mvt/android/modules/adb/dumpsys_battery_history.py
@@ -0,0 +1,88 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2022 The MVT Project Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import logging
+
+from .base import AndroidExtraction
+
+log = logging.getLogger(__name__)
+
+
+class DumpsysBatteryHistory(AndroidExtraction):
+    """This module extracts records from battery history events."""
+
+    def __init__(self, file_path=None, base_folder=None, output_folder=None,
+                 serial=None, fast_mode=False, log=None, results=[]):
+        super().__init__(file_path=file_path, base_folder=base_folder,
+                         output_folder=output_folder, fast_mode=fast_mode,
+                         log=log, results=results)
+
+    def check_indicators(self):
+        for result in self.results:
+            ioc = self.indicators.check_app_id(result["package"])
+            if ioc:
+                result["matched_indicator"] = ioc
+                self.detected.append(result)
+                continue
+
+    @staticmethod
+    def parse_battery_history(output):
+        results = []
+
+        for line in output.split("\n")[1:]:
+            if line.strip() == "":
+                break
+
+            time_elapsed, rest = line.strip().split(" ", 1)
+
+            start = line.find(" 100 ")
+            if start == -1:
+                continue
+
+            line = line[start+5:]
+
+            event = ""
+            if line.startswith("+job"):
+                event = "start_job"
+            elif line.startswith("-job"):
+                event = "end_job"
+            elif line.startswith("+running +wake_lock="):
+                event = "wake"
+            else:
+                continue
+
+            if event in ["start_job", "end_job"]:
+                uid = line[line.find("=")+1:line.find(":")]
+                service = line[line.find(":")+1:].strip('"')
+                package = service.split("/")[0]
+            elif event == "wake":
+                uid = line[line.find("=")+1:line.find(":")]
+                service = line[line.find("*walarm*:")+9:].split(" ")[0].strip('"').strip()
+                if service == "" or "/" not in service:
+                    continue
+
+                package = service.split("/")[0]
+            else:
+                continue
+
+            results.append({
+                "time_elapsed": time_elapsed,
+                "event": event,
+                "uid": uid,
+                "package": package,
+                "service": service,
+            })
+
+        return results
+
+    def run(self):
+        self._adb_connect()
+
+        output = self._adb_command("dumpsys batterystats --history")
+        self.results = self.parse_battery_history(output)
+
+        self.log.info("Extracted %d records from battery history", len(self.results))
+
+        self._adb_disconnect()
--- a/mvt/android/modules/adb/dumpsys_batterystats.py
+++ b/mvt/android/modules/adb/dumpsys_batterystats.py
@@ -1,46 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-import os
-
-from .base import AndroidExtraction
-
-log = logging.getLogger(__name__)
-
-
-class DumpsysBatterystats(AndroidExtraction):
-    """This module extracts stats on battery consumption by processes."""
-
-    def __init__(self, file_path=None, base_folder=None, output_folder=None,
-                 serial=None, fast_mode=False, log=None, results=[]):
-        super().__init__(file_path=file_path, base_folder=base_folder,
-                         output_folder=output_folder, fast_mode=fast_mode,
-                         log=log, results=results)
-
-    def run(self):
-        self._adb_connect()
-
-        stats = self._adb_command("dumpsys batterystats")
-        if self.output_folder:
-            stats_path = os.path.join(self.output_folder,
-                                      "dumpsys_batterystats.txt")
-            with open(stats_path, "w") as handle:
-                handle.write(stats)
-
-            log.info("Records from dumpsys batterystats stored at %s",
-                     stats_path)
-
-        history = self._adb_command("dumpsys batterystats --history")
-        if self.output_folder:
-            history_path = os.path.join(self.output_folder,
-                                        "dumpsys_batterystats_history.txt")
-            with open(history_path, "w") as handle:
-                handle.write(history)
-
-            log.info("History records from dumpsys batterystats stored at %s",
-                     history_path)
-
-        self._adb_disconnect()
--- a/mvt/android/modules/adb/dumpsys_dbinfo.py
+++ b/mvt/android/modules/adb/dumpsys_dbinfo.py
@@ -0,0 +1,78 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2022 The MVT Project Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import logging
+import re
+
+from .base import AndroidExtraction
+
+log = logging.getLogger(__name__)
+
+
+class DumpsysDBInfo(AndroidExtraction):
+    """This module extracts records from battery daily updates."""
+
+    slug = "dumpsys_dbinfo"
+
+    def __init__(self, file_path=None, base_folder=None, output_folder=None,
+                 serial=None, fast_mode=False, log=None, results=[]):
+        super().__init__(file_path=file_path, base_folder=base_folder,
+                         output_folder=output_folder, fast_mode=fast_mode,
+                         log=log, results=results)
+
+    def check_indicators(self):
+        for result in self.results:
+            path = result.get("path", "")
+            for part in path.split("/"):
+                ioc = self.indicators.check_app_id(part)
+                if ioc:
+                    result["matched_indicator"] = ioc
+                    self.detected.append(result)
+                    continue
+
+    @staticmethod
+    def parse_dbinfo(output):
+        results = []
+
+        rxp = re.compile(r'.*\[([0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3})\].*\[Pid:\((\d+)\)\](\w+).*sql\=\"(.+?)\".*path\=(.*?$)')
+
+        in_operations = False
+        for line in output.split("\n"):
+            if line.strip() == "Most recently executed operations:":
+                in_operations = True
+                continue
+
+            if not in_operations:
+                continue
+
+            if not line.startswith("        "):
+                in_operations = False
+                continue
+
+            matches = rxp.findall(line)
+            if not matches:
+                continue
+
+            match = matches[0]
+            results.append({
+                "isodate": match[0],
+                "pid": match[1],
+                "action": match[2],
+                "sql": match[3],
+                "path": match[4],
+            })
+
+        return results
+
+    def run(self):
+        self._adb_connect()
+
+        output = self._adb_command("dumpsys dbinfo")
+        self.results = self.parse_dbinfo(output)
+
+        self.log.info("Extracted a total of %d records from database information",
+                      len(self.results))
+
+        self._adb_disconnect()
--- a/mvt/android/modules/adb/dumpsys_full.py
+++ b/mvt/android/modules/adb/dumpsys_full.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

@@ -23,14 +23,12 @@ class DumpsysFull(AndroidExtraction):
    def run(self):
        self._adb_connect()

-        stats = self._adb_command("dumpsys")
+        output = self._adb_command("dumpsys")
        if self.output_folder:
-            stats_path = os.path.join(self.output_folder,
-                                      "dumpsys.txt")
-            with open(stats_path, "w") as handle:
-                handle.write(stats)
+            output_path = os.path.join(self.output_folder, "dumpsys.txt")
+            with open(output_path, "w", encoding="utf-8") as handle:
+                handle.write(output)

-            log.info("Full dumpsys output stored at %s",
-                     stats_path)
+            log.info("Full dumpsys output stored at %s", output_path)

        self._adb_disconnect()
--- a/mvt/android/modules/adb/dumpsys_packages.py
+++ b/mvt/android/modules/adb/dumpsys_packages.py
@@ -1,37 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-import os
-
-from .base import AndroidExtraction
-
-log = logging.getLogger(__name__)
-
-
-class DumpsysPackages(AndroidExtraction):
-    """This module extracts details on installed packages."""
-
-    def __init__(self, file_path=None, base_folder=None, output_folder=None,
-                 serial=None, fast_mode=False, log=None, results=[]):
-        super().__init__(file_path=file_path, base_folder=base_folder,
-                         output_folder=output_folder, fast_mode=fast_mode,
-                         log=log, results=results)
-
-    def run(self):
-        self._adb_connect()
-
-        output = self._adb_command("dumpsys package")
-
-        if self.output_folder:
-            packages_path = os.path.join(self.output_folder,
-                                         "dumpsys_packages.txt")
-            with open(packages_path, "w") as handle:
-                handle.write(output)
-
-            log.info("Records from dumpsys package stored at %s",
-                     packages_path)
-
-        self._adb_disconnect()
--- a/mvt/android/modules/adb/dumpsys_procstats.py
+++ b/mvt/android/modules/adb/dumpsys_procstats.py
@@ -1,36 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-import os
-
-from .base import AndroidExtraction
-
-log = logging.getLogger(__name__)
-
-
-class DumpsysProcstats(AndroidExtraction):
-    """This module extracts stats on memory consumption by processes."""
-
-    def __init__(self, file_path=None, base_folder=None, output_folder=None,
-                 serial=None, fast_mode=False, log=None, results=[]):
-        super().__init__(file_path=file_path, base_folder=base_folder,
-                         output_folder=output_folder, fast_mode=fast_mode,
-                         log=log, results=results)
-
-    def run(self):
-        self._adb_connect()
-
-        output = self._adb_command("dumpsys procstats")
-        if self.output_folder:
-            procstats_path = os.path.join(self.output_folder,
-                                          "dumpsys_procstats.txt")
-            with open(procstats_path, "w") as handle:
-                handle.write(output)
-
-            log.info("Records from dumpsys procstats stored at %s",
-                     procstats_path)
-
-        self._adb_disconnect()
--- a/mvt/android/modules/adb/dumpsys_receivers.py
+++ b/mvt/android/modules/adb/dumpsys_receivers.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

@@ -9,10 +9,11 @@ from .base import AndroidExtraction

 log = logging.getLogger(__name__)

-ACTION_NEW_OUTGOING_SMS = "android.provider.Telephony.NEW_OUTGOING_SMS"
-ACTION_SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
-ACTION_DATA_SMS_RECEIVED = "android.intent.action.DATA_SMS_RECEIVED"
-ACTION_PHONE_STATE = "android.intent.action.PHONE_STATE"
+INTENT_NEW_OUTGOING_SMS = "android.provider.Telephony.NEW_OUTGOING_SMS"
+INTENT_SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
+INTENT_DATA_SMS_RECEIVED = "android.intent.action.DATA_SMS_RECEIVED"
+INTENT_PHONE_STATE = "android.intent.action.PHONE_STATE"
+INTENT_NEW_OUTGOING_CALL = "android.intent.action.NEW_OUTGOING_CALL"


 class DumpsysReceivers(AndroidExtraction):
@@ -24,64 +25,93 @@ class DumpsysReceivers(AndroidExtraction):
                         output_folder=output_folder, fast_mode=fast_mode,
                         log=log, results=results)

-    def run(self):
-        self._adb_connect()
+        self.results = results if results else {}

-        output = self._adb_command("dumpsys package")
-        if not output:
-            return
+    def check_indicators(self):
+        for intent, receivers in self.results.items():
+            for receiver in receivers:
+                if intent == INTENT_NEW_OUTGOING_SMS:
+                    self.log.info("Found a receiver to intercept outgoing SMS messages: \"%s\"",
+                                  receiver["receiver"])
+                elif intent == INTENT_SMS_RECEIVED:
+                    self.log.info("Found a receiver to intercept incoming SMS messages: \"%s\"",
+                                  receiver["receiver"])
+                elif intent == INTENT_DATA_SMS_RECEIVED:
+                    self.log.info("Found a receiver to intercept incoming data SMS message: \"%s\"",
+                                  receiver["receiver"])
+                elif intent == INTENT_PHONE_STATE:
+                    self.log.info("Found a receiver monitoring telephony state/incoming calls: \"%s\"",
+                                  receiver["receiver"])
+                elif intent == INTENT_NEW_OUTGOING_CALL:
+                    self.log.info("Found a receiver monitoring outgoing calls: \"%s\"",
+                                  receiver["receiver"])

-        activity = None
+            ioc = self.indicators.check_app_id(receiver["package"])
+            if ioc:
+                receiver["matched_indicator"] = ioc
+                self.detected.append({intent: receiver})
+                continue
+
+    @staticmethod
+    def parse_receiver_resolver_table(output):
+        results = {}
+
+        in_receiver_resolver_table = False
+        in_non_data_actions = False
+        intent = None
        for line in output.split("\n"):
-            # Find activity block markers.
-            if line.strip().startswith(ACTION_NEW_OUTGOING_SMS):
-                activity = ACTION_NEW_OUTGOING_SMS
-                continue
-            elif line.strip().startswith(ACTION_SMS_RECEIVED):
-                activity = ACTION_SMS_RECEIVED
-                continue
-            elif line.strip().startswith(ACTION_PHONE_STATE):
-                activity = ACTION_PHONE_STATE
-                continue
-            elif line.strip().startswith(ACTION_DATA_SMS_RECEIVED):
-                activity = ACTION_DATA_SMS_RECEIVED
+            if line.startswith("Receiver Resolver Table:"):
+                in_receiver_resolver_table = True
                continue

-            # If we are not in an activity block yet, skip.
-            if not activity:
+            if not in_receiver_resolver_table:
+                continue
+
+            if line.startswith("  Non-Data Actions:"):
+                in_non_data_actions = True
+                continue
+
+            if not in_non_data_actions:
+                continue
+
+            # If we hit an empty line, the Non-Data Actions section should be
+            # finished.
+            if line.strip() == "":
+                break
+
+            # We detect the action name.
+            if line.startswith(" " * 6) and not line.startswith(" " * 8) and ":" in line:
+                intent = line.strip().replace(":", "")
+                results[intent] = []
+                continue
+
+            # If we are not in an intent block yet, skip.
+            if not intent:
                continue

            # If we are in a block but the line does not start with 8 spaces
            # it means the block ended a new one started, so we reset and
            # continue.
            if not line.startswith(" " * 8):
-                activity = None
+                intent = None
                continue

            # If we got this far, we are processing receivers for the
            # activities we are interested in.
            receiver = line.strip().split(" ")[1]
-            package_name = receiver.split("/")[0]
-            if package_name == "com.google.android.gms":
-                continue
+            package = receiver.split("/")[0]

-            if activity == ACTION_NEW_OUTGOING_SMS:
-                self.log.info("Found a receiver to intercept outgoing SMS messages: \"%s\"",
-                              receiver)
-            elif activity == ACTION_SMS_RECEIVED:
-                self.log.info("Found a receiver to intercept incoming SMS messages: \"%s\"",
-                              receiver)
-            elif activity == ACTION_DATA_SMS_RECEIVED:
-                self.log.info("Found a receiver to intercept incoming data SMS message: \"%s\"",
-                              receiver)
-            elif activity == ACTION_PHONE_STATE:
-                self.log.info("Found a receiver monitoring telephony state: \"%s\"",
-                              receiver)
-
-            self.results.append({
-                "activity": activity,
-                "package_name": package_name,
+            results[intent].append({
+                "package": package,
                "receiver": receiver,
            })

+        return results
+
+    def run(self):
+        self._adb_connect()
+
+        output = self._adb_command("dumpsys package")
+        self.results = self.parse_receiver_resolver_table(output)
+
        self._adb_disconnect()
--- a/mvt/android/modules/adb/files.py
+++ b/mvt/android/modules/adb/files.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

@@ -22,30 +22,16 @@ class Files(AndroidExtraction):
        super().__init__(file_path=file_path, base_folder=base_folder,
                         output_folder=output_folder, fast_mode=fast_mode,
                         log=log, results=results)
-        self.full_find = None
+        self.full_find = False

-    def find_path(self, file_path):
-        """Checks if Android system supports full find command output"""
-        # Check find command params on first run
-        # Run find command with correct args and parse results.
-
-        # Check that full file printf options are suppported on first run.
-        if self.full_find is None:
-            output = self._adb_command("find '/' -maxdepth 1 -printf '%T@ %m %s %u %g %p\n' 2> /dev/null")
-            if not (output or output.strip().splitlines()):
-                # Full  find command failed to generate output, fallback to basic file arguments
-                self.full_find = False
-            else:
-                self.full_find = True
-
-        found_files = []
-        if self.full_find is True:
-            # Run full file command and collect additonal file information.
+    def find_files(self, file_path):
+        if self.full_find:
            output = self._adb_command(f"find '{file_path}' -printf '%T@ %m %s %u %g %p\n' 2> /dev/null")
+
            for file_line in output.splitlines():
                [unix_timestamp, mode, size, owner, group, full_path] = file_line.rstrip().split(" ", 5)
                mod_time = convert_timestamp_to_iso(datetime.datetime.utcfromtimestamp(int(float(unix_timestamp))))
-                found_files.append({
+                self.results.append({
                    "path": full_path,
                    "modified_time": mod_time,
                    "mode": mode,
@@ -56,14 +42,9 @@ class Files(AndroidExtraction):
                    "group": group,
                })
        else:
-            # Run a basic listing of file paths.
            output = self._adb_command(f"find '{file_path}' 2> /dev/null")
            for file_line in output.splitlines():
-                found_files.append({
-                    "path": file_line.rstrip()
-                })
-
-        return found_files
+                self.results.append({"path": file_line.rstrip()})

    def serialize(self, record):
        if "modified_time" in record:
@@ -85,6 +66,7 @@ class Files(AndroidExtraction):
    def check_indicators(self):
        """Check file list for known suspicious files or suspicious properties"""
        self.check_suspicious()
+
        if not self.indicators:
            return

@@ -95,25 +77,21 @@ class Files(AndroidExtraction):

    def run(self):
        self._adb_connect()
-        found_file_paths = []

-        DATA_PATHS = ["/data/local/tmp/", "/sdcard/", "/tmp/"]
-        for path in DATA_PATHS:
-            file_info = self.find_path(path)
-            found_file_paths.extend(file_info)
+        output = self._adb_command("find '/' -maxdepth 1 -printf '%T@ %m %s %u %g %p\n' 2> /dev/null")
+        if output or output.strip().splitlines():
+            self.full_find = True

-        # Store results
-        self.results.extend(found_file_paths)
-        self.log.info("Found %s files in primary Android data directories.", len(found_file_paths))
+        for data_path in ["/data/local/tmp/", "/sdcard/", "/tmp/"]:
+            self.find_files(data_path)
+
+        self.log.info("Found %s files in primary Android data directories", len(self.results))

        if self.fast_mode:
            self.log.info("Flag --fast was enabled: skipping full file listing")
        else:
-            self.log.info("Flag --fast was not enabled: processing full file listing. "
-                          "This may take a while...")
-            output = self.find_path("/")
-            if output and self.output_folder:
-                self.results.extend(output)
-                log.info("List of visible files stored in files.json")
+            self.log.info("Processing full file listing. This may take a while...")
+            self.find_files("/")
+            self.log.info("Found %s total files", len(self.results))

        self._adb_disconnect()
--- a/mvt/android/modules/adb/getprop.py
+++ b/mvt/android/modules/adb/getprop.py
@@ -0,0 +1,45 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2022 The MVT Project Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import logging
+import re
+
+from .base import AndroidExtraction
+
+log = logging.getLogger(__name__)
+
+
+class Getprop(AndroidExtraction):
+    """This module extracts device properties from getprop command."""
+
+    def __init__(self, file_path=None, base_folder=None, output_folder=None,
+                 serial=None, fast_mode=False, log=None, results=[]):
+        super().__init__(file_path=file_path, base_folder=base_folder,
+                         output_folder=output_folder, fast_mode=fast_mode,
+                         log=log, results=results)
+
+        self.results = {} if not results else results
+
+    def run(self):
+        self._adb_connect()
+
+        rxp = re.compile(r"\[(.+?)\]: \[(.+?)\]")
+        out = self._adb_command("getprop")
+        for line in out.splitlines():
+            line = line.strip()
+            if line == "":
+                continue
+
+            matches = re.findall(rxp, line)
+            if not matches or len(matches[0]) != 2:
+                continue
+
+            key = matches[0][0]
+            value = matches[0][1]
+            self.results[key] = value
+
+        self._adb_disconnect()
+
+        self.log.info("Extracted %d Android system properties", len(self.results))
--- a/mvt/android/modules/adb/logcat.py
+++ b/mvt/android/modules/adb/logcat.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

@@ -31,7 +31,7 @@ class Logcat(AndroidExtraction):
        if self.output_folder:
            logcat_path = os.path.join(self.output_folder,
                                       "logcat.txt")
-            with open(logcat_path, "w") as handle:
+            with open(logcat_path, "w", encoding="utf-8") as handle:
                handle.write(output)

            log.info("Current logcat logs stored at %s",
@@ -39,7 +39,7 @@ class Logcat(AndroidExtraction):

            logcat_last_path = os.path.join(self.output_folder,
                                            "logcat_last.txt")
-            with open(logcat_last_path, "w") as handle:
+            with open(logcat_last_path, "w", encoding="utf-8") as handle:
                handle.write(last_output)

            log.info("Logcat logs prior to last reboot stored at %s",
--- a/mvt/android/modules/adb/packages.py
+++ b/mvt/android/modules/adb/packages.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

@@ -8,6 +8,9 @@ import os

 import pkg_resources

+from mvt.android.lookups.koodous import koodous_lookup
+from mvt.android.lookups.virustotal import virustotal_lookup
+
 from .base import AndroidExtraction

 log = logging.getLogger(__name__)
@@ -42,9 +45,6 @@ class Packages(AndroidExtraction):
        return records

    def check_indicators(self):
-        if not self.indicators:
-            return
-
        root_packages_path = os.path.join("..", "..", "data", "root_packages.txt")
        root_packages_string = pkg_resources.resource_string(__name__, root_packages_path)
        root_packages = root_packages_string.decode("utf-8").split("\n")
@@ -55,16 +55,19 @@ class Packages(AndroidExtraction):
                self.log.warning("Found an installed package related to rooting/jailbreaking: \"%s\"",
                                 result["package_name"])
                self.detected.append(result)
-            if result["package_name"] in self.indicators.ioc_app_ids:
-                self.log.warning("Found a malicious package name: \"%s\"",
-                                 result["package_name"])
+                continue
+
+            ioc = self.indicators.check_app_id(result.get("package_name"))
+            if ioc:
+                result["matched_indicator"] = ioc
                self.detected.append(result)
-                for file in result["files"]:
-                    if file["sha256"] in self.indicators.ioc_files_sha256:
-                        self.log.warning("Found a malicious APK: \"%s\" %s",
-                                         result["package_name"],
-                                         file["sha256"])
-                        self.detected.append(result)
+                continue
+
+            for package_file in result["files"]:
+                ioc = self.indicators.check_file_hash(package_file["sha256"])
+                if ioc:
+                    result["matched_indicator"] = ioc
+                    self.detected.append(result)

    def _get_files_for_package(self, package_name):
        output = self._adb_command(f"pm path {package_name}")
@@ -157,13 +160,19 @@ class Packages(AndroidExtraction):
                    if result["package_name"] == package_name:
                        self.results[i][cmd["field"]] = True

+        packages_to_lookup = []
        for result in self.results:
            if result["system"]:
                continue

+            packages_to_lookup.append(result)
            self.log.info("Found non-system package with name \"%s\" installed by \"%s\" on %s",
                          result["package_name"], result["installer"], result["timestamp"])

+        if not self.fast_mode:
+            virustotal_lookup(packages_to_lookup)
+            koodous_lookup(packages_to_lookup)
+
        self.log.info("Extracted at total of %d installed package names",
                      len(self.results))

--- a/mvt/android/modules/adb/processes.py
+++ b/mvt/android/modules/adb/processes.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/android/modules/adb/root_binaries.py
+++ b/mvt/android/modules/adb/root_binaries.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/android/modules/adb/settings.py
+++ b/mvt/android/modules/adb/settings.py
@@ -0,0 +1,105 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2022 The MVT Project Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import logging
+
+from .base import AndroidExtraction
+
+log = logging.getLogger(__name__)
+
+
+ANDROID_DANGEROUS_SETTINGS = [
+    {
+        "description": "disabled Google Play Services apps verification",
+        "key": "verifier_verify_adb_installs",
+        "safe_value": "1",
+    },
+    {
+        "description": "disabled Google Play Protect",
+        "key": "package_verifier_enable",
+        "safe_value": "1",
+    },
+    {
+        "description": "disabled Google Play Protect",
+        "key": "package_verifier_user_consent",
+        "safe_value": "1",
+    },
+    {
+        "description": "disabled Google Play Protect",
+        "key": "upload_apk_enable",
+        "safe_value": "1",
+    },
+    {
+        "description": "enabled installation of non-market apps",
+        "key": "install_non_market_apps",
+        "safe_value": "0",
+    },
+    {
+        "description": "disabled confirmation of adb apps installation",
+        "key": "adb_install_need_confirm",
+        "safe_value": "1",
+    },
+    {
+        "description": "disabled sharing of security reports",
+        "key": "send_security_reports",
+        "safe_value": "1",
+    },
+    {
+        "description": "disabled sharing of crash logs with manufacturer",
+        "key": "samsung_errorlog_agree",
+        "safe_value": "1",
+    },
+    {
+        "description": "disabled applications errors reports",
+        "key": "send_action_app_error",
+        "safe_value": "1",
+    },
+]
+
+
+class Settings(AndroidExtraction):
+    """This module extracts Android system settings."""
+
+    def __init__(self, file_path=None, base_folder=None, output_folder=None,
+                 serial=None, fast_mode=False, log=None, results=[]):
+        super().__init__(file_path=file_path, base_folder=base_folder,
+                         output_folder=output_folder, fast_mode=fast_mode,
+                         log=log, results=results)
+
+        self.results = {} if not results else results
+
+    def check_indicators(self):
+        for namespace, settings in self.results.items():
+            for key, value in settings.items():
+                for danger in ANDROID_DANGEROUS_SETTINGS:
+                    # Check if one of the dangerous settings is using an unsafe
+                    # value (different than the one specified).
+                    if danger["key"] == key and danger["safe_value"] != value:
+                        self.log.warning("Found suspicious setting \"%s = %s\" (%s)",
+                                         key, value, danger["description"])
+                        break
+
+    def run(self):
+        self._adb_connect()
+
+        for namespace in ["system", "secure", "global"]:
+            out = self._adb_command(f"cmd settings list {namespace}")
+            if not out:
+                continue
+
+            self.results[namespace] = {}
+
+            for line in out.splitlines():
+                line = line.strip()
+                if line == "":
+                    continue
+
+                fields = line.split("=", 1)
+                try:
+                    self.results[namespace][fields[0]] = fields[1]
+                except IndexError:
+                    continue
+
+        self._adb_disconnect()
--- a/mvt/android/modules/adb/sms.py
+++ b/mvt/android/modules/adb/sms.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/android/modules/adb/whatsapp.py
+++ b/mvt/android/modules/adb/whatsapp.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/android/modules/backup/init.py
+++ b/mvt/android/modules/backup/init.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/android/modules/backup/sms.py
+++ b/mvt/android/modules/backup/sms.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/common/init.py
+++ b/mvt/common/init.py
@@ -1,4 +1,4 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
--- a/mvt/common/help.py
+++ b/mvt/common/help.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/common/indicators.py
+++ b/mvt/common/indicators.py
@@ -1,9 +1,8 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

-import io
 import json
 import os

@@ -82,7 +81,7 @@ class Indicators:
        ioc_file["file_path"] = file_path
        ioc_file["file_name"] = os.path.basename(file_path)

-        with open(file_path, "r") as handle:
+        with open(file_path, "r", encoding="utf-8") as handle:
            try:
                data = json.load(handle)
            except json.decoder.JSONDecodeError:
@@ -173,8 +172,7 @@ class Indicators:

        :param url: URL to match against domain indicators
        :type url: str
-        :returns: True if the URL matched an indicator, otherwise False
-        :rtype: bool
+        :returns: Indicator details if matched, otherwise None

        """
        # TODO: If the IOC domain contains a subdomain, it is not currently
@@ -246,8 +244,7 @@ class Indicators:

        :param urls: List of URLs to check against domain indicators
        :type urls: list
-        :returns: True if any URL matched an indicator, otherwise False
-        :rtype: bool
+        :returns: Indicator details if matched, otherwise None

        """
        if not urls:
@@ -264,8 +261,7 @@ class Indicators:

        :param process: Process name to check against process indicators
        :type process: str
-        :returns: True if process matched an indicator, otherwise False
-        :rtype: bool
+        :returns: Indicator details if matched, otherwise None

        """
        if not process:
@@ -290,8 +286,7 @@ class Indicators:

        :param processes: List of processes to check against process indicators
        :type processes: list
-        :returns: True if process matched an indicator, otherwise False
-        :rtype: bool
+        :returns: Indicator details if matched, otherwise None

        """
        if not processes:
@@ -307,8 +302,7 @@ class Indicators:

        :param email: Email address to check against email indicators
        :type email: str
-        :returns: True if email address matched an indicator, otherwise False
-        :rtype: bool
+        :returns: Indicator details if matched, otherwise None

        """
        if not email:
@@ -326,8 +320,7 @@ class Indicators:
        :param file_name: File name to check against file
        indicators
        :type file_name: str
-        :returns: True if the file name matched an indicator, otherwise False
-        :rtype: bool
+        :returns: Indicator details if matched, otherwise None

        """
        if not file_name:
@@ -345,8 +338,7 @@ class Indicators:
        :param file_path: File path or file name to check against file
        indicators
        :type file_path: str
-        :returns: True if the file path matched an indicator, otherwise False
-        :rtype: bool
+        :returns: Indicator details if matched, otherwise None

        """
        if not file_path:
@@ -368,16 +360,53 @@ class Indicators:

        :param profile_uuid: Profile UUID to check against configuration profile indicators
        :type profile_uuid: str
-        :returns: True if the UUID in indicator list, otherwise False
-        :rtype: bool
+        :returns: Indicator details if matched, otherwise None

        """
+        if not profile_uuid:
+            return None
+
        for ioc in self.get_iocs("ios_profile_ids"):
            if profile_uuid in ioc["value"]:
                self.log.warning("Found a known suspicious profile ID \"%s\" matching indicators from \"%s\"",
                                 profile_uuid, ioc["name"])
                return ioc

+    def check_file_hash(self, file_hash):
+        """Check the provided SHA256 file hash against the list of indicators.
+
+        :param file_hash: SHA256 hash to check
+        :type file_hash: str
+        :returns: Indicator details if matched, otherwise None
+
+        """
+        if not file_hash:
+            return None
+
+        for ioc in self.get_iocs("files_sha256"):
+            if file_hash.lower() == ioc["value"].lower():
+                self.log.warning("Found a known suspicious file with hash \"%s\" matching indicators from \"%s\"",
+                                 file_hash, ioc["name"])
+                return ioc
+
+    def check_app_id(self, app_id):
+        """Check the provided app identifier (typically an Android package name)
+        against the list of indicators.
+
+        :param app_id: App ID to check against the list of indicators
+        :type app_id: str
+        :returns: Indicator details if matched, otherwise None
+
+        """
+        if not app_id:
+            return None
+
+        for ioc in self.get_iocs("app_ids"):
+            if app_id.lower() == ioc["value"].lower():
+                self.log.warning("Found a known suspicious app with ID \"%s\" matching indicators from \"%s\"",
+                                 app_id, ioc["name"])
+                return ioc
+

 def download_indicators_files(log):
    """
@@ -406,7 +435,7 @@ def download_indicators_files(log):
        ioc_path = os.path.join(data_dir, clean_file_name)

        # Write file to disk. This will overwrite any older version of the STIX2 file.
-        with io.open(ioc_path, "w") as f:
+        with open(ioc_path, "w", encoding="utf-8") as f:
            f.write(res.text)

        log.info("Saved indicator file to '%s'", os.path.basename(ioc_path))
--- a/mvt/common/logo.py
+++ b/mvt/common/logo.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/common/module.py
+++ b/mvt/common/module.py
@@ -1,10 +1,9 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

 import csv
-import io
 import os
 import re

@@ -58,7 +57,7 @@ class MVTModule(object):

    @classmethod
    def from_json(cls, json_path, log=None):
-        with open(json_path, "r") as handle:
+        with open(json_path, "r", encoding="utf-8") as handle:
            results = json.load(handle)
            if log:
                log.info("Loaded %d results from \"%s\"",
@@ -91,7 +90,7 @@ class MVTModule(object):
        if self.results:
            results_file_name = f"{name}.json"
            results_json_path = os.path.join(self.output_folder, results_file_name)
-            with io.open(results_json_path, "w", encoding="utf-8") as handle:
+            with open(results_json_path, "w", encoding="utf-8") as handle:
                try:
                    json.dump(self.results, handle, indent=4, default=str)
                except Exception as e:
@@ -101,7 +100,7 @@ class MVTModule(object):
        if self.detected:
            detected_file_name = f"{name}_detected.json"
            detected_json_path = os.path.join(self.output_folder, detected_file_name)
-            with io.open(detected_json_path, "w", encoding="utf-8") as handle:
+            with open(detected_json_path, "w", encoding="utf-8") as handle:
                json.dump(self.detected, handle, indent=4, default=str)

    def serialize(self, record):
@@ -192,7 +191,7 @@ def save_timeline(timeline, timeline_path):
    :param timeline_path: Path to the csv file to store the timeline to

    """
-    with io.open(timeline_path, "a+", encoding="utf-8") as handle:
+    with open(timeline_path, "a+", encoding="utf-8") as handle:
        csvoutput = csv.writer(handle, delimiter=",", quotechar="\"")
        csvoutput.writerow(["UTC Timestamp", "Plugin", "Event", "Description"])
        for event in sorted(timeline, key=lambda x: x["timestamp"] if x["timestamp"] is not None else ""):
--- a/mvt/common/options.py
+++ b/mvt/common/options.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/common/url.py
+++ b/mvt/common/url.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/common/utils.py
+++ b/mvt/common/utils.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/common/version.py
+++ b/mvt/common/version.py
@@ -1,12 +1,12 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

 import requests
 from packaging import version

-MVT_VERSION = "1.4.7"
+MVT_VERSION = "1.4.10"


 def check_for_updates():
--- a/mvt/ios/init.py
+++ b/mvt/ios/init.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/cli.py
+++ b/mvt/ios/cli.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

@@ -184,7 +184,7 @@ def check_backup(ctx, iocs, output, fast, backup_path, list_modules, module):

    if len(timeline_detected) > 0:
        log.warning("The analysis of the backup produced %d detections!",
-                len(timeline_detected))
+                    len(timeline_detected))


 #==============================================================================
@@ -247,6 +247,7 @@ def check_fs(ctx, iocs, output, fast, dump_path, list_modules, module):
        log.warning("The analysis of the filesystem produced %d detections!",
                    len(timeline_detected))

+
 #==============================================================================
 # Command: check-iocs
 #==============================================================================
--- a/mvt/ios/decrypt.py
+++ b/mvt/ios/decrypt.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

@@ -185,7 +185,7 @@ class DecryptBackup:
            return

        try:
-            with open(key_path, 'w') as handle:
+            with open(key_path, 'w', encoding="utf-8") as handle:
                handle.write(self._decryption_key)
        except Exception as e:
            log.exception(e)
--- a/mvt/ios/modules/init.py
+++ b/mvt/ios/modules/init.py
@@ -1,4 +1,4 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
--- a/mvt/ios/modules/backup/init.py
+++ b/mvt/ios/modules/backup/init.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/backup/backup_info.py
+++ b/mvt/ios/modules/backup/backup_info.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/backup/configuration_profiles.py
+++ b/mvt/ios/modules/backup/configuration_profiles.py
@@ -1,6 +1,5 @@
-
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

@@ -78,6 +77,9 @@ class ConfigurationProfiles(IOSExtraction):

            if "SignerCerts" in conf_plist:
                conf_plist["SignerCerts"] = [b64encode(x) for x in conf_plist["SignerCerts"]]
+            if "OTAProfileStub" in conf_plist:
+                if "SignerCerts" in conf_plist["OTAProfileStub"]:
+                    conf_plist["OTAProfileStub"]["SignerCerts"] = [b64encode(x) for x in conf_plist["OTAProfileStub"]["SignerCerts"]]
            if "PushTokenDataSentToServerKey" in conf_plist:
                conf_plist["PushTokenDataSentToServerKey"] = b64encode(conf_plist["PushTokenDataSentToServerKey"])
            if "LastPushTokenHash" in conf_plist:
--- a/mvt/ios/modules/backup/manifest.py
+++ b/mvt/ios/modules/backup/manifest.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/backup/profile_events.py
+++ b/mvt/ios/modules/backup/profile_events.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/base.py
+++ b/mvt/ios/modules/base.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/fs/init.py
+++ b/mvt/ios/modules/fs/init.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/fs/analytics.py
+++ b/mvt/ios/modules/fs/analytics.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/fs/cache_files.py
+++ b/mvt/ios/modules/fs/cache_files.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/fs/filesystem.py
+++ b/mvt/ios/modules/fs/filesystem.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/fs/net_netusage.py
+++ b/mvt/ios/modules/fs/net_netusage.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/fs/safari_favicon.py
+++ b/mvt/ios/modules/fs/safari_favicon.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/fs/shutdownlog.py
+++ b/mvt/ios/modules/fs/shutdownlog.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

@@ -86,5 +86,5 @@ class ShutdownLog(IOSExtraction):
    def run(self):
        self._find_ios_database(root_paths=SHUTDOWN_LOG_PATH)
        self.log.info("Found shutdown log at path: %s", self.file_path)
-        with open(self.file_path, "r") as handle:
+        with open(self.file_path, "r", encoding="utf-8") as handle:
            self.process_shutdownlog(handle.read())
--- a/mvt/ios/modules/fs/version_history.py
+++ b/mvt/ios/modules/fs/version_history.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

@@ -34,7 +34,7 @@ class IOSVersionHistory(IOSExtraction):

    def run(self):
        for found_path in self._get_fs_files_from_patterns(IOS_ANALYTICS_JOURNAL_PATHS):
-            with open(found_path, "r") as analytics_log:
+            with open(found_path, "r", encoding="utf-8") as analytics_log:
                log_line = json.loads(analytics_log.readline().strip())

                timestamp = datetime.datetime.strptime(log_line["timestamp"],
--- a/mvt/ios/modules/fs/webkit_base.py
+++ b/mvt/ios/modules/fs/webkit_base.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/fs/webkit_indexeddb.py
+++ b/mvt/ios/modules/fs/webkit_indexeddb.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/fs/webkit_localstorage.py
+++ b/mvt/ios/modules/fs/webkit_localstorage.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/fs/webkit_safariviewservice.py
+++ b/mvt/ios/modules/fs/webkit_safariviewservice.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/mixed/init.py
+++ b/mvt/ios/modules/mixed/init.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/mixed/calls.py
+++ b/mvt/ios/modules/mixed/calls.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/mixed/chrome_favicon.py
+++ b/mvt/ios/modules/mixed/chrome_favicon.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/mixed/chrome_history.py
+++ b/mvt/ios/modules/mixed/chrome_history.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/mixed/contacts.py
+++ b/mvt/ios/modules/mixed/contacts.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/mixed/firefox_favicon.py
+++ b/mvt/ios/modules/mixed/firefox_favicon.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/mixed/firefox_history.py
+++ b/mvt/ios/modules/mixed/firefox_history.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/mixed/idstatuscache.py
+++ b/mvt/ios/modules/mixed/idstatuscache.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/mixed/interactionc.py
+++ b/mvt/ios/modules/mixed/interactionc.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/mixed/locationd.py
+++ b/mvt/ios/modules/mixed/locationd.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/mixed/net_datausage.py
+++ b/mvt/ios/modules/mixed/net_datausage.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/mixed/osanalytics_addaily.py
+++ b/mvt/ios/modules/mixed/osanalytics_addaily.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/mixed/safari_browserstate.py
+++ b/mvt/ios/modules/mixed/safari_browserstate.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

@@ -62,6 +62,7 @@ class SafariBrowserState(IOSExtraction):
                        self.detected.append(result)

    def _process_browser_state_db(self, db_path):
+        self._recover_sqlite_db_if_needed(db_path)
        conn = sqlite3.connect(db_path)

        cur = conn.cursor()
@@ -92,8 +93,12 @@ class SafariBrowserState(IOSExtraction):
            if row[4]:
                # Skip a 4 byte header before the plist content.
                session_plist = row[4][4:]
-                session_data = plistlib.load(io.BytesIO(session_plist))
-                session_data = keys_bytes_to_string(session_data)
+                session_data = {}
+                try:
+                    session_data = plistlib.load(io.BytesIO(session_plist))
+                    session_data = keys_bytes_to_string(session_data)
+                except plistlib.InvalidFileException:
+                    pass

                if "SessionHistoryEntries" in session_data.get("SessionHistory", {}):
                    for session_entry in session_data["SessionHistory"].get("SessionHistoryEntries"):
@@ -114,7 +119,6 @@ class SafariBrowserState(IOSExtraction):
            })

    def run(self):
-
        if self.is_backup:
            for backup_file in self._get_backup_files_from_manifest(relative_path=SAFARI_BROWSER_STATE_BACKUP_RELPATH):
                self.file_path = self._get_backup_file_from_id(backup_file["file_id"])
--- a/mvt/ios/modules/mixed/safari_history.py
+++ b/mvt/ios/modules/mixed/safari_history.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/mixed/shortcuts.py
+++ b/mvt/ios/modules/mixed/shortcuts.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/mixed/sms.py
+++ b/mvt/ios/modules/mixed/sms.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/mixed/sms_attachments.py
+++ b/mvt/ios/modules/mixed/sms_attachments.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/mixed/tcc.py
+++ b/mvt/ios/modules/mixed/tcc.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

@@ -97,7 +97,6 @@ class TCC(IOSExtraction):
                    FROM access;""")
                db_version = "v1"

-
        for row in cur:
            service = row[0]
            client = row[1]
@@ -113,7 +112,7 @@ class TCC(IOSExtraction):
                if service in ["kTCCServiceMicrophone", "kTCCServiceCamera"]:
                    device = "microphone" if service == "kTCCServiceMicrophone" else "camera"
                    self.log.info("Found client \"%s\" with access %s to %s on %s by %s",
-                                client, auth_value_desc, device, last_modified, auth_reason_desc)
+                                  client, auth_value_desc, device, last_modified, auth_reason_desc)

                self.results.append({
                    "service": service,
@@ -132,7 +131,7 @@ class TCC(IOSExtraction):
                    if service in ["kTCCServiceMicrophone", "kTCCServiceCamera"]:
                        device = "microphone" if service == "kTCCServiceMicrophone" else "camera"
                        self.log.info("Found client \"%s\" with access %s to %s at %s",
-                                    client, allowed_desc, device, last_modified)
+                                      client, allowed_desc, device, last_modified)
                    self.results.append({
                        "service": service,
                        "client": client,
@@ -145,7 +144,7 @@ class TCC(IOSExtraction):
                    if service in ["kTCCServiceMicrophone", "kTCCServiceCamera"]:
                        device = "microphone" if service == "kTCCServiceMicrophone" else "camera"
                        self.log.info("Found client \"%s\" with access %s to %s",
-                                    client, allowed_desc, device)
+                                      client, allowed_desc, device)
                    self.results.append({
                        "service": service,
                        "client": client,
--- a/mvt/ios/modules/mixed/webkit_resource_load_statistics.py
+++ b/mvt/ios/modules/mixed/webkit_resource_load_statistics.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

@@ -28,7 +28,7 @@ class WebkitResourceLoadStatistics(IOSExtraction):
                         output_folder=output_folder, fast_mode=fast_mode,
                         log=log, results=results)

-        self.results = {}
+        self.results = {} if not results else results

    def check_indicators(self):
        if not self.indicators:
--- a/mvt/ios/modules/mixed/webkit_session_resource_log.py
+++ b/mvt/ios/modules/mixed/webkit_session_resource_log.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

@@ -35,7 +35,7 @@ class WebkitSessionResourceLog(IOSExtraction):
                         output_folder=output_folder, fast_mode=fast_mode,
                         log=log, results=results)

-        self.results = {}
+        self.results = {} if not results else results

    @staticmethod
    def _extract_domains(entries):
--- a/mvt/ios/modules/mixed/whatsapp.py
+++ b/mvt/ios/modules/mixed/whatsapp.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/modules/net_base.py
+++ b/mvt/ios/modules/net_base.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/mvt/ios/versions.py
+++ b/mvt/ios/versions.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

@@ -236,6 +236,7 @@ IPHONE_IOS_VERSIONS = [
    {"build": "19B81", "version": "15.1.1"},
    {"build": "19C56", "version": "15.2"},
    {"build": "19C63", "version": "15.2.1"},
+    {"build": "19D50", "version": "15.3"},
 ]


--- a/setup.py
+++ b/setup.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/tests/artifacts/generate_stix.py
+++ b/tests/artifacts/generate_stix.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

@@ -41,7 +41,7 @@ def generate_test_stix_file(file_path):
        res.append(Relationship(i, "indicates", malware))

    bundle = Bundle(objects=res)
-    with open(file_path, "w+") as f:
+    with open(file_path, "w+", encoding="utf-8") as f:
        f.write(bundle.serialize(pretty=True))


--- a/tests/artifacts/ios_backup/3a/3a47b0981ed7c10f3e2800aa66bac96a3b5db28e
+++ b/tests/artifacts/ios_backup/3a/3a47b0981ed7c10f3e2800aa66bac96a3b5db28e
--- a/tests/common/test_indicators.py
+++ b/tests/common/test_indicators.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/tests/ios/test_backup_info.py
+++ b/tests/ios/test_backup_info.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/tests/ios/test_datausage.py
+++ b/tests/ios/test_datausage.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/tests/ios/test_manifest.py
+++ b/tests/ios/test_manifest.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/tests/ios/test_safari_browserstate.py
+++ b/tests/ios/test_safari_browserstate.py
@@ -0,0 +1,36 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2022 The MVT Project Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import logging
+
+from mvt.common.indicators import Indicators
+from mvt.common.module import run_module
+from mvt.ios.modules.mixed.safari_browserstate import SafariBrowserState
+
+from ..utils import get_backup_folder
+
+
+class TestSafariBrowserStateModule:
+    def test_parsing(self):
+        m = SafariBrowserState(base_folder=get_backup_folder(), log=logging, results=[])
+        m.is_backup = True
+        run_module(m)
+        assert m.file_path is not None
+        assert len(m.results) == 1
+        assert len(m.timeline) == 1
+        assert len(m.detected) == 0
+
+    def test_detection(self, indicator_file):
+        m = SafariBrowserState(base_folder=get_backup_folder(), log=logging, results=[])
+        m.is_backup = True
+        ind = Indicators(log=logging)
+        ind.parse_stix2(indicator_file)
+        # Adds a file that exists in the manifest.
+        ind.ioc_files[0]["domains"].append("en.wikipedia.org")
+        m.indicators = ind
+        run_module(m)
+        assert len(m.detected) == 1
+        assert len(m.results) == 1
+        assert m.results[0]["tab_url"] == "https://en.wikipedia.org/wiki/NSO_Group"
--- a/tests/ios/test_tcc.py
+++ b/tests/ios/test_tcc.py
@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021 The MVT Project Authors.
+# Copyright (c) 2021-2022 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Nex	2d00dca5bd	Bumped version	2022-02-01 12:46:31 +01:00
Nex	c8e50eb958	Merge pull request #244 from dangaffey/patch-1 Update docker.md	2022-02-01 11:54:04 +01:00
Dan Gaffey	1f049fc8ba	Update docker.md Had to run an additional Docker flag to get it building on the new M1 chip from Apple. Figured it would be helpful to point that out in the Docs for the less initiated users.	2022-01-31 20:22:54 -05:00
Nex	434738a306	Better regexp formatting	2022-01-31 13:05:03 +01:00
Nex	06cd640c5e	Using static methods	2022-01-31 12:58:33 +01:00
Nex	fb8a7ca104	Enforce consistency in Android modules	2022-01-31 11:30:49 +01:00
Nex	8d15ff58dd	Renamed matched field name to singular	2022-01-30 20:29:09 +01:00
Nex	eb5f07a75d	Updated copyright notice	2022-01-30 20:15:01 +01:00
Nex	ececf1a6b2	Added module to extract db queries	2022-01-30 19:43:09 +01:00
Nex	851cd52602	Ordering and clean-up	2022-01-30 16:41:32 +01:00
Nex	8db04fc991	Added module to parse battery daily stats package updates	2022-01-30 16:02:24 +01:00
Nex	3d0ba56e1f	Fixed parsing of wake events	2022-01-30 15:20:03 +01:00
Nex	c48a4e8f50	Fixed variable name	2022-01-30 04:12:19 +01:00
Nex	001c2998a5	Removed unnecessary newlines	2022-01-30 04:11:46 +01:00
Nex	5e7c5727af	Added check for indicators to dumpsys modules	2022-01-30 04:08:48 +01:00
Nex	883fbaeb88	Parsing records from accessibility and battery history	2022-01-30 03:44:41 +01:00
Nex	6f0012cede	Removed modules which are only duplicated outputs from dumpsys full	2022-01-30 03:39:26 +01:00
Nex	458e80ccbb	Adding module to process battery history	2022-01-30 03:34:16 +01:00
Nex	c8185fdbd8	Small code clean-ups	2022-01-29 15:13:35 +01:00
Nex	67eea3edec	Merge pull request #241 from yallxe/main Make utf-8 as a default for open()	2022-01-29 14:44:16 +01:00
Yallxe	bc86d159b8	Clear 'debugging' things	2022-01-29 12:28:22 +01:00
Yallxe	43b1612dfe	Set utf-8 as an encoding for open() Not every system uses 'utf-8' as a default encoding for opening files in Python. Before you say that there must be a way to set default encoding in one line, no, there is not. At least, I didn't found a way to do this.	2022-01-29 12:18:18 +01:00
Yallxe	156f1084f1	Add IDEA to gitignore	2022-01-29 12:03:00 +01:00
Nex	49e34f6299	Better parsing of dumpsys package and added parsing of Activities too	2022-01-29 03:50:33 +01:00
Nex	d88a66dd54	Fixed typo	2022-01-29 01:13:52 +01:00
Nex	d3ed778ae4	Fixed comment stylling	2022-01-29 01:13:29 +01:00
tek	4c3306c272	Separate receivers parsing in DumpsysReceivers	2022-01-29 01:06:32 +01:00
Nex	1c912f68fe	Bumped version	2022-01-28 22:25:41 +01:00
Nex	10a640d3f7	Temporary disabing VirusTotal lookup because of API issues	2022-01-28 22:25:21 +01:00
Nex	c3acc95e9e	Bumped version	2022-01-28 20:08:14 +01:00
Nex	90d05336da	Added check for additional outgoing call event	2022-01-28 17:21:28 +01:00
Nex	5513e6e9e3	Ordered imports	2022-01-28 16:36:24 +01:00
Nex	38116f8405	Catching device not found exception	2022-01-28 15:47:50 +01:00
Nex	59b069f006	Added lookups for non-system packages on check-adb too	2022-01-28 12:25:50 +01:00
Nex	28e1348aa7	Added check-iocs command to mvt-android	2022-01-27 18:23:19 +01:00
Nex	034338d1f4	Added iOS 15.3	2022-01-27 17:04:48 +01:00
Nex	09d5eabf2f	Changing check logic for Android settings	2022-01-27 15:24:17 +01:00
Nex	a425d6c511	Added missing comma and ordered imports	2022-01-27 14:56:02 +01:00
Nex	f8897a4f8c	Added more dangerous settings	2022-01-27 14:54:31 +01:00
Nex	86eae68bdb	Added Android settings module	2022-01-27 13:33:06 +01:00
Nex	d2bf348b03	Merge branch 'main' of github.com:mvt-project/mvt	2022-01-27 12:51:14 +01:00
Nex	25c6c03075	Added Getprop module and cleaned Files and Packages Android modules	2022-01-27 12:50:37 +01:00
tek	cf88740f6a	Fixes bugs in SafariBrowserState module and add tests	2022-01-26 14:50:34 +01:00
tek	eb4810b0ad	Fixes bug in parsing of configuration profiles	2022-01-25 20:32:27 +01:00