Mark release 2.4.5 (#436)

Co-authored-by: DonnchaC <DonnchaC@users.noreply.github.com>

.github/workflows/add-issue-to-project.yml

@@ -0,0 +1,19 @@
+name: Add issue to project
+
+on:
+  issues:
+    types:
+      - opened
+      - reopened
+
+jobs:
+  add-to-project:
+    name: Add issue to project
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/add-to-project@v0.5.0
+        with:
+          # You can target a project in a different organization
+          # to the issue
+          project-url: https://github.com/orgs/mvt-project/projects/1
+          github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}

.github/workflows/python-package.yml

@@ -42,7 +42,9 @@ jobs:
     - name: Test with pytest and coverage
       run: pytest --junitxml=pytest.xml --cov-report=term-missing:skip-covered --cov=mvt tests/ | tee pytest-coverage.txt
     - name: Pytest coverage comment
+      continue-on-error: true # Workflows running on a fork can't post comments
       uses: MishaKav/pytest-coverage-comment@main
+      if: github.event_name == 'pull_request'
       with:
         pytest-coverage-path: ./pytest-coverage.txt
-        junitxml-path: ./pytest.xml
+        junitxml-path: ./pytest.xml

.github/workflows/ruff.yml

@@ -16,4 +16,4 @@ jobs:
           pip install --user ruff
       - name: ruff
         run: |
-          ruff --format=github .
+          ruff check --output-format github .

.github/workflows/scripts/update-ios-releases.py

@@ -35,13 +35,20 @@ def parse_latest_ios_versions(rss_feed_text):
             print("Could not parse iOS build:", title)
             continue
 
+        # Handle iOS beta releases
         release_info = build_match.groupdict()
-        if release_info["beta"]:
+        release_beta = release_info.pop("beta")
+        if release_beta:
             print("Skipping beta release:", title)
             continue
 
-        release_info.pop("beta")
-        latest_ios_versions.append(release_info)
+        # Some iOS releases have multiple build number for different hardware models.
+        # We will split these into separate entries and record each build number.
+        build_list = release_info.pop("build")
+        build_variants = build_list.split(" | ")
+        for build_number in build_variants:
+            release_info["build"] = build_number
+            latest_ios_versions.append(release_info)
 
     return latest_ios_versions
 

.readthedocs.yaml

@@ -5,11 +5,15 @@
 # Required
 version: 2
 
+build:
+  os: "ubuntu-22.04"
+  tools:
+    python: "3.11"
+
 mkdocs:
   configuration: mkdocs.yml
 
 # Optionally set the version of Python and requirements required to build your docs
 python:
-   version: 3.7
    install:
    - requirements: docs/requirements.txt

Dockerfile

@@ -57,12 +57,12 @@ RUN git clone https://github.com/libimobiledevice/libplist \
 
 # Installing MVT
 # --------------
-RUN pip3 install mvt
+RUN pip3 install git+https://github.com/mvt-project/mvt.git@main
 
 # Installing ABE
 # --------------
 RUN mkdir /opt/abe \
-  && wget https://github.com/nelenkov/android-backup-extractor/releases/download/20210709062403-4c55371/abe.jar -O /opt/abe/abe.jar \
+  && wget https://github.com/nelenkov/android-backup-extractor/releases/download/master-20221109063121-8fdfc5e/abe.jar -O /opt/abe/abe.jar \
 # Create alias for abe
   && echo 'alias abe="java -jar /opt/abe/abe.jar"' >> ~/.bashrc
 

README.md

@@ -11,7 +11,7 @@
 
 Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.
 
-It has been developed and released by the [Amnesty International Security Lab](https://www.amnesty.org/en/tech/) in July 2021 in the context of the [Pegasus Project](https://forbiddenstories.org/about-the-pegasus-project/) along with [a technical forensic methodology](https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/). It continues to be maintained by Amnesty International and other contributors.
+It has been developed and released by the [Amnesty International Security Lab](https://securitylab.amnesty.org) in July 2021 in the context of the [Pegasus Project](https://forbiddenstories.org/about-the-pegasus-project/) along with [a technical forensic methodology](https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/). It continues to be maintained by Amnesty International and other contributors.
 
 > **Note**
 > MVT is a forensic research tool intended for technologists and investigators. It requires understanding digital forensics and using command-line tools. This is not intended for end-user self-assessment. If you are concerned with the security of your device please seek reputable expert assistance.
@@ -32,7 +32,7 @@ More information about using indicators of compromise with MVT is available in t
 
 ## Installation
 
-MVT can be installed from sources or from [PyPi](https://pypi.org/project/mvt/) (you will need some dependencies, check the [documentation](https://docs.mvt.re/en/latest/install/)):
+MVT can be installed from sources or from [PyPI](https://pypi.org/project/mvt/) (you will need some dependencies, check the [documentation](https://docs.mvt.re/en/latest/install/)):
 
 ```
 pip3 install mvt

docs/index.md

@@ -6,7 +6,7 @@
 
 Mobile Verification Toolkit (MVT) is a tool to facilitate the [consensual forensic analysis](introduction.md#consensual-forensics) of Android and iOS devices, for the purpose of identifying traces of compromise.
 
-It has been developed and released by the [Amnesty International Security Lab](https://www.amnesty.org/en/tech/) in July 2021 in the context of the [Pegasus Project](https://forbiddenstories.org/about-the-pegasus-project/) along with [a technical forensic methodology](https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/). It continues to be maintained by Amnesty International and other contributors.
+It has been developed and released by the [Amnesty International Security Lab](https://securitylab.amnesty.org) in July 2021 in the context of the [Pegasus Project](https://forbiddenstories.org/about-the-pegasus-project/) along with [a technical forensic methodology](https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/). It continues to be maintained by Amnesty International and other contributors.
 
 
 In this documentation you will find instructions on how to install and run the `mvt-ios` and `mvt-android` commands, and guidance on how to interpret the extracted results.

docs/install.md

@@ -42,13 +42,13 @@ It is recommended to try installing and running MVT from [Windows Subsystem Linu
 
 ## Installing MVT
 
-If you haven't done so, you can add this to your `.bashrc` or `.zshrc` file in order to add locally installed Pypi binaries to your `$PATH`:
+If you haven't done so, you can add this to your `.bashrc` or `.zshrc` file in order to add locally installed PyPI binaries to your `$PATH`:
 
 ```bash
 export PATH=$PATH:~/.local/bin
 ```
 
-Then you can install MVT directly from [pypi](https://pypi.org/project/mvt/)
+Then you can install MVT directly from [PyPI](https://pypi.org/project/mvt/)
 
 ```bash
 pip3 install mvt

docs/introduction.md

@@ -21,7 +21,7 @@ MVT supports using [indicators of compromise (IOCs)](https://github.com/mvt-proj
 
     Reliable and comprehensive digital forensic support and triage requires access to non-public indicators, research and threat intelligence.
 
-    Such support is available to civil society through [Amnesty International's Security Lab](https://www.amnesty.org/en/tech/) or [Access Now’s Digital Security Helpline](https://www.accessnow.org/help/).
+    Such support is available to civil society through [Amnesty International's Security Lab](https://securitylab.amnesty.org/contact-us/) or [Access Now’s Digital Security Helpline](https://www.accessnow.org/help/).
 
 More information about using indicators of compromise with MVT is available in the [documentation](iocs.md).
 

docs/ios/backup/itunes.md

@@ -10,7 +10,7 @@ To do that:
 4. If you want to have a more accurate detection, ensure that the encrypted backup option is activated and choose a secure password for the backup.
 5. Start the backup and wait for it to finish (this may take up to 30 minutes).
 
-![](../../../img/macos-backup.jpg)
+![](../../img/macos-backup.jpg)
 _Source: [Apple Support](https://support.apple.com/en-us/HT211229)_
 
 Once the backup is done, find its location and copy it to a place where it can be analyzed by MVT. On Windows, the backup can be stored either in `%USERPROFILE%\Apple\MobileSync\` or `%USERPROFILE%\AppData\Roaming\Apple Computer\MobileSync\`. On macOS, the backup is stored in `~/Library/Application Support/MobileSync/`.
@@ -25,13 +25,13 @@ On more recent MacOS versions, this feature is included in Finder. To do a backu
 4. In the General tab, select `Back up all the data on your iPhone to this Mac` from the options under the Backups section.
 5. Check the box that says `Encrypt local backup`. If it is your first time selecting this option, you may need to enter a password to encrypt the backup.
 
-![](../../../img/macos-backup2.png)
+![](../../img/macos-backup2.png)
 _Source: [Apple Support](https://support.apple.com/en-us/HT211229)_
 
 6. Click `Back Up Now` to start the back-up process.
 7. The encrypted backup for your iPhone should now start. Once the process finishes, you can check the backup by opening `Finder`, clicking on the `General` tab, then click on `Manage Backups`. Now you should see a list of your backups like the image below:
 
-![](../../../img/macos-backups.png)
+![](../../img/macos-backups.png)
 _Source: [Apple Support](https://support.apple.com/en-us/HT211229)_
 
 If your backup has a lock next to it like in the image above, then the backup is encrypted. You should also see the date and time when the encrypted backup was created. The backup files are stored in `~/Library/Application Support/MobileSync/`.

docs/ios/records.md

@@ -142,6 +142,16 @@ If indicators are provided through the command-line, they are checked against th
 
 ---
 
+### `global_preferences.json`
+
+!!! info "Availability"
+    Backup: :material-check:
+    Full filesystem dump: :material-check:
+
+This JSON file is created by mvt-ios' `GlobalPreferences` module. The module extracts records from a Plist file located at */private/var/mobile/Library/Preferences/.GlobalPreferences.plist*, which contains a system preferences including if Lockdown Mode is enabled.
+
+---
+
 ### `id_status_cache.json`
 
 !!! info "Availability"

mvt/__init__.py

@@ -1,4 +1,4 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

mvt/android/__init__.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/artifacts/__init__.py

@@ -0,0 +1,4 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 The MVT Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/

mvt/android/artifacts/artifact.py

@@ -1,9 +1,36 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
+
 from mvt.common.artifact import Artifact
 
 
 class AndroidArtifact(Artifact):
-    pass
+    @staticmethod
+    def extract_dumpsys_section(dumpsys: str, separator: str) -> str:
+        """
+        Extract a section from a full dumpsys file.
+
+        :param dumpsys: content of the full dumpsys file (string)
+        :param separator: content of the first line separator (string)
+        :return: section extracted (string)
+        """
+        lines = []
+        in_section = False
+        for line in dumpsys.splitlines():
+            if line.strip() == separator:
+                in_section = True
+                continue
+
+            if not in_section:
+                continue
+
+            if line.strip().startswith(
+                "------------------------------------------------------------------------------"
+            ):
+                break
+
+            lines.append(line)
+
+        return "\n".join(lines)

mvt/android/artifacts/dumpsys_accessibility.py

@@ -0,0 +1,47 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 The MVT Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+from .artifact import AndroidArtifact
+
+
+class DumpsysAccessibilityArtifact(AndroidArtifact):
+    def check_indicators(self) -> None:
+        if not self.indicators:
+            return
+
+        for result in self.results:
+            ioc = self.indicators.check_app_id(result["package_name"])
+            if ioc:
+                result["matched_indicator"] = ioc
+                self.detected.append(result)
+                continue
+
+    def parse(self, content: str) -> None:
+        """
+        Parse the Dumpsys Accessibility section/
+        Adds results to self.results (List[Dict[str, str]])
+
+        :param content: content of the accessibility section (string)
+        """
+        in_services = False
+        for line in content.splitlines():
+            if line.strip().startswith("installed services:"):
+                in_services = True
+                continue
+
+            if not in_services:
+                continue
+
+            if line.strip() == "}":
+                break
+
+            service = line.split(":")[1].strip()
+
+            self.results.append(
+                {
+                    "package_name": service.split("/")[0],
+                    "service": service,
+                }
+            )

mvt/android/artifacts/dumpsys_appops.py

@@ -0,0 +1,150 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 The MVT Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+from datetime import datetime
+from typing import Any, Dict, List, Union
+
+from mvt.common.utils import convert_datetime_to_iso
+
+from .artifact import AndroidArtifact
+
+
+class DumpsysAppopsArtifact(AndroidArtifact):
+    """
+    Parser for dumpsys app ops info
+    """
+
+    def serialize(self, record: dict) -> Union[dict, list]:
+        records = []
+        for perm in record["permissions"]:
+            if "entries" not in perm:
+                continue
+
+            for entry in perm["entries"]:
+                if "timestamp" in entry:
+                    records.append(
+                        {
+                            "timestamp": entry["timestamp"],
+                            "module": self.__class__.__name__,
+                            "event": entry["access"],
+                            "data": f"{record['package_name']} access to "
+                            f"{perm['name']}: {entry['access']}",
+                        }
+                    )
+
+        return records
+
+    def check_indicators(self) -> None:
+        for result in self.results:
+            if self.indicators:
+                ioc = self.indicators.check_app_id(result.get("package_name"))
+                if ioc:
+                    result["matched_indicator"] = ioc
+                    self.detected.append(result)
+                    continue
+
+            for perm in result["permissions"]:
+                if (
+                    perm["name"] == "REQUEST_INSTALL_PACKAGES"
+                    and perm["access"] == "allow"
+                ):
+                    self.log.info(
+                        "Package %s with REQUEST_INSTALL_PACKAGES " "permission",
+                        result["package_name"],
+                    )
+
+    def parse(self, output: str) -> None:
+        self.results: List[Dict[str, Any]] = []
+        perm = {}
+        package = {}
+        entry = {}
+        uid = None
+        in_packages = False
+
+        for line in output.splitlines():
+            if line.startswith("  Uid 0:"):
+                in_packages = True
+
+            if not in_packages:
+                continue
+
+            if line.startswith("  Uid "):
+                uid = line[6:-1]
+                if entry:
+                    perm["entries"].append(entry)
+                    entry = {}
+                if package:
+                    if perm:
+                        package["permissions"].append(perm)
+
+                    perm = {}
+                    self.results.append(package)
+                package = {}
+                continue
+
+            if line.startswith("    Package "):
+                if entry:
+                    perm["entries"].append(entry)
+                    entry = {}
+
+                if package:
+                    if perm:
+                        package["permissions"].append(perm)
+
+                    perm = {}
+                    self.results.append(package)
+
+                package = {
+                    "package_name": line[12:-1],
+                    "permissions": [],
+                    "uid": uid,
+                }
+                continue
+
+            if package and line.startswith("      ") and line[6] != " ":
+                if entry:
+                    perm["entries"].append(entry)
+                    entry = {}
+                if perm:
+                    package["permissions"].append(perm)
+                    perm = {}
+
+                perm["name"] = line.split()[0]
+                perm["entries"] = []
+                if len(line.split()) > 1:
+                    perm["access"] = line.split()[1][1:-2]
+
+                continue
+
+            if line.startswith("          "):
+                # Permission entry like:
+                # Reject: [fg-s]2021-05-19 22:02:52.054 (-314d1h25m2s33ms)
+                if entry:
+                    perm["entries"].append(entry)
+                    entry = {}
+
+                entry["access"] = line.split(":")[0].strip()
+                entry["type"] = line[line.find("[") + 1 : line.find("]")]
+
+                try:
+                    entry["timestamp"] = convert_datetime_to_iso(
+                        datetime.strptime(
+                            line[line.find("]") + 1 : line.find("(")].strip(),
+                            "%Y-%m-%d %H:%M:%S.%f",
+                        )
+                    )
+                except ValueError:
+                    # Invalid date format
+                    pass
+
+            if line.strip() == "":
+                break
+
+        if entry:
+            perm["entries"].append(entry)
+        if perm:
+            package["permissions"].append(perm)
+        if package:
+            self.results.append(package)

mvt/android/artifacts/dumpsys_battery_daily.py

@@ -0,0 +1,78 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 The MVT Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+from typing import Union
+
+from .artifact import AndroidArtifact
+
+
+class DumpsysBatteryDailyArtifact(AndroidArtifact):
+    """
+    Parser for dumpsys dattery daily updates.
+    """
+
+    def serialize(self, record: dict) -> Union[dict, list]:
+        return {
+            "timestamp": record["from"],
+            "module": self.__class__.__name__,
+            "event": "battery_daily",
+            "data": f"Recorded update of package {record['package_name']} "
+            f"with vers {record['vers']}",
+        }
+
+    def check_indicators(self) -> None:
+        if not self.indicators:
+            return
+
+        for result in self.results:
+            ioc = self.indicators.check_app_id(result["package_name"])
+            if ioc:
+                result["matched_indicator"] = ioc
+                self.detected.append(result)
+                continue
+
+    def parse(self, output: str) -> None:
+        daily = None
+        daily_updates = []
+        for line in output.splitlines():
+            if line.startswith("  Daily from "):
+                if len(daily_updates) > 0:
+                    self.results.extend(daily_updates)
+                    daily_updates = []
+
+                timeframe = line[13:].strip()
+                date_from, date_to = timeframe.strip(":").split(" to ", 1)
+                daily = {"from": date_from[0:10], "to": date_to[0:10]}
+                continue
+
+            if not daily:
+                continue
+
+            if not line.strip().startswith("Update "):
+                continue
+
+            line = line.strip().replace("Update ", "")
+            package_name, vers = line.split(" ", 1)
+            vers_nr = vers.split("=", 1)[1]
+
+            already_seen = False
+            for update in daily_updates:
+                if package_name == update["package_name"] and vers_nr == update["vers"]:
+                    already_seen = True
+                    break
+
+            if not already_seen:
+                daily_updates.append(
+                    {
+                        "action": "update",
+                        "from": daily["from"],
+                        "to": daily["to"],
+                        "package_name": package_name,
+                        "vers": vers_nr,
+                    }
+                )
+
+        if len(daily_updates) > 0:
+            self.results.extend(daily_updates)

mvt/android/artifacts/dumpsys_battery_history.py

@@ -0,0 +1,78 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 The MVT Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+from .artifact import AndroidArtifact
+
+
+class DumpsysBatteryHistoryArtifact(AndroidArtifact):
+    """
+    Parser for dumpsys dattery history events.
+    """
+
+    def check_indicators(self) -> None:
+        if not self.indicators:
+            return
+
+        for result in self.results:
+            ioc = self.indicators.check_app_id(result["package_name"])
+            if ioc:
+                result["matched_indicator"] = ioc
+                self.detected.append(result)
+                continue
+
+    def parse(self, data: str) -> None:
+        for line in data.splitlines():
+            if line.startswith("Battery History "):
+                continue
+
+            if line.strip() == "":
+                break
+
+            time_elapsed = line.strip().split(" ", 1)[0]
+
+            event = ""
+            if line.find("+job") > 0:
+                event = "start_job"
+                uid = line[line.find("+job") + 5 : line.find(":")]
+                service = line[line.find(":") + 1 :].strip('"')
+                package_name = service.split("/")[0]
+            elif line.find("-job") > 0:
+                event = "end_job"
+                uid = line[line.find("-job") + 5 : line.find(":")]
+                service = line[line.find(":") + 1 :].strip('"')
+                package_name = service.split("/")[0]
+            elif line.find("+running +wake_lock=") > 0:
+                uid = line[line.find("+running +wake_lock=") + 21 : line.find(":")]
+                event = "wake"
+                service = (
+                    line[line.find("*walarm*:") + 9 :].split(" ")[0].strip('"').strip()
+                )
+                if service == "" or "/" not in service:
+                    continue
+
+                package_name = service.split("/")[0]
+            elif (line.find("+top=") > 0) or (line.find("-top") > 0):
+                if line.find("+top=") > 0:
+                    event = "start_top"
+                    top_pos = line.find("+top=")
+                else:
+                    event = "end_top"
+                    top_pos = line.find("-top=")
+                colon_pos = top_pos + line[top_pos:].find(":")
+                uid = line[top_pos + 5 : colon_pos]
+                service = ""
+                package_name = line[colon_pos + 1 :].strip('"')
+            else:
+                continue
+
+            self.results.append(
+                {
+                    "time_elapsed": time_elapsed,
+                    "event": event,
+                    "uid": uid,
+                    "package_name": package_name,
+                    "service": service,
+                }
+            )

mvt/android/artifacts/dumpsys_dbinfo.py

@@ -0,0 +1,83 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 The MVT Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import re
+
+from .artifact import AndroidArtifact
+
+
+class DumpsysDBInfoArtifact(AndroidArtifact):
+    """
+    Parser for dumpsys DBInfo service
+    """
+
+    def check_indicators(self) -> None:
+        if not self.indicators:
+            return
+
+        for result in self.results:
+            path = result.get("path", "")
+            for part in path.split("/"):
+                ioc = self.indicators.check_app_id(part)
+                if ioc:
+                    result["matched_indicator"] = ioc
+                    self.detected.append(result)
+                    continue
+
+    def parse(self, output: str) -> None:
+        rxp = re.compile(
+            r".*\[([0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3})\].*\[Pid:\((\d+)\)\](\w+).*sql\=\"(.+?)\""
+        )  # pylint: disable=line-too-long
+        rxp_no_pid = re.compile(
+            r".*\[([0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3})\][ ]{1}(\w+).*sql\=\"(.+?)\""
+        )  # pylint: disable=line-too-long
+
+        pool = None
+        in_operations = False
+        for line in output.splitlines():
+            if line.startswith("Connection pool for "):
+                pool = line.replace("Connection pool for ", "").rstrip(":")
+
+            if not pool:
+                continue
+
+            if line.strip() == "Most recently executed operations:":
+                in_operations = True
+                continue
+
+            if not in_operations:
+                continue
+
+            if not line.startswith("        "):
+                in_operations = False
+                pool = None
+                continue
+
+            matches = rxp.findall(line)
+            if not matches:
+                matches = rxp_no_pid.findall(line)
+                if not matches:
+                    continue
+
+                match = matches[0]
+                self.results.append(
+                    {
+                        "isodate": match[0],
+                        "action": match[1],
+                        "sql": match[2],
+                        "path": pool,
+                    }
+                )
+            else:
+                match = matches[0]
+                self.results.append(
+                    {
+                        "isodate": match[0],
+                        "pid": match[1],
+                        "action": match[2],
+                        "sql": match[3],
+                        "path": pool,
+                    }
+                )

mvt/android/artifacts/dumpsys_package_activities.py

@@ -0,0 +1,84 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 The MVT Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+from .artifact import AndroidArtifact
+
+
+class DumpsysPackageActivitiesArtifact(AndroidArtifact):
+    def check_indicators(self) -> None:
+        if not self.indicators:
+            return
+
+        for activity in self.results:
+            ioc = self.indicators.check_app_id(activity["package_name"])
+            if ioc:
+                activity["matched_indicator"] = ioc
+                self.detected.append(activity)
+                continue
+
+    def parse(self, content: str):
+        """
+        Parse the Dumpsys Package section for activities
+        Adds results to self.results
+
+        :param content: content of the package section (string)
+        """
+        self.results = []
+
+        in_activity_resolver_table = False
+        in_non_data_actions = False
+        intent = None
+        for line in content.splitlines():
+            if line.startswith("Activity Resolver Table:"):
+                in_activity_resolver_table = True
+                continue
+
+            if not in_activity_resolver_table:
+                continue
+
+            if line.startswith("  Non-Data Actions:"):
+                in_non_data_actions = True
+                continue
+
+            if not in_non_data_actions:
+                continue
+
+            # If we hit an empty line, the Non-Data Actions section should be
+            # finished.
+            if line.strip() == "":
+                break
+
+            # We detect the action name.
+            if (
+                line.startswith(" " * 6)
+                and not line.startswith(" " * 8)
+                and ":" in line
+            ):
+                intent = line.strip().replace(":", "")
+                continue
+
+            # If we are not in an intent block yet, skip.
+            if not intent:
+                continue
+
+            # If we are in a block but the line does not start with 8 spaces
+            # it means the block ended a new one started, so we reset and
+            # continue.
+            if not line.startswith(" " * 8):
+                intent = None
+                continue
+
+            # If we got this far, we are processing receivers for the
+            # activities we are interested in.
+            activity = line.strip().split(" ")[1]
+            package_name = activity.split("/")[0]
+
+            self.results.append(
+                {
+                    "intent": intent,
+                    "package_name": package_name,
+                    "activity": activity,
+                }
+            )

mvt/android/artifacts/dumpsys_receivers.py

@@ -0,0 +1,116 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 The MVT Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+from .artifact import AndroidArtifact
+
+INTENT_NEW_OUTGOING_SMS = "android.provider.Telephony.NEW_OUTGOING_SMS"
+INTENT_SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
+INTENT_DATA_SMS_RECEIVED = "android.intent.action.DATA_SMS_RECEIVED"
+INTENT_PHONE_STATE = "android.intent.action.PHONE_STATE"
+INTENT_NEW_OUTGOING_CALL = "android.intent.action.NEW_OUTGOING_CALL"
+
+
+class DumpsysReceiversArtifact(AndroidArtifact):
+    """
+    Parser for dumpsys receivers in the package section
+    """
+
+    def check_indicators(self) -> None:
+        for intent, receivers in self.results.items():
+            for receiver in receivers:
+                if intent == INTENT_NEW_OUTGOING_SMS:
+                    self.log.info(
+                        'Found a receiver to intercept outgoing SMS messages: "%s"',
+                        receiver["receiver"],
+                    )
+                elif intent == INTENT_SMS_RECEIVED:
+                    self.log.info(
+                        'Found a receiver to intercept incoming SMS messages: "%s"',
+                        receiver["receiver"],
+                    )
+                elif intent == INTENT_DATA_SMS_RECEIVED:
+                    self.log.info(
+                        'Found a receiver to intercept incoming data SMS message: "%s"',
+                        receiver["receiver"],
+                    )
+                elif intent == INTENT_PHONE_STATE:
+                    self.log.info(
+                        "Found a receiver monitoring "
+                        'telephony state/incoming calls: "%s"',
+                        receiver["receiver"],
+                    )
+                elif intent == INTENT_NEW_OUTGOING_CALL:
+                    self.log.info(
+                        'Found a receiver monitoring outgoing calls: "%s"',
+                        receiver["receiver"],
+                    )
+
+                if not self.indicators:
+                    continue
+
+                ioc = self.indicators.check_app_id(receiver["package_name"])
+                if ioc:
+                    receiver["matched_indicator"] = ioc
+                    self.detected.append({intent: receiver})
+                    continue
+
+    def parse(self, output: str) -> None:
+        self.results = {}
+
+        in_receiver_resolver_table = False
+        in_non_data_actions = False
+        intent = None
+        for line in output.splitlines():
+            if line.startswith("Receiver Resolver Table:"):
+                in_receiver_resolver_table = True
+                continue
+
+            if not in_receiver_resolver_table:
+                continue
+
+            if line.startswith("  Non-Data Actions:"):
+                in_non_data_actions = True
+                continue
+
+            if not in_non_data_actions:
+                continue
+
+            # If we hit an empty line, the Non-Data Actions section should be
+            # finished.
+            if line.strip() == "":
+                break
+
+            # We detect the action name.
+            if (
+                line.startswith(" " * 6)
+                and not line.startswith(" " * 8)
+                and ":" in line
+            ):
+                intent = line.strip().replace(":", "")
+                self.results[intent] = []
+                continue
+
+            # If we are not in an intent block yet, skip.
+            if not intent:
+                continue
+
+            # If we are in a block but the line does not start with 8 spaces
+            # it means the block ended a new one started, so we reset and
+            # continue.
+            if not line.startswith(" " * 8):
+                intent = None
+                continue
+
+            # If we got this far, we are processing receivers for the
+            # activities we are interested in.
+            receiver = line.strip().split(" ")[1]
+            package_name = receiver.split("/")[0]
+
+            self.results[intent].append(
+                {
+                    "package_name": package_name,
+                    "receiver": receiver,
+                }
+            )

mvt/android/artifacts/getprop.py

@@ -1,7 +1,8 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
+
 import re
 from typing import Dict, List
 

mvt/android/artifacts/processes.py

@@ -1,7 +1,8 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
+
 from .artifact import AndroidArtifact
 
 

mvt/android/artifacts/settings.py

@@ -1,7 +1,8 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
+
 from .artifact import AndroidArtifact
 
 ANDROID_DANGEROUS_SETTINGS = [

mvt/android/cli.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/cmd_check_adb.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/cmd_check_androidqf.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/cmd_check_backup.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/cmd_check_bugreport.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/cmd_download_apks.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/__init__.py

@@ -1,4 +1,4 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

mvt/android/modules/adb/__init__.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/base.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/chrome_history.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/dumpsys_accessibility.py

@@ -1,17 +1,17 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
 from typing import Optional
 
-from mvt.android.parsers import parse_dumpsys_accessibility
+from mvt.android.artifacts.dumpsys_accessibility import DumpsysAccessibilityArtifact
 
 from .base import AndroidExtraction
 
 
-class DumpsysAccessibility(AndroidExtraction):
+class DumpsysAccessibility(DumpsysAccessibilityArtifact, AndroidExtraction):
     """This module extracts stats on accessibility."""
 
     def __init__(
@@ -32,23 +32,12 @@ class DumpsysAccessibility(AndroidExtraction):
             results=results,
         )
 
-    def check_indicators(self) -> None:
-        if not self.indicators:
-            return
-
-        for result in self.results:
-            ioc = self.indicators.check_app_id(result["package_name"])
-            if ioc:
-                result["matched_indicator"] = ioc
-                self.detected.append(result)
-                continue
-
     def run(self) -> None:
         self._adb_connect()
         output = self._adb_command("dumpsys accessibility")
         self._adb_disconnect()
 
-        self.results = parse_dumpsys_accessibility(output)
+        self.parse(output)
 
         for result in self.results:
             self.log.info(

mvt/android/modules/adb/dumpsys_activities.py

@@ -1,17 +1,19 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
 from typing import Optional
 
-from mvt.android.parsers import parse_dumpsys_activity_resolver_table
+from mvt.android.artifacts.dumpsys_package_activities import (
+    DumpsysPackageActivitiesArtifact,
+)
 
 from .base import AndroidExtraction
 
 
-class DumpsysActivities(AndroidExtraction):
+class DumpsysActivities(DumpsysPackageActivitiesArtifact, AndroidExtraction):
     """This module extracts details on receivers for risky activities."""
 
     def __init__(
@@ -32,25 +34,12 @@ class DumpsysActivities(AndroidExtraction):
             results=results,
         )
 
-        self.results = results if results else {}
-
-    def check_indicators(self) -> None:
-        if not self.indicators:
-            return
-
-        for intent, activities in self.results.items():
-            for activity in activities:
-                ioc = self.indicators.check_app_id(activity["package_name"])
-                if ioc:
-                    activity["matched_indicator"] = ioc
-                    self.detected.append({intent: activity})
-                    continue
+        self.results = results if results else []
 
     def run(self) -> None:
         self._adb_connect()
         output = self._adb_command("dumpsys package")
         self._adb_disconnect()
+        self.parse(output)
 
-        self.results = parse_dumpsys_activity_resolver_table(output)
-
-        self.log.info("Extracted activities for %d intents", len(self.results))
+        self.log.info("Extracted %d package activities", len(self.results))

mvt/android/modules/adb/dumpsys_appops.py

@@ -1,17 +1,17 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
-from typing import Optional, Union
+from typing import Optional
 
-from mvt.android.parsers.dumpsys import parse_dumpsys_appops
+from mvt.android.artifacts.dumpsys_appops import DumpsysAppopsArtifact
 
 from .base import AndroidExtraction
 
 
-class DumpsysAppOps(AndroidExtraction):
+class DumpsysAppOps(DumpsysAppopsArtifact, AndroidExtraction):
     """This module extracts records from App-op Manager."""
 
     slug = "dumpsys_appops"
@@ -34,51 +34,12 @@ class DumpsysAppOps(AndroidExtraction):
             results=results,
         )
 
-    def serialize(self, record: dict) -> Union[dict, list]:
-        records = []
-        for perm in record["permissions"]:
-            if "entries" not in perm:
-                continue
-
-            for entry in perm["entries"]:
-                if "timestamp" in entry:
-                    records.append(
-                        {
-                            "timestamp": entry["timestamp"],
-                            "module": self.__class__.__name__,
-                            "event": entry["access"],
-                            "data": f"{record['package_name']} access to "
-                            f"{perm['name']}: {entry['access']}",
-                        }
-                    )
-
-        return records
-
-    def check_indicators(self) -> None:
-        for result in self.results:
-            if self.indicators:
-                ioc = self.indicators.check_app_id(result.get("package_name"))
-                if ioc:
-                    result["matched_indicator"] = ioc
-                    self.detected.append(result)
-                    continue
-
-            for perm in result["permissions"]:
-                if (
-                    perm["name"] == "REQUEST_INSTALL_PACKAGES"
-                    and perm["access"] == "allow"
-                ):
-                    self.log.info(
-                        "Package %s with REQUEST_INSTALL_PACKAGES " "permission",
-                        result["package_name"],
-                    )
-
     def run(self) -> None:
         self._adb_connect()
         output = self._adb_command("dumpsys appops")
         self._adb_disconnect()
 
-        self.results = parse_dumpsys_appops(output)
+        self.parse(output)
 
         self.log.info(
             "Extracted a total of %d records from app-ops manager", len(self.results)

mvt/android/modules/adb/dumpsys_battery_daily.py

@@ -1,17 +1,17 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
-from typing import Optional, Union
+from typing import Optional
 
-from mvt.android.parsers import parse_dumpsys_battery_daily
+from mvt.android.artifacts.dumpsys_battery_daily import DumpsysBatteryDailyArtifact
 
 from .base import AndroidExtraction
 
 
-class DumpsysBatteryDaily(AndroidExtraction):
+class DumpsysBatteryDaily(DumpsysBatteryDailyArtifact, AndroidExtraction):
     """This module extracts records from battery daily updates."""
 
     def __init__(
@@ -32,32 +32,12 @@ class DumpsysBatteryDaily(AndroidExtraction):
             results=results,
         )
 
-    def serialize(self, record: dict) -> Union[dict, list]:
-        return {
-            "timestamp": record["from"],
-            "module": self.__class__.__name__,
-            "event": "battery_daily",
-            "data": f"Recorded update of package {record['package_name']} "
-            f"with vers {record['vers']}",
-        }
-
-    def check_indicators(self) -> None:
-        if not self.indicators:
-            return
-
-        for result in self.results:
-            ioc = self.indicators.check_app_id(result["package_name"])
-            if ioc:
-                result["matched_indicator"] = ioc
-                self.detected.append(result)
-                continue
-
     def run(self) -> None:
         self._adb_connect()
         output = self._adb_command("dumpsys batterystats --daily")
         self._adb_disconnect()
 
-        self.results = parse_dumpsys_battery_daily(output)
+        self.parse(output)
 
         self.log.info(
             "Extracted %d records from battery daily stats", len(self.results)

mvt/android/modules/adb/dumpsys_battery_history.py

@@ -1,17 +1,17 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
 from typing import Optional
 
-from mvt.android.parsers import parse_dumpsys_battery_history
+from mvt.android.artifacts.dumpsys_battery_history import DumpsysBatteryHistoryArtifact
 
 from .base import AndroidExtraction
 
 
-class DumpsysBatteryHistory(AndroidExtraction):
+class DumpsysBatteryHistory(DumpsysBatteryHistoryArtifact, AndroidExtraction):
     """This module extracts records from battery history events."""
 
     def __init__(
@@ -32,22 +32,11 @@ class DumpsysBatteryHistory(AndroidExtraction):
             results=results,
         )
 
-    def check_indicators(self) -> None:
-        if not self.indicators:
-            return
-
-        for result in self.results:
-            ioc = self.indicators.check_app_id(result["package_name"])
-            if ioc:
-                result["matched_indicator"] = ioc
-                self.detected.append(result)
-                continue
-
     def run(self) -> None:
         self._adb_connect()
         output = self._adb_command("dumpsys batterystats --history")
         self._adb_disconnect()
 
-        self.results = parse_dumpsys_battery_history(output)
+        self.parse(output)
 
         self.log.info("Extracted %d records from battery history", len(self.results))

mvt/android/modules/adb/dumpsys_dbinfo.py

@@ -1,17 +1,17 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
 from typing import Optional
 
-from mvt.android.parsers import parse_dumpsys_dbinfo
+from mvt.android.artifacts.dumpsys_dbinfo import DumpsysDBInfoArtifact
 
 from .base import AndroidExtraction
 
 
-class DumpsysDBInfo(AndroidExtraction):
+class DumpsysDBInfo(DumpsysDBInfoArtifact, AndroidExtraction):
     """This module extracts records from battery daily updates."""
 
     slug = "dumpsys_dbinfo"
@@ -34,25 +34,12 @@ class DumpsysDBInfo(AndroidExtraction):
             results=results,
         )
 
-    def check_indicators(self) -> None:
-        if not self.indicators:
-            return
-
-        for result in self.results:
-            path = result.get("path", "")
-            for part in path.split("/"):
-                ioc = self.indicators.check_app_id(part)
-                if ioc:
-                    result["matched_indicator"] = ioc
-                    self.detected.append(result)
-                    continue
-
     def run(self) -> None:
         self._adb_connect()
         output = self._adb_command("dumpsys dbinfo")
         self._adb_disconnect()
 
-        self.results = parse_dumpsys_dbinfo(output)
+        self.parse(output)
 
         self.log.info(
             "Extracted a total of %d records from database information",

mvt/android/modules/adb/dumpsys_full.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/dumpsys_receivers.py

@@ -1,23 +1,17 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
 from typing import Optional
 
-from mvt.android.parsers import parse_dumpsys_receiver_resolver_table
+from mvt.android.artifacts.dumpsys_receivers import DumpsysReceiversArtifact
 
 from .base import AndroidExtraction
 
-INTENT_NEW_OUTGOING_SMS = "android.provider.Telephony.NEW_OUTGOING_SMS"
-INTENT_SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
-INTENT_DATA_SMS_RECEIVED = "android.intent.action.DATA_SMS_RECEIVED"
-INTENT_PHONE_STATE = "android.intent.action.PHONE_STATE"
-INTENT_NEW_OUTGOING_CALL = "android.intent.action.NEW_OUTGOING_CALL"
 
-
-class DumpsysReceivers(AndroidExtraction):
+class DumpsysReceivers(DumpsysReceiversArtifact, AndroidExtraction):
     """This module extracts details on receivers for risky activities."""
 
     def __init__(
@@ -40,49 +34,11 @@ class DumpsysReceivers(AndroidExtraction):
 
         self.results = results if results else {}
 
-    def check_indicators(self) -> None:
-        if not self.indicators:
-            return
-
-        for intent, receivers in self.results.items():
-            for receiver in receivers:
-                if intent == INTENT_NEW_OUTGOING_SMS:
-                    self.log.info(
-                        'Found a receiver to intercept outgoing SMS messages: "%s"',
-                        receiver["receiver"],
-                    )
-                elif intent == INTENT_SMS_RECEIVED:
-                    self.log.info(
-                        'Found a receiver to intercept incoming SMS messages: "%s"',
-                        receiver["receiver"],
-                    )
-                elif intent == INTENT_DATA_SMS_RECEIVED:
-                    self.log.info(
-                        'Found a receiver to intercept incoming data SMS message: "%s"',
-                        receiver["receiver"],
-                    )
-                elif intent == INTENT_PHONE_STATE:
-                    self.log.info(
-                        "Found a receiver monitoring "
-                        'telephony state/incoming calls: "%s"',
-                        receiver["receiver"],
-                    )
-                elif intent == INTENT_NEW_OUTGOING_CALL:
-                    self.log.info(
-                        'Found a receiver monitoring outgoing calls: "%s"',
-                        receiver["receiver"],
-                    )
-
-                ioc = self.indicators.check_app_id(receiver["package_name"])
-                if ioc:
-                    receiver["matched_indicator"] = ioc
-                    self.detected.append({intent: receiver})
-                    continue
-
     def run(self) -> None:
         self._adb_connect()
 
         output = self._adb_command("dumpsys package")
-        self.results = parse_dumpsys_receiver_resolver_table(output)
+        self.parse(output)
 
         self._adb_disconnect()
+        self.log.info("Extracted receivers for %d intents", len(self.results))

mvt/android/modules/adb/files.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/getprop.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/logcat.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/packages.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -105,6 +105,7 @@ class Packages(AndroidExtraction):
             log=log,
             results=results,
         )
+        self._user_needed = False
 
     def serialize(self, record: dict) -> Union[dict, list]:
         records = []
@@ -236,7 +237,10 @@ class Packages(AndroidExtraction):
         return parse_dumpsys_package_for_details("\n".join(lines))
 
     def _get_files_for_package(self, package_name: str) -> list:
-        output = self._adb_command(f"pm path {package_name}")
+        command = f"pm path {package_name}"
+        if self._user_needed:
+            command += " --user 0"
+        output = self._adb_command(command)
         output = output.strip().replace("package:", "")
         if not output:
             return []
@@ -270,6 +274,9 @@ class Packages(AndroidExtraction):
         self._adb_connect()
 
         packages = self._adb_command("pm list packages -u -i -f")
+        if "java.lang.SecurityException" in packages or packages.strip() == "":
+            self._user_needed = True
+            packages = self._adb_command("pm list packages -u -i -f --user 0")
 
         for line in packages.splitlines():
             line = line.strip()
@@ -310,7 +317,10 @@ class Packages(AndroidExtraction):
             {"field": "third_party", "arg": "-3"},
         ]
         for cmd in cmds:
-            output = self._adb_command(f"pm list packages {cmd['arg']}")
+            command = f"pm list packages {cmd['arg']}"
+            if self._user_needed:
+                command += " --user 0"
+            output = self._adb_command(command)
             for line in output.splitlines():
                 line = line.strip()
                 if not line.startswith("package:"):

mvt/android/modules/adb/processes.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/root_binaries.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/selinux_status.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/settings.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/sms.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/whatsapp.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/androidqf/__init__.py

@@ -1,11 +1,14 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 from .dumpsys_accessibility import DumpsysAccessibility
 from .dumpsys_activities import DumpsysActivities
 from .dumpsys_appops import DumpsysAppops
+from .dumpsys_battery_daily import DumpsysBatteryDaily
+from .dumpsys_battery_history import DumpsysBatteryHistory
+from .dumpsys_dbinfo import DumpsysDBInfo
 from .dumpsys_packages import DumpsysPackages
 from .dumpsys_receivers import DumpsysReceivers
 from .getprop import Getprop
@@ -18,6 +21,9 @@ ANDROIDQF_MODULES = [
     DumpsysReceivers,
     DumpsysAccessibility,
     DumpsysAppops,
+    DumpsysDBInfo,
+    DumpsysBatteryDaily,
+    DumpsysBatteryHistory,
     Processes,
     Getprop,
     Settings,

mvt/android/modules/androidqf/base.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/androidqf/dumpsys_accessibility.py

@@ -1,17 +1,17 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
 from typing import Optional
 
-from mvt.android.parsers import parse_dumpsys_accessibility
+from mvt.android.artifacts.dumpsys_accessibility import DumpsysAccessibilityArtifact
 
 from .base import AndroidQFModule
 
 
-class DumpsysAccessibility(AndroidQFModule):
+class DumpsysAccessibility(DumpsysAccessibilityArtifact, AndroidQFModule):
     """This module analyse dumpsys accessbility"""
 
     def __init__(
@@ -32,40 +32,14 @@ class DumpsysAccessibility(AndroidQFModule):
             results=results,
         )
 
-    def check_indicators(self) -> None:
-        if not self.indicators:
-            return
-
-        for result in self.results:
-            ioc = self.indicators.check_app_id(result["package_name"])
-            if ioc:
-                result["matched_indicator"] = ioc
-                self.detected.append(result)
-
     def run(self) -> None:
         dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
         if not dumpsys_file:
             return
 
-        lines = []
-        in_accessibility = False
-        data = self._get_file_content(dumpsys_file[0])
-        for line in data.decode("utf-8").split("\n"):
-            if line.strip().startswith("DUMP OF SERVICE accessibility:"):
-                in_accessibility = True
-                continue
-
-            if not in_accessibility:
-                continue
-
-            if line.strip().startswith(
-                "-------------------------------------------------------------------------------"
-            ):  # pylint: disable=line-too-long
-                break
-
-            lines.append(line.rstrip())
-
-        self.results = parse_dumpsys_accessibility("\n".join(lines))
+        data = self._get_file_content(dumpsys_file[0]).decode("utf-8", errors="replace")
+        content = self.extract_dumpsys_section(data, "DUMP OF SERVICE accessibility:")
+        self.parse(content)
 
         for result in self.results:
             self.log.info(

mvt/android/modules/androidqf/dumpsys_activities.py

@@ -1,17 +1,19 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
 from typing import Optional
 
-from mvt.android.parsers import parse_dumpsys_activity_resolver_table
+from mvt.android.artifacts.dumpsys_package_activities import (
+    DumpsysPackageActivitiesArtifact,
+)
 
 from .base import AndroidQFModule
 
 
-class DumpsysActivities(AndroidQFModule):
+class DumpsysActivities(DumpsysPackageActivitiesArtifact, AndroidQFModule):
     """This module extracts details on receivers for risky activities."""
 
     def __init__(
@@ -32,42 +34,17 @@ class DumpsysActivities(AndroidQFModule):
             results=results,
         )
 
-        self.results = results if results else {}
-
-    def check_indicators(self) -> None:
-        if not self.indicators:
-            return
-
-        for intent, activities in self.results.items():
-            for activity in activities:
-                ioc = self.indicators.check_app_id(activity["package_name"])
-                if ioc:
-                    activity["matched_indicator"] = ioc
-                    self.detected.append({intent: activity})
+        self.results = results if results else []
 
     def run(self) -> None:
         dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
         if not dumpsys_file:
             return
 
-        lines = []
-        in_package = False
-        data = self._get_file_content(dumpsys_file[0])
-        for line in data.decode("utf-8").split("\n"):
-            if line.strip() == "DUMP OF SERVICE package:":
-                in_package = True
-                continue
+        # Get data and extract the dumpsys section
+        data = self._get_file_content(dumpsys_file[0]).decode("utf-8", errors="replace")
+        content = self.extract_dumpsys_section(data, "DUMP OF SERVICE package:")
+        # Parse it
+        self.parse(content)
 
-            if not in_package:
-                continue
-
-            if line.strip().startswith(
-                "------------------------------------------------------------------------------"
-            ):  # pylint: disable=line-too-long
-                break
-
-            lines.append(line.rstrip())
-
-        self.results = parse_dumpsys_activity_resolver_table("\n".join(lines))
-
-        self.log.info("Extracted activities for %d intents", len(self.results))
+        self.log.info("Extracted %d package activities", len(self.results))

mvt/android/modules/androidqf/dumpsys_appops.py

@@ -1,17 +1,17 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
-from typing import Optional, Union
+from typing import Optional
 
-from mvt.android.parsers import parse_dumpsys_appops
+from mvt.android.artifacts.dumpsys_appops import DumpsysAppopsArtifact
 
 from .base import AndroidQFModule
 
 
-class DumpsysAppops(AndroidQFModule):
+class DumpsysAppops(DumpsysAppopsArtifact, AndroidQFModule):
     def __init__(
         self,
         file_path: Optional[str] = None,
@@ -30,65 +30,17 @@ class DumpsysAppops(AndroidQFModule):
             results=results,
         )
 
-    def serialize(self, record: dict) -> Union[dict, list]:
-        records = []
-        for perm in record["permissions"]:
-            if "entries" not in perm:
-                continue
-
-            for entry in perm["entries"]:
-                if "timestamp" in entry:
-                    records.append(
-                        {
-                            "timestamp": entry["timestamp"],
-                            "module": self.__class__.__name__,
-                            "event": entry["access"],
-                            "data": f"{record['package_name']} access to "
-                            f"{perm['name']} : {entry['access']}",
-                        }
-                    )
-
-        return records
-
-    def check_indicators(self) -> None:
-        for result in self.results:
-            if self.indicators:
-                ioc = self.indicators.check_app_id(result.get("package_name"))
-                if ioc:
-                    result["matched_indicator"] = ioc
-                    self.detected.append(result)
-                    continue
-
-            for perm in result["permissions"]:
-                if (
-                    perm["name"] == "REQUEST_INSTALL_PACKAGES"
-                    and perm["access"] == "allow"
-                ):
-                    self.log.info(
-                        "Package %s with REQUEST_INSTALL_PACKAGES permission",
-                        result["package_name"],
-                    )
-
     def run(self) -> None:
         dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
         if not dumpsys_file:
             return
 
-        lines = []
-        in_package = False
+        # Extract section
         data = self._get_file_content(dumpsys_file[0])
-        for line in data.decode("utf-8").split("\n"):
-            if line.startswith("DUMP OF SERVICE appops:"):
-                in_package = True
-                continue
+        section = self.extract_dumpsys_section(
+            data.decode("utf-8", errors="replace"), "DUMP OF SERVICE appops:"
+        )
 
-            if in_package:
-                if line.startswith(
-                    "-------------------------------------------------------------------------------"
-                ):  # pylint: disable=line-too-long
-                    break
-
-                lines.append(line.rstrip())
-
-        self.results = parse_dumpsys_appops("\n".join(lines))
+        # Parse it
+        self.parse(section)
         self.log.info("Identified %d applications in AppOps Manager", len(self.results))

mvt/android/modules/androidqf/dumpsys_battery_daily.py

@@ -0,0 +1,46 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 The MVT Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import logging
+from typing import Optional
+
+from mvt.android.artifacts.dumpsys_battery_daily import DumpsysBatteryDailyArtifact
+
+from .base import AndroidQFModule
+
+
+class DumpsysBatteryDaily(DumpsysBatteryDailyArtifact, AndroidQFModule):
+    def __init__(
+        self,
+        file_path: Optional[str] = None,
+        target_path: Optional[str] = None,
+        results_path: Optional[str] = None,
+        module_options: Optional[dict] = None,
+        log: logging.Logger = logging.getLogger(__name__),
+        results: Optional[list] = None,
+    ) -> None:
+        super().__init__(
+            file_path=file_path,
+            target_path=target_path,
+            results_path=results_path,
+            module_options=module_options,
+            log=log,
+            results=results,
+        )
+
+    def run(self) -> None:
+        dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
+        if not dumpsys_file:
+            return
+
+        # Extract section
+        data = self._get_file_content(dumpsys_file[0])
+        section = self.extract_dumpsys_section(
+            data.decode("utf-8", errors="replace"), "DUMP OF SERVICE batterystats:"
+        )
+
+        # Parse it
+        self.parse(section)
+        self.log.info("Extracted a total of %d battery daily stats", len(self.results))

mvt/android/modules/androidqf/dumpsys_battery_history.py

@@ -0,0 +1,46 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 The MVT Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import logging
+from typing import Optional
+
+from mvt.android.artifacts.dumpsys_battery_history import DumpsysBatteryHistoryArtifact
+
+from .base import AndroidQFModule
+
+
+class DumpsysBatteryHistory(DumpsysBatteryHistoryArtifact, AndroidQFModule):
+    def __init__(
+        self,
+        file_path: Optional[str] = None,
+        target_path: Optional[str] = None,
+        results_path: Optional[str] = None,
+        module_options: Optional[dict] = None,
+        log: logging.Logger = logging.getLogger(__name__),
+        results: Optional[list] = None,
+    ) -> None:
+        super().__init__(
+            file_path=file_path,
+            target_path=target_path,
+            results_path=results_path,
+            module_options=module_options,
+            log=log,
+            results=results,
+        )
+
+    def run(self) -> None:
+        dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
+        if not dumpsys_file:
+            return
+
+        # Extract section
+        data = self._get_file_content(dumpsys_file[0])
+        section = self.extract_dumpsys_section(
+            data.decode("utf-8", errors="replace"), "DUMP OF SERVICE batterystats:"
+        )
+
+        # Parse it
+        self.parse(section)
+        self.log.info("Extracted a total of %d battery daily stats", len(self.results))

mvt/android/modules/androidqf/dumpsys_dbinfo.py

@@ -0,0 +1,46 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 The MVT Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import logging
+from typing import Optional
+
+from mvt.android.artifacts.dumpsys_dbinfo import DumpsysDBInfoArtifact
+
+from .base import AndroidQFModule
+
+
+class DumpsysDBInfo(DumpsysDBInfoArtifact, AndroidQFModule):
+    def __init__(
+        self,
+        file_path: Optional[str] = None,
+        target_path: Optional[str] = None,
+        results_path: Optional[str] = None,
+        module_options: Optional[dict] = None,
+        log: logging.Logger = logging.getLogger(__name__),
+        results: Optional[list] = None,
+    ) -> None:
+        super().__init__(
+            file_path=file_path,
+            target_path=target_path,
+            results_path=results_path,
+            module_options=module_options,
+            log=log,
+            results=results,
+        )
+
+    def run(self) -> None:
+        dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
+        if not dumpsys_file:
+            return
+
+        # Extract dumpsys DBInfo section
+        data = self._get_file_content(dumpsys_file[0])
+        section = self.extract_dumpsys_section(
+            data.decode("utf-8", errors="replace"), "DUMP OF SERVICE dbinfo:"
+        )
+
+        # Parse it
+        self.parse(section)
+        self.log.info("Identified %d DB Info entries", len(self.results))

mvt/android/modules/androidqf/dumpsys_packages.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/androidqf/dumpsys_receivers.py

@@ -1,24 +1,17 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
 from typing import Any, Dict, List, Optional, Union
 
-from mvt.android.modules.adb.dumpsys_receivers import (
-    INTENT_DATA_SMS_RECEIVED,
-    INTENT_NEW_OUTGOING_CALL,
-    INTENT_NEW_OUTGOING_SMS,
-    INTENT_PHONE_STATE,
-    INTENT_SMS_RECEIVED,
-)
-from mvt.android.parsers import parse_dumpsys_receiver_resolver_table
+from mvt.android.artifacts.dumpsys_receivers import DumpsysReceiversArtifact
 
 from .base import AndroidQFModule
 
 
-class DumpsysReceivers(AndroidQFModule):
+class DumpsysReceivers(DumpsysReceiversArtifact, AndroidQFModule):
     """This module analyse dumpsys receivers"""
 
     def __init__(
@@ -41,67 +34,16 @@ class DumpsysReceivers(AndroidQFModule):
 
         self.results = results if results else {}
 
-    def check_indicators(self) -> None:
-        if not self.indicators:
-            return
-
-        for intent, receivers in self.results.items():
-            for receiver in receivers:
-                if intent == INTENT_NEW_OUTGOING_SMS:
-                    self.log.info(
-                        'Found a receiver to intercept outgoing SMS messages: "%s"',
-                        receiver["receiver"],
-                    )
-                elif intent == INTENT_SMS_RECEIVED:
-                    self.log.info(
-                        'Found a receiver to intercept incoming SMS messages: "%s"',
-                        receiver["receiver"],
-                    )
-                elif intent == INTENT_DATA_SMS_RECEIVED:
-                    self.log.info(
-                        'Found a receiver to intercept incoming data SMS message: "%s"',
-                        receiver["receiver"],
-                    )
-                elif intent == INTENT_PHONE_STATE:
-                    self.log.info(
-                        "Found a receiver monitoring "
-                        'telephony state/incoming calls: "%s"',
-                        receiver["receiver"],
-                    )
-                elif intent == INTENT_NEW_OUTGOING_CALL:
-                    self.log.info(
-                        'Found a receiver monitoring outgoing calls: "%s"',
-                        receiver["receiver"],
-                    )
-
-                ioc = self.indicators.check_app_id(receiver["package_name"])
-                if ioc:
-                    receiver["matched_indicator"] = ioc
-                    self.detected.append({intent: receiver})
-
     def run(self) -> None:
         dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
         if not dumpsys_file:
             return
-
-        in_receivers = False
-        lines = []
         data = self._get_file_content(dumpsys_file[0])
-        for line in data.decode("utf-8").split("\n"):
-            if line.strip() == "DUMP OF SERVICE package:":
-                in_receivers = True
-                continue
 
-            if not in_receivers:
-                continue
+        dumpsys_section = self.extract_dumpsys_section(
+            data.decode("utf-8", errors="replace"), "DUMP OF SERVICE package:"
+        )
 
-            if line.strip().startswith(
-                "------------------------------------------------------------------------------"
-            ):  # pylint: disable=line-too-long
-                break
-
-            lines.append(line.rstrip())
-
-        self.results = parse_dumpsys_receiver_resolver_table("\n".join(lines))
+        self.parse(dumpsys_section)
 
         self.log.info("Extracted receivers for %d intents", len(self.results))

mvt/android/modules/androidqf/getprop.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/androidqf/processes.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/androidqf/settings.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/androidqf/sms.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1
 

mvt/android/modules/backup/__init__.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/backup/base.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/backup/helpers.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/backup/sms.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/bugreport/__init__.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/bugreport/accessibility.py

@@ -1,17 +1,17 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
 from typing import Optional
 
-from mvt.android.parsers import parse_dumpsys_accessibility
+from mvt.android.artifacts.dumpsys_accessibility import DumpsysAccessibilityArtifact
 
 from .base import BugReportModule
 
 
-class Accessibility(BugReportModule):
+class Accessibility(DumpsysAccessibilityArtifact, BugReportModule):
     """This module extracts stats on accessibility."""
 
     def __init__(
@@ -32,44 +32,21 @@ class Accessibility(BugReportModule):
             results=results,
         )
 
-    def check_indicators(self) -> None:
-        if not self.indicators:
-            return
-
-        for result in self.results:
-            ioc = self.indicators.check_app_id(result["package_name"])
-            if ioc:
-                result["matched_indicator"] = ioc
-                self.detected.append(result)
-                continue
-
     def run(self) -> None:
-        content = self._get_dumpstate_file()
-        if not content:
+        full_dumpsys = self._get_dumpstate_file()
+        if not full_dumpsys:
             self.log.error(
                 "Unable to find dumpstate file. "
                 "Did you provide a valid bug report archive?"
             )
             return
 
-        lines = []
-        in_accessibility = False
-        for line in content.decode(errors="ignore").splitlines():
-            if line.strip() == "DUMP OF SERVICE accessibility:":
-                in_accessibility = True
-                continue
+        content = self.extract_dumpsys_section(
+            full_dumpsys.decode("utf-8", errors="ignore"),
+            "DUMP OF SERVICE accessibility:",
+        )
+        self.parse(content)
 
-            if not in_accessibility:
-                continue
-
-            if line.strip().startswith(
-                "------------------------------------------------------------------------------"
-            ):  # pylint: disable=line-too-long
-                break
-
-            lines.append(line)
-
-        self.results = parse_dumpsys_accessibility("\n".join(lines))
         for result in self.results:
             self.log.info(
                 'Found installed accessibility service "%s"', result.get("service")

mvt/android/modules/bugreport/activities.py

@@ -1,17 +1,19 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
 from typing import Optional
 
-from mvt.android.parsers import parse_dumpsys_activity_resolver_table
+from mvt.android.artifacts.dumpsys_package_activities import (
+    DumpsysPackageActivitiesArtifact,
+)
 
 from .base import BugReportModule
 
 
-class Activities(BugReportModule):
+class Activities(DumpsysPackageActivitiesArtifact, BugReportModule):
     """This module extracts details on receivers for risky activities."""
 
     def __init__(
@@ -32,19 +34,7 @@ class Activities(BugReportModule):
             results=results,
         )
 
-        self.results = results if results else {}
-
-    def check_indicators(self) -> None:
-        if not self.indicators:
-            return
-
-        for intent, activities in self.results.items():
-            for activity in activities:
-                ioc = self.indicators.check_app_id(activity["package_name"])
-                if ioc:
-                    activity["matched_indicator"] = ioc
-                    self.detected.append({intent: activity})
-                    continue
+        self.results = results if results else []
 
     def run(self) -> None:
         content = self._get_dumpstate_file()
@@ -55,23 +45,12 @@ class Activities(BugReportModule):
             )
             return
 
-        lines = []
-        in_package = False
-        for line in content.decode(errors="ignore").splitlines():
-            if line.strip() == "DUMP OF SERVICE package:":
-                in_package = True
-                continue
+        # Extract package section
+        section = self.extract_dumpsys_section(
+            content.decode("utf-8", errors="ignore"), "DUMP OF SERVICE package:"
+        )
 
-            if not in_package:
-                continue
+        # Parse
+        self.parse(section)
 
-            if line.strip().startswith(
-                "------------------------------------------------------------------------------"
-            ):  # pylint: disable=line-too-long
-                break
-
-            lines.append(line)
-
-        self.results = parse_dumpsys_activity_resolver_table("\n".join(lines))
-
-        self.log.info("Extracted activities for %d intents", len(self.results))
+        self.log.info("Extracted %d package activities", len(self.results))

mvt/android/modules/bugreport/appops.py

@@ -1,17 +1,17 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
-from typing import Optional, Union
+from typing import Optional
 
-from mvt.android.parsers import parse_dumpsys_appops
+from mvt.android.artifacts.dumpsys_appops import DumpsysAppopsArtifact
 
 from .base import BugReportModule
 
 
-class Appops(BugReportModule):
+class Appops(DumpsysAppopsArtifact, BugReportModule):
     """This module extracts information on package from App-Ops Manager."""
 
     def __init__(
@@ -32,45 +32,6 @@ class Appops(BugReportModule):
             results=results,
         )
 
-    def serialize(self, record: dict) -> Union[dict, list]:
-        records = []
-        for perm in record["permissions"]:
-            if "entries" not in perm:
-                continue
-
-            for entry in perm["entries"]:
-                if "timestamp" in entry:
-                    records.append(
-                        {
-                            "timestamp": entry["timestamp"],
-                            "module": self.__class__.__name__,
-                            "event": entry["access"],
-                            "data": f"{record['package_name']} access to "
-                            f"{perm['name']}: {entry['access']}",
-                        }
-                    )
-
-        return records
-
-    def check_indicators(self) -> None:
-        for result in self.results:
-            if self.indicators:
-                ioc = self.indicators.check_app_id(result.get("package_name"))
-                if ioc:
-                    result["matched_indicator"] = ioc
-                    self.detected.append(result)
-                    continue
-
-            for perm in result["permissions"]:
-                if (
-                    perm["name"] == "REQUEST_INSTALL_PACKAGES"
-                    and perm["access"] == "allow"
-                ):
-                    self.log.info(
-                        "Package %s with REQUEST_INSTALL_PACKAGES permission",
-                        result["package_name"],
-                    )
-
     def run(self) -> None:
         content = self._get_dumpstate_file()
         if not content:
@@ -80,24 +41,10 @@ class Appops(BugReportModule):
             )
             return
 
-        lines = []
-        in_appops = False
-        for line in content.decode(errors="ignore").splitlines():
-            if line.strip() == "DUMP OF SERVICE appops:":
-                in_appops = True
-                continue
-
-            if not in_appops:
-                continue
-
-            if line.strip().startswith(
-                "------------------------------------------------------------------------------"
-            ):  # pylint: disable=line-too-long
-                break
-
-            lines.append(line)
-
-        self.results = parse_dumpsys_appops("\n".join(lines))
+        section = self.extract_dumpsys_section(
+            content.decode("utf-8", errors="replace"), "DUMP OF SERVICE appops:"
+        )
+        self.parse(section)
 
         self.log.info(
             "Identified a total of %d packages in App-Ops Manager", len(self.results)

mvt/android/modules/bugreport/base.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # See the file 'LICENSE' for usage and copying permissions, or find a copy at
 #   https://github.com/mvt-project/mvt/blob/main/LICENSE
 

mvt/android/modules/bugreport/battery_daily.py

@@ -1,17 +1,17 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
-from typing import Optional, Union
+from typing import Optional
 
-from mvt.android.parsers import parse_dumpsys_battery_daily
+from mvt.android.artifacts.dumpsys_battery_daily import DumpsysBatteryDailyArtifact
 
 from .base import BugReportModule
 
 
-class BatteryDaily(BugReportModule):
+class BatteryDaily(DumpsysBatteryDailyArtifact, BugReportModule):
     """This module extracts records from battery daily updates."""
 
     def __init__(
@@ -32,26 +32,6 @@ class BatteryDaily(BugReportModule):
             results=results,
         )
 
-    def serialize(self, record: dict) -> Union[dict, list]:
-        return {
-            "timestamp": record["from"],
-            "module": self.__class__.__name__,
-            "event": "battery_daily",
-            "data": f"Recorded update of package {record['package_name']} "
-            f"with vers {record['vers']}",
-        }
-
-    def check_indicators(self) -> None:
-        if not self.indicators:
-            return
-
-        for result in self.results:
-            ioc = self.indicators.check_app_id(result["package_name"])
-            if ioc:
-                result["matched_indicator"] = ioc
-                self.detected.append(result)
-                continue
-
     def run(self) -> None:
         content = self._get_dumpstate_file()
         if not content:
@@ -61,30 +41,9 @@ class BatteryDaily(BugReportModule):
             )
             return
 
-        lines = []
-        in_batterystats = False
-        in_daily = False
-        for line in content.decode(errors="ignore").splitlines():
-            if line.strip() == "DUMP OF SERVICE batterystats:":
-                in_batterystats = True
-                continue
-
-            if not in_batterystats:
-                continue
-
-            if line.strip() == "Daily stats:":
-                lines.append(line)
-                in_daily = True
-                continue
-
-            if not in_daily:
-                continue
-
-            if line.strip() == "":
-                break
-
-            lines.append(line)
-
-        self.results = parse_dumpsys_battery_daily("\n".join(lines))
+        dumpsys_section = self.extract_dumpsys_section(
+            content.decode("utf-8", errors="replace"), "DUMP OF SERVICE batterystats:"
+        )
+        self.parse(dumpsys_section)
 
         self.log.info("Extracted a total of %d battery daily stats", len(self.results))

mvt/android/modules/bugreport/battery_history.py

@@ -1,17 +1,17 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
 from typing import Optional
 
-from mvt.android.parsers import parse_dumpsys_battery_history
+from mvt.android.artifacts.dumpsys_battery_history import DumpsysBatteryHistoryArtifact
 
 from .base import BugReportModule
 
 
-class BatteryHistory(BugReportModule):
+class BatteryHistory(DumpsysBatteryHistoryArtifact, BugReportModule):
     """This module extracts records from battery daily updates."""
 
     def __init__(
@@ -32,17 +32,6 @@ class BatteryHistory(BugReportModule):
             results=results,
         )
 
-    def check_indicators(self) -> None:
-        if not self.indicators:
-            return
-
-        for result in self.results:
-            ioc = self.indicators.check_app_id(result["package_name"])
-            if ioc:
-                result["matched_indicator"] = ioc
-                self.detected.append(result)
-                continue
-
     def run(self) -> None:
         content = self._get_dumpstate_file()
         if not content:
@@ -52,23 +41,10 @@ class BatteryHistory(BugReportModule):
             )
             return
 
-        lines = []
-        in_history = False
-        for line in content.decode(errors="ignore").splitlines():
-            if line.strip().startswith("Battery History "):
-                lines.append(line)
-                in_history = True
-                continue
-
-            if not in_history:
-                continue
-
-            if line.strip() == "":
-                break
-
-            lines.append(line)
-
-        self.results = parse_dumpsys_battery_history("\n".join(lines))
+        dumpsys_section = self.extract_dumpsys_section(
+            content.decode("utf-8", errors="replace"), "DUMP OF SERVICE batterystats:"
+        )
+        self.parse(dumpsys_section)
 
         self.log.info(
             "Extracted a total of %d battery history records", len(self.results)

mvt/android/modules/bugreport/dbinfo.py

@@ -1,17 +1,17 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
 from typing import Optional
 
-from mvt.android.parsers import parse_dumpsys_dbinfo
+from mvt.android.artifacts.dumpsys_dbinfo import DumpsysDBInfoArtifact
 
 from .base import BugReportModule
 
 
-class DBInfo(BugReportModule):
+class DBInfo(DumpsysDBInfoArtifact, BugReportModule):
     """This module extracts records from battery daily updates."""
 
     slug = "dbinfo"
@@ -34,47 +34,20 @@ class DBInfo(BugReportModule):
             results=results,
         )
 
-    def check_indicators(self) -> None:
-        if not self.indicators:
-            return
-
-        for result in self.results:
-            path = result.get("path", "")
-            for part in path.split("/"):
-                ioc = self.indicators.check_app_id(part)
-                if ioc:
-                    result["matched_indicator"] = ioc
-                    self.detected.append(result)
-                    continue
-
     def run(self) -> None:
-        content = self._get_dumpstate_file()
-        if not content:
+        data = self._get_dumpstate_file()
+        if not data:
             self.log.error(
                 "Unable to find dumpstate file. "
                 "Did you provide a valid bug report archive?"
             )
             return
 
-        in_dbinfo = False
-        lines = []
-        for line in content.decode(errors="ignore").splitlines():
-            if line.strip() == "DUMP OF SERVICE dbinfo:":
-                in_dbinfo = True
-                continue
-
-            if not in_dbinfo:
-                continue
-
-            if line.strip().startswith(
-                "------------------------------------------------------------------------------"
-            ):  # pylint: disable=line-too-long
-                break
-
-            lines.append(line)
-
-        self.results = parse_dumpsys_dbinfo("\n".join(lines))
+        section = self.extract_dumpsys_section(
+            data.decode("utf-8", errors="ignore"), "DUMP OF SERVICE dbinfo:"
+        )
 
+        self.parse(section)
         self.log.info(
             "Extracted a total of %d database connection pool records",
             len(self.results),

mvt/android/modules/bugreport/getprop.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/bugreport/packages.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/bugreport/receivers.py

@@ -1,23 +1,17 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
 from typing import Optional
 
-from mvt.android.parsers import parse_dumpsys_receiver_resolver_table
+from mvt.android.artifacts.dumpsys_receivers import DumpsysReceiversArtifact
 
 from .base import BugReportModule
 
-INTENT_NEW_OUTGOING_SMS = "android.provider.Telephony.NEW_OUTGOING_SMS"
-INTENT_SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
-INTENT_DATA_SMS_RECEIVED = "android.intent.action.DATA_SMS_RECEIVED"
-INTENT_PHONE_STATE = "android.intent.action.PHONE_STATE"
-INTENT_NEW_OUTGOING_CALL = "android.intent.action.NEW_OUTGOING_CALL"
 
-
-class Receivers(BugReportModule):
+class Receivers(DumpsysReceiversArtifact, BugReportModule):
     """This module extracts details on receivers for risky activities."""
 
     def __init__(
@@ -40,45 +34,6 @@ class Receivers(BugReportModule):
 
         self.results = results if results else {}
 
-    def check_indicators(self) -> None:
-        if not self.indicators:
-            return
-
-        for intent, receivers in self.results.items():
-            for receiver in receivers:
-                if intent == INTENT_NEW_OUTGOING_SMS:
-                    self.log.info(
-                        'Found a receiver to intercept outgoing SMS messages: "%s"',
-                        receiver["receiver"],
-                    )
-                elif intent == INTENT_SMS_RECEIVED:
-                    self.log.info(
-                        'Found a receiver to intercept incoming SMS messages: "%s"',
-                        receiver["receiver"],
-                    )
-                elif intent == INTENT_DATA_SMS_RECEIVED:
-                    self.log.info(
-                        'Found a receiver to intercept incoming data SMS message: "%s"',
-                        receiver["receiver"],
-                    )
-                elif intent == INTENT_PHONE_STATE:
-                    self.log.info(
-                        "Found a receiver monitoring "
-                        'telephony state/incoming calls: "%s"',
-                        receiver["receiver"],
-                    )
-                elif intent == INTENT_NEW_OUTGOING_CALL:
-                    self.log.info(
-                        'Found a receiver monitoring outgoing calls: "%s"',
-                        receiver["receiver"],
-                    )
-
-                ioc = self.indicators.check_app_id(receiver["package_name"])
-                if ioc:
-                    receiver["matched_indicator"] = ioc
-                    self.detected.append({intent: receiver})
-                    continue
-
     def run(self) -> None:
         content = self._get_dumpstate_file()
         if not content:
@@ -88,23 +43,9 @@ class Receivers(BugReportModule):
             )
             return
 
-        in_receivers = False
-        lines = []
-        for line in content.decode(errors="ignore").splitlines():
-            if line.strip() == "DUMP OF SERVICE package:":
-                in_receivers = True
-                continue
-
-            if not in_receivers:
-                continue
-
-            if line.strip().startswith(
-                "------------------------------------------------------------------------------"
-            ):  # pylint: disable=line-too-long
-                break
-
-            lines.append(line)
-
-        self.results = parse_dumpsys_receiver_resolver_table("\n".join(lines))
+        dumpsys_section = self.extract_dumpsys_section(
+            content.decode("utf-8", errors="replace"), "DUMP OF SERVICE package:"
+        )
 
+        self.parse(dumpsys_section)
         self.log.info("Extracted receivers for %d intents", len(self.results))

mvt/android/parsers/__init__.py

@@ -1,14 +1,4 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
-
-from .dumpsys import (
-    parse_dumpsys_accessibility,
-    parse_dumpsys_activity_resolver_table,
-    parse_dumpsys_appops,
-    parse_dumpsys_battery_daily,
-    parse_dumpsys_battery_history,
-    parse_dumpsys_dbinfo,
-    parse_dumpsys_receiver_resolver_table,
-)

mvt/android/parsers/backup.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/parsers/dumpsys.py

@@ -1,424 +1,11 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import re
-from datetime import datetime
 from typing import Any, Dict, List
 
-from mvt.common.utils import convert_datetime_to_iso
-
-
-def parse_dumpsys_accessibility(output: str) -> List[Dict[str, str]]:
-    results = []
-
-    in_services = False
-    for line in output.splitlines():
-        if line.strip().startswith("installed services:"):
-            in_services = True
-            continue
-
-        if not in_services:
-            continue
-
-        if line.strip() == "}":
-            break
-
-        service = line.split(":")[1].strip()
-
-        results.append(
-            {
-                "package_name": service.split("/")[0],
-                "service": service,
-            }
-        )
-
-    return results
-
-
-def parse_dumpsys_activity_resolver_table(output: str) -> Dict[str, Any]:
-    results = {}
-
-    in_activity_resolver_table = False
-    in_non_data_actions = False
-    intent = None
-    for line in output.splitlines():
-        if line.startswith("Activity Resolver Table:"):
-            in_activity_resolver_table = True
-            continue
-
-        if not in_activity_resolver_table:
-            continue
-
-        if line.startswith("  Non-Data Actions:"):
-            in_non_data_actions = True
-            continue
-
-        if not in_non_data_actions:
-            continue
-
-        # If we hit an empty line, the Non-Data Actions section should be
-        # finished.
-        if line.strip() == "":
-            break
-
-        # We detect the action name.
-        if line.startswith(" " * 6) and not line.startswith(" " * 8) and ":" in line:
-            intent = line.strip().replace(":", "")
-            results[intent] = []
-            continue
-
-        # If we are not in an intent block yet, skip.
-        if not intent:
-            continue
-
-        # If we are in a block but the line does not start with 8 spaces
-        # it means the block ended a new one started, so we reset and
-        # continue.
-        if not line.startswith(" " * 8):
-            intent = None
-            continue
-
-        # If we got this far, we are processing receivers for the
-        # activities we are interested in.
-        activity = line.strip().split(" ")[1]
-        package_name = activity.split("/")[0]
-
-        results[intent].append(
-            {
-                "package_name": package_name,
-                "activity": activity,
-            }
-        )
-
-    return results
-
-
-def parse_dumpsys_battery_daily(output: str) -> list:
-    results = []
-    daily = None
-    daily_updates = []
-    for line in output.splitlines():
-        if line.startswith("  Daily from "):
-            if len(daily_updates) > 0:
-                results.extend(daily_updates)
-                daily_updates = []
-
-            timeframe = line[13:].strip()
-            date_from, date_to = timeframe.strip(":").split(" to ", 1)
-            daily = {"from": date_from[0:10], "to": date_to[0:10]}
-            continue
-
-        if not daily:
-            continue
-
-        if not line.strip().startswith("Update "):
-            continue
-
-        line = line.strip().replace("Update ", "")
-        package_name, vers = line.split(" ", 1)
-        vers_nr = vers.split("=", 1)[1]
-
-        already_seen = False
-        for update in daily_updates:
-            if package_name == update["package_name"] and vers_nr == update["vers"]:
-                already_seen = True
-                break
-
-        if not already_seen:
-            daily_updates.append(
-                {
-                    "action": "update",
-                    "from": daily["from"],
-                    "to": daily["to"],
-                    "package_name": package_name,
-                    "vers": vers_nr,
-                }
-            )
-
-    if len(daily_updates) > 0:
-        results.extend(daily_updates)
-
-    return results
-
-
-def parse_dumpsys_battery_history(output: str) -> List[Dict[str, Any]]:
-    results = []
-
-    for line in output.splitlines():
-        if line.startswith("Battery History "):
-            continue
-
-        if line.strip() == "":
-            break
-
-        time_elapsed = line.strip().split(" ", 1)[0]
-
-        event = ""
-        if line.find("+job") > 0:
-            event = "start_job"
-            uid = line[line.find("+job") + 5 : line.find(":")]
-            service = line[line.find(":") + 1 :].strip('"')
-            package_name = service.split("/")[0]
-        elif line.find("-job") > 0:
-            event = "end_job"
-            uid = line[line.find("-job") + 5 : line.find(":")]
-            service = line[line.find(":") + 1 :].strip('"')
-            package_name = service.split("/")[0]
-        elif line.find("+running +wake_lock=") > 0:
-            uid = line[line.find("+running +wake_lock=") + 21 : line.find(":")]
-            event = "wake"
-            service = (
-                line[line.find("*walarm*:") + 9 :].split(" ")[0].strip('"').strip()
-            )
-            if service == "" or "/" not in service:
-                continue
-
-            package_name = service.split("/")[0]
-        elif (line.find("+top=") > 0) or (line.find("-top") > 0):
-            if line.find("+top=") > 0:
-                event = "start_top"
-                top_pos = line.find("+top=")
-            else:
-                event = "end_top"
-                top_pos = line.find("-top=")
-            colon_pos = top_pos + line[top_pos:].find(":")
-            uid = line[top_pos + 5 : colon_pos]
-            service = ""
-            package_name = line[colon_pos + 1 :].strip('"')
-        else:
-            continue
-
-        results.append(
-            {
-                "time_elapsed": time_elapsed,
-                "event": event,
-                "uid": uid,
-                "package_name": package_name,
-                "service": service,
-            }
-        )
-
-    return results
-
-
-def parse_dumpsys_dbinfo(output: str) -> List[Dict[str, Any]]:
-    results = []
-
-    rxp = re.compile(
-        r".*\[([0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3})\].*\[Pid:\((\d+)\)\](\w+).*sql\=\"(.+?)\""
-    )  # pylint: disable=line-too-long
-    rxp_no_pid = re.compile(
-        r".*\[([0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3})\][ ]{1}(\w+).*sql\=\"(.+?)\""
-    )  # pylint: disable=line-too-long
-
-    pool = None
-    in_operations = False
-    for line in output.splitlines():
-        if line.startswith("Connection pool for "):
-            pool = line.replace("Connection pool for ", "").rstrip(":")
-
-        if not pool:
-            continue
-
-        if line.strip() == "Most recently executed operations:":
-            in_operations = True
-            continue
-
-        if not in_operations:
-            continue
-
-        if not line.startswith("        "):
-            in_operations = False
-            pool = None
-            continue
-
-        matches = rxp.findall(line)
-        if not matches:
-            matches = rxp_no_pid.findall(line)
-            if not matches:
-                continue
-
-            match = matches[0]
-            results.append(
-                {
-                    "isodate": match[0],
-                    "action": match[1],
-                    "sql": match[2],
-                    "path": pool,
-                }
-            )
-        else:
-            match = matches[0]
-            results.append(
-                {
-                    "isodate": match[0],
-                    "pid": match[1],
-                    "action": match[2],
-                    "sql": match[3],
-                    "path": pool,
-                }
-            )
-
-    return results
-
-
-def parse_dumpsys_receiver_resolver_table(output: str) -> Dict[str, Any]:
-    results = {}
-
-    in_receiver_resolver_table = False
-    in_non_data_actions = False
-    intent = None
-    for line in output.splitlines():
-        if line.startswith("Receiver Resolver Table:"):
-            in_receiver_resolver_table = True
-            continue
-
-        if not in_receiver_resolver_table:
-            continue
-
-        if line.startswith("  Non-Data Actions:"):
-            in_non_data_actions = True
-            continue
-
-        if not in_non_data_actions:
-            continue
-
-        # If we hit an empty line, the Non-Data Actions section should be
-        # finished.
-        if line.strip() == "":
-            break
-
-        # We detect the action name.
-        if line.startswith(" " * 6) and not line.startswith(" " * 8) and ":" in line:
-            intent = line.strip().replace(":", "")
-            results[intent] = []
-            continue
-
-        # If we are not in an intent block yet, skip.
-        if not intent:
-            continue
-
-        # If we are in a block but the line does not start with 8 spaces
-        # it means the block ended a new one started, so we reset and
-        # continue.
-        if not line.startswith(" " * 8):
-            intent = None
-            continue
-
-        # If we got this far, we are processing receivers for the
-        # activities we are interested in.
-        receiver = line.strip().split(" ")[1]
-        package_name = receiver.split("/")[0]
-
-        results[intent].append(
-            {
-                "package_name": package_name,
-                "receiver": receiver,
-            }
-        )
-
-    return results
-
-
-def parse_dumpsys_appops(output: str) -> List[Dict[str, Any]]:
-    results = []
-    perm = {}
-    package = {}
-    entry = {}
-    uid = None
-    in_packages = False
-
-    for line in output.splitlines():
-        if line.startswith("  Uid 0:"):
-            in_packages = True
-
-        if not in_packages:
-            continue
-
-        if line.startswith("  Uid "):
-            uid = line[6:-1]
-            if entry:
-                perm["entries"].append(entry)
-                entry = {}
-
-            if package:
-                if perm:
-                    package["permissions"].append(perm)
-
-                perm = {}
-                results.append(package)
-            package = {}
-            continue
-
-        if line.startswith("    Package "):
-            if entry:
-                perm["entries"].append(entry)
-                entry = {}
-
-            if package:
-                if perm:
-                    package["permissions"].append(perm)
-
-                perm = {}
-                results.append(package)
-
-            package = {
-                "package_name": line[12:-1],
-                "permissions": [],
-                "uid": uid,
-            }
-            continue
-
-        if package and line.startswith("      ") and line[6] != " ":
-            if entry:
-                perm["entries"].append(entry)
-                entry = {}
-            if perm:
-                package["permissions"].append(perm)
-                perm = {}
-
-            perm["name"] = line.split()[0]
-            perm["entries"] = []
-            if len(line.split()) > 1:
-                perm["access"] = line.split()[1][1:-2]
-
-            continue
-
-        if line.startswith("          "):
-            # Permission entry like:
-            # Reject: [fg-s]2021-05-19 22:02:52.054 (-314d1h25m2s33ms)
-            if entry:
-                perm["entries"].append(entry)
-                entry = {}
-
-            entry["access"] = line.split(":")[0].strip()
-            entry["type"] = line[line.find("[") + 1 : line.find("]")]
-
-            try:
-                entry["timestamp"] = convert_datetime_to_iso(
-                    datetime.strptime(
-                        line[line.find("]") + 1 : line.find("(")].strip(),
-                        "%Y-%m-%d %H:%M:%S.%f",
-                    )
-                )
-            except ValueError:
-                # Invalid date format
-                pass
-
-        if line.strip() == "":
-            break
-
-    if entry:
-        perm["entries"].append(entry)
-    if perm:
-        package["permissions"].append(perm)
-    if package:
-        results.append(package)
-
-    return results
-
 
 def parse_dumpsys_package_for_details(output: str) -> Dict[str, Any]:
     """

mvt/android/utils.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 from datetime import datetime, timedelta

mvt/common/__init__.py

@@ -1,4 +1,4 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

mvt/common/artifact.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/common/cmd_check_iocs.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -53,7 +53,7 @@ class CmdCheckIOCS(Command):
                 if self.module_name and iocs_module.__name__ != self.module_name:
                     continue
 
-                if iocs_module().get_slug() != name_only:
+                if iocs_module.get_slug() != name_only:
                     continue
 
                 log.info(

mvt/common/command.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/common/help.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/common/indicators.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/common/logo.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/common/module.py

@@ -1,17 +1,16 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import csv
+import json
 import logging
 import os
 import re
 from typing import Any, Dict, List, Optional, Union
 
-import simplejson as json
-
-from .utils import exec_or_profile
+from .utils import CustomJSONEncoder, exec_or_profile
 
 
 class DatabaseNotFoundError(Exception):
@@ -75,12 +74,13 @@ class MVTModule:
                 log.info('Loaded %d results from "%s"', len(results), json_path)
             return cls(results=results, log=log)
 
-    def get_slug(self) -> str:
+    @classmethod
+    def get_slug(cls) -> str:
         """Use the module's class name to retrieve a slug"""
-        if self.slug:
-            return self.slug
+        if cls.slug:
+            return cls.slug
 
-        sub = re.sub("(.)([A-Z][a-z]+)", r"\1_\2", self.__class__.__name__)
+        sub = re.sub("(.)([A-Z][a-z]+)", r"\1_\2", cls.__name__)
         return re.sub("([a-z0-9])([A-Z])", r"\1_\2", sub).lower()
 
     def check_indicators(self) -> None:
@@ -103,7 +103,7 @@ class MVTModule:
             results_json_path = os.path.join(self.results_path, results_file_name)
             with open(results_json_path, "w", encoding="utf-8") as handle:
                 try:
-                    json.dump(self.results, handle, indent=4, default=str)
+                    json.dump(self.results, handle, indent=4, cls=CustomJSONEncoder)
                 except Exception as exc:
                     self.log.error(
                         "Unable to store results of module %s to file %s: %s",
@@ -116,7 +116,7 @@ class MVTModule:
             detected_file_name = f"{name}_detected.json"
             detected_json_path = os.path.join(self.results_path, detected_file_name)
             with open(detected_json_path, "w", encoding="utf-8") as handle:
-                json.dump(self.detected, handle, indent=4, default=str)
+                json.dump(self.detected, handle, indent=4, cls=CustomJSONEncoder)
 
     def serialize(self, record: dict) -> Union[dict, list, None]:
         raise NotImplementedError

mvt/common/options.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/common/updates.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/common/url.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/common/utils.py

@@ -1,11 +1,12 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import cProfile
 import datetime
 import hashlib
+import json
 import logging
 import os
 import re
@@ -14,6 +15,28 @@ from typing import Any, Iterator, Union
 from rich.logging import RichHandler
 
 
+class CustomJSONEncoder(json.JSONEncoder):
+    """
+    Custom JSON encoder to handle non-standard types.
+
+    Some modules are storing non-UTF-8 bytes in their results dictionaries.
+    This causes exceptions when the results are being encoded as JSON.
+
+    Of course this means that when MVT is run via `check-iocs` with existing
+    results, the encoded version will be loaded back into the dictionary.
+    Modules should ensure they encode anything that needs to be compared
+    against an indicator in a JSON-friendly type.
+    """
+
+    def default(self, o):
+        if isinstance(o, bytes):
+            # Decode as utf-8, replace any invalid UTF-8 bytes with escaped hex
+            return o.decode("utf-8", errors="backslashreplace")
+
+        # For all other types try to use the string representation.
+        return str(o)
+
+
 def convert_chrometime_to_datetime(timestamp: int) -> datetime.datetime:
     """Converts Chrome timestamp to a datetime.
 

mvt/common/version.py

@@ -1,6 +1,6 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Copyright (c) 2021-2023 The MVT Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
-MVT_VERSION = "2.4.1"
+MVT_VERSION = "2.4.5"