fix ruff

Bumps [cryptography](https://github.com/pyca/cryptography) from 45.0.5 to 45.0.6.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/45.0.5...45.0.6)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 45.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "pip" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"

.github/workflows/tests.yml

@@ -12,7 +12,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ['3.8', '3.9', '3.10']  # , '3.11']
+        python-version: ['3.10', '3.11', '3.12', '3.13']
 
     steps:
       - uses: actions/checkout@v4
@@ -35,4 +35,4 @@ jobs:
         if: github.event_name == 'pull_request'
         with:
           pytest-coverage-path: ./pytest-coverage.txt
-          junitxml-path: ./pytest.xml
+          junitxml-path: ./pytest.xml

docs/requirements.txt

@@ -1,5 +1,5 @@
 mkdocs==1.6.1
-mkdocs-autorefs==1.2.0
-mkdocs-material==9.5.42
+mkdocs-autorefs==1.4.2
+mkdocs-material==9.6.16
 mkdocs-material-extensions==1.3.1
-mkdocstrings==0.23.0
+mkdocstrings==0.30.0

pyproject.toml

@@ -19,26 +19,26 @@ classifiers = [
     "Programming Language :: Python"
 ]
 dependencies = [
-    "click >=8.1.3",
-    "rich >=12.6.0",
-    "tld >=0.12.6",
-    "requests >=2.28.1",
-    "simplejson >=3.17.6",
-    "packaging >=21.3",
-    "appdirs >=1.4.4",
-    "iOSbackup >=0.9.923",
-    "adb-shell[usb] >=0.4.3",
-    "libusb1 >=3.0.0",
-    "cryptography >=42.0.5",
-    "pyyaml >=6.0",
-    "pyahocorasick >= 2.0.0",
-    "betterproto >=1.2.0",
-    "pydantic >= 2.10.0",
-    "pydantic-settings >= 2.7.0",
-    'backports.zoneinfo; python_version < "3.9"',
-    "NSKeyedUnArchiver==1.5",
+    "click==8.2.1",
+    "rich==14.1.0",
+    "tld==0.13.1",
+    "requests==2.32.4",
+    "simplejson==3.20.1",
+    "packaging==25.0",
+    "appdirs==1.4.4",
+    "iOSbackup==0.9.925",
+    "adb-shell[usb]==0.4.4",
+    "libusb1==3.3.1",
+    "cryptography==45.0.6",
+    "PyYAML>=6.0.2",
+    "pyahocorasick==2.2.0",
+    "betterproto==1.2.5",
+    "pydantic==2.11.7",
+    "pydantic-settings==2.10.1",
+    "NSKeyedUnArchiver==1.5.2",
+    "python-dateutil==2.9.0.post0",
 ]
-requires-python = ">= 3.8"
+requires-python = ">= 3.10"
 
 [project.urls]
 homepage = "https://docs.mvt.re/en/latest/"

src/mvt/android/artifacts/settings.py

@@ -51,11 +51,6 @@ ANDROID_DANGEROUS_SETTINGS = [
         "key": "send_action_app_error",
         "safe_value": "1",
     },
-    {
-        "description": "enabled installation of non Google Play apps",
-        "key": "install_non_market_apps",
-        "safe_value": "0",
-    },
     {
         "description": "enabled accessibility services",
         "key": "accessibility_enabled",

src/mvt/android/artifacts/tombstone_crashes.py

@@ -8,6 +8,7 @@ from typing import List, Optional, Union
 
 import pydantic
 import betterproto
+from dateutil import parser
 
 from mvt.common.utils import convert_datetime_to_iso
 from mvt.android.parsers.proto.tombstone import Tombstone
@@ -254,12 +255,7 @@ class TombstoneCrashArtifact(AndroidArtifact):
 
     @staticmethod
     def _parse_timestamp_string(timestamp: str) -> str:
-        timestamp_date, timezone = timestamp.split("+")
-        # Truncate microseconds before parsing
-        timestamp_without_micro = timestamp_date.split(".")[0] + "+" + timezone
-        timestamp_parsed = datetime.datetime.strptime(
-            timestamp_without_micro, "%Y-%m-%d %H:%M:%S%z"
-        )
+        timestamp_parsed = parser.parse(timestamp)
 
         # HACK: Swap the local timestamp to UTC, so keep the original time and avoid timezone conversion.
         local_timestamp = timestamp_parsed.replace(tzinfo=datetime.timezone.utc)

src/mvt/android/modules/androidqf/__init__.py

@@ -19,6 +19,7 @@ from .processes import Processes
 from .settings import Settings
 from .sms import SMS
 from .files import Files
+from .root_binaries import RootBinaries
 
 ANDROIDQF_MODULES = [
     DumpsysActivities,
@@ -37,4 +38,5 @@ ANDROIDQF_MODULES = [
     SMS,
     DumpsysPackages,
     Files,
+    RootBinaries,
 ]

src/mvt/android/modules/androidqf/root_binaries.py

@@ -0,0 +1,121 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 The MVT Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import json
+import logging
+from typing import Optional
+
+from .base import AndroidQFModule
+
+
+class RootBinaries(AndroidQFModule):
+    """This module analyzes root_binaries.json for root binaries found by androidqf."""
+
+    def __init__(
+        self,
+        file_path: Optional[str] = None,
+        target_path: Optional[str] = None,
+        results_path: Optional[str] = None,
+        module_options: Optional[dict] = None,
+        log: logging.Logger = logging.getLogger(__name__),
+        results: Optional[list] = None,
+    ) -> None:
+        super().__init__(
+            file_path=file_path,
+            target_path=target_path,
+            results_path=results_path,
+            module_options=module_options,
+            log=log,
+            results=results,
+        )
+
+    def serialize(self, record: dict) -> dict:
+        return {
+            "timestamp": record.get("timestamp"),
+            "module": self.__class__.__name__,
+            "event": "root_binary_found",
+            "data": f"Root binary found: {record['path']} (binary: {record['binary_name']})",
+        }
+
+    def check_indicators(self) -> None:
+        """Check for indicators of device rooting."""
+        if not self.results:
+            return
+
+        # All found root binaries are considered indicators of rooting
+        for result in self.results:
+            self.log.warning(
+                'Found root binary "%s" at path "%s"',
+                result["binary_name"],
+                result["path"],
+            )
+            self.detected.append(result)
+
+        if self.detected:
+            self.log.warning(
+                "Device shows signs of rooting with %d root binaries found",
+                len(self.detected),
+            )
+
+    def run(self) -> None:
+        """Run the root binaries analysis."""
+        root_binaries_files = self._get_files_by_pattern("*/root_binaries.json")
+
+        if not root_binaries_files:
+            self.log.info("No root_binaries.json file found")
+            return
+
+        rawdata = self._get_file_content(root_binaries_files[0]).decode(
+            "utf-8", errors="ignore"
+        )
+
+        try:
+            root_binary_paths = json.loads(rawdata)
+        except json.JSONDecodeError as e:
+            self.log.error("Failed to parse root_binaries.json: %s", e)
+            return
+
+        if not isinstance(root_binary_paths, list):
+            self.log.error("Expected root_binaries.json to contain a list of paths")
+            return
+
+        # Known root binary names that might be found and their descriptions
+        # This maps the binary name to a human-readable description
+        known_root_binaries = {
+            "su": "SuperUser binary",
+            "busybox": "BusyBox utilities",
+            "supersu": "SuperSU root management",
+            "Superuser.apk": "Superuser app",
+            "KingoUser.apk": "KingRoot app",
+            "SuperSu.apk": "SuperSU app",
+            "magisk": "Magisk root framework",
+            "magiskhide": "Magisk hide utility",
+            "magiskinit": "Magisk init binary",
+            "magiskpolicy": "Magisk policy binary",
+        }
+
+        for path in root_binary_paths:
+            if not path or not isinstance(path, str):
+                continue
+
+            # Extract binary name from path
+            binary_name = path.split("/")[-1].lower()
+
+            # Check if this matches a known root binary by exact name match
+            description = "Unknown root binary"
+            for known_binary in known_root_binaries:
+                if binary_name == known_binary.lower():
+                    description = known_root_binaries[known_binary]
+                    break
+
+            result = {
+                "path": path.strip(),
+                "binary_name": binary_name,
+                "description": description,
+            }
+
+            self.results.append(result)
+
+        self.log.info("Found %d root binaries", len(self.results))

src/mvt/android/parsers/backup.py

@@ -231,6 +231,7 @@ def parse_sms_file(data):
             entry.pop("mms_body")
 
         body = entry.get("body", None)
+        message_links = None
         if body:
             message_links = check_for_links(entry["body"])
 

src/mvt/common/version.py

@@ -3,4 +3,4 @@
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
-MVT_VERSION = "2.6.0"
+MVT_VERSION = "2.6.1"

src/mvt/ios/data/ios_versions.json

@@ -1131,5 +1131,9 @@
     {
         "version": "18.5",
         "build": "22F76"
+    },
+    {
+        "version": "18.6",
+        "build": "22G86"
     }
 ]

src/mvt/ios/modules/mixed/global_preferences.py

@@ -43,6 +43,8 @@ class GlobalPreferences(IOSExtraction):
                     self.log.warning("Lockdown mode enabled")
                 else:
                     self.log.warning("Lockdown mode disabled")
+                return
+        self.log.warning("Lockdown mode disabled")
 
     def process_file(self, file_path: str) -> None:
         with open(file_path, "rb") as handle:

src/mvt/ios/modules/mixed/safari_browserstate.py

@@ -95,14 +95,17 @@ class SafariBrowserState(IOSExtraction):
             )
         except sqlite3.OperationalError:
             # Old version iOS <12 likely
-            cur.execute(
+            try:
+                cur.execute(
+                    """
+                    SELECT
+                        title, url, user_visible_url, last_viewed_time, session_data
+                    FROM tabs
+                    ORDER BY last_viewed_time;
                 """
-                SELECT
-                    title, url, user_visible_url, last_viewed_time, session_data
-                FROM tabs
-                ORDER BY last_viewed_time;
-            """
-            )
+                )
+            except sqlite3.OperationalError as e:
+                self.log.error(f"Error executing query: {e}")
 
         for row in cur:
             session_entries = []

src/mvt/ios/modules/mixed/tcc.py

@@ -116,13 +116,16 @@ class TCC(IOSExtraction):
                 )
                 db_version = "v2"
             except sqlite3.OperationalError:
-                cur.execute(
-                    """SELECT
-                    service, client, client_type, allowed,
-                    prompt_count
-                    FROM access;"""
-                )
-                db_version = "v1"
+                try:
+                    cur.execute(
+                        """SELECT
+                        service, client, client_type, allowed,
+                        prompt_count
+                        FROM access;"""
+                    )
+                    db_version = "v1"
+                except sqlite3.OperationalError as e:
+                    self.log.error(f"Error parsing TCC database: {e}")
 
         for row in cur:
             service = row[0]

tests/android/test_artifact_tombstones.py

@@ -64,4 +64,4 @@ class TestTombstoneCrashArtifact:
         # We often don't know the time offset for a log entry and so can't convert everything to UTC.
         # MVT should output the local time only:
         # So original 2023-04-12 12:32:40.518290770+0200 -> 2023-04-12 12:32:40.000000
-        assert tombstone_result.get("timestamp") == "2023-04-12 12:32:40.000000"
+        assert tombstone_result.get("timestamp") == "2023-04-12 12:32:40.518290"

tests/android_androidqf/test_root_binaries.py

@@ -0,0 +1,116 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 The MVT Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import logging
+from pathlib import Path
+
+import pytest
+
+from mvt.android.modules.androidqf.root_binaries import RootBinaries
+from mvt.common.module import run_module
+
+from ..utils import get_android_androidqf, list_files
+
+
+@pytest.fixture()
+def data_path():
+    return get_android_androidqf()
+
+
+@pytest.fixture()
+def parent_data_path(data_path):
+    return Path(data_path).absolute().parent.as_posix()
+
+
+@pytest.fixture()
+def file_list(data_path):
+    return list_files(data_path)
+
+
+@pytest.fixture()
+def module(parent_data_path, file_list):
+    m = RootBinaries(target_path=parent_data_path, log=logging)
+    m.from_folder(parent_data_path, file_list)
+    return m
+
+
+class TestAndroidqfRootBinaries:
+    def test_root_binaries_detection(self, module):
+        run_module(module)
+
+        # Should find 4 root binaries from the test file
+        assert len(module.results) == 4
+        assert len(module.detected) == 4
+
+        # Check that all results are detected as indicators
+        binary_paths = [result["path"] for result in module.results]
+        assert "/system/bin/su" in binary_paths
+        assert "/system/xbin/busybox" in binary_paths
+        assert "/data/local/tmp/magisk" in binary_paths
+        assert "/system/bin/magiskhide" in binary_paths
+
+    def test_root_binaries_descriptions(self, module):
+        run_module(module)
+
+        # Check that binary descriptions are correctly identified
+        su_result = next((r for r in module.results if "su" in r["binary_name"]), None)
+        assert su_result is not None
+        assert "SuperUser binary" in su_result["description"]
+
+        busybox_result = next(
+            (r for r in module.results if "busybox" in r["binary_name"]), None
+        )
+        assert busybox_result is not None
+        assert "BusyBox utilities" in busybox_result["description"]
+
+        magisk_result = next(
+            (r for r in module.results if r["binary_name"] == "magisk"), None
+        )
+        assert magisk_result is not None
+        assert "Magisk root framework" in magisk_result["description"]
+
+        magiskhide_result = next(
+            (r for r in module.results if "magiskhide" in r["binary_name"]), None
+        )
+        assert magiskhide_result is not None
+        assert "Magisk hide utility" in magiskhide_result["description"]
+
+    def test_root_binaries_warnings(self, caplog, module):
+        run_module(module)
+
+        # Check that warnings are logged for each root binary found
+        assert 'Found root binary "su" at path "/system/bin/su"' in caplog.text
+        assert (
+            'Found root binary "busybox" at path "/system/xbin/busybox"' in caplog.text
+        )
+        assert (
+            'Found root binary "magisk" at path "/data/local/tmp/magisk"' in caplog.text
+        )
+        assert (
+            'Found root binary "magiskhide" at path "/system/bin/magiskhide"'
+            in caplog.text
+        )
+        assert "Device shows signs of rooting with 4 root binaries found" in caplog.text
+
+    def test_serialize_method(self, module):
+        run_module(module)
+
+        # Test that serialize method works correctly
+        if module.results:
+            serialized = module.serialize(module.results[0])
+            assert serialized["module"] == "RootBinaries"
+            assert serialized["event"] == "root_binary_found"
+            assert "Root binary found:" in serialized["data"]
+
+    def test_no_root_binaries_file(self, parent_data_path):
+        # Test behavior when no root_binaries.json file is present
+        empty_file_list = []
+        m = RootBinaries(target_path=parent_data_path, log=logging)
+        m.from_folder(parent_data_path, empty_file_list)
+
+        run_module(m)
+
+        assert len(m.results) == 0
+        assert len(m.detected) == 0

tests/android_bugreport/test_bugreport.py

@@ -9,6 +9,7 @@ from pathlib import Path
 from mvt.android.modules.bugreport.appops import Appops
 from mvt.android.modules.bugreport.getprop import Getprop
 from mvt.android.modules.bugreport.packages import Packages
+from mvt.android.modules.bugreport.tombstones import Tombstones
 from mvt.common.module import run_module
 
 from ..utils import get_artifact_folder
@@ -54,3 +55,8 @@ class TestBugreportAnalysis:
     def test_getprop_module(self):
         m = self.launch_bug_report_module(Getprop)
         assert len(m.results) == 0
+
+    def test_tombstones_modules(self):
+        m = self.launch_bug_report_module(Tombstones)
+        assert len(m.results) == 2
+        assert m.results[1]["pid"] == 3559

tests/artifacts/android_data/bugreport/FS/data/tombstones/tombstone_00

@@ -0,0 +1,27 @@
+*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
+Build fingerprint: 'samsung/a10eea/a10:10/.190711.020/A105:user/release-keys'
+Revision: '5'
+ABI: 'arm'
+Timestamp: 2021-09-29 17:43:49+0200
+pid: 9850, tid: 9893, name: UsbFfs-worker  >>> /system/bin/adbd <<<
+uid: 2000
+signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
+Abort message: 'Check failed: payload.size() <= bytes_left (payload.size()=99, bytes_left=51) '
+    r0  00000000  r1  000026a5  r2  00000006  r3  f11fad98
+    r4  f11fadac  r5  f11fad90  r6  0000267a  r7  0000016b
+    r8  f11fada8  r9  f11fad98  r10 f11fadc8  r11 f11fadb8
+    ip  000026a5  sp  f11fad68  lr  f20c23b7  pc  f20c23ca
+
+backtrace:
+      #00 pc 000603ca  /apex/com.android.runtime/lib/bionic/libc.so (abort+166) (BuildId: 320fbdc2a1289fadd7dacae7f2eb77a3)
+      #01 pc 00007e23  /system/lib/libbase.so (android::base::DefaultAborter(char const*)+6) (BuildId: a28585ee446ea17e3e6fcf9c907fff2a)
+      #02 pc 0000855f  /system/lib/libbase.so (android::base::LogMessage::~LogMessage()+406) (BuildId: a28585ee446ea17e3e6fcf9c907fff2a)
+      #03 pc 000309cf  /system/lib/libadbd.so (UsbFfsConnection::ProcessRead(IoBlock*)+814) (BuildId: 3645b175977ae210c156a57b25dfa599)
+      #04 pc 00030459  /system/lib/libadbd.so (UsbFfsConnection::HandleRead(TransferId, long long)+84) (BuildId: 3645b175977ae210c156a57b25dfa599)
+      #05 pc 00030349  /system/lib/libadbd.so (UsbFfsConnection::ReadEvents()+92) (BuildId: 3645b175977ae210c156a57b25dfa599)
+      #06 pc 00030169  /system/lib/libadbd.so (_ZZN16UsbFfsConnection11StartWorkerEvENKUlvE_clEv+504) (BuildId: 3645b175977ae210c156a57b25dfa599)
+      #07 pc 0002ff53  /system/lib/libadbd.so (_ZNSt3__114__thread_proxyINS_5tupleIJNS_10unique_ptrINS_15__thread_structENS_14default_deleteIS3_EEEEZN16UsbFfsConnection11StartWorkerEvEUlvE_EEEEEPvSA_+26) (BuildId: 3645b175977ae210c156a57b25dfa599)
+      #08 pc 000a75b3  /apex/com.android.runtime/lib/bionic/libc.so (__pthread_start(void*)+20) (BuildId: 320fbdc2a1289fadd7dacae7f2eb77a3)
+      #09 pc 00061b33  /apex/com.android.runtime/lib/bionic/libc.so (__start_thread+30) (BuildId: 320fbdc2a1289fadd7dacae7f2eb77a3)
+
+

tests/artifacts/android_data/bugreport/FS/data/tombstones/tombstone_01

@@ -0,0 +1,38 @@
+*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
+Build fingerprint: 'samsung/a10eea/a10:11/RP1A.200720.012/A105:user/release-keys'
+Revision: '5'
+ABI: 'arm'
+Timestamp: 2023-08-21 23:28:59-0400
+pid: 3559, tid: 3568, name: tzts_daemon  >>> /vendor/bin/tzts_daemon <<<
+uid: 1000
+signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xe8b4d14c
+    r0  e8b4d14c  r1  e8b4d14c  r2  0000002b  r3  00000004
+    r4  00000000  r5  e8b4d14c  r6  00000000  r7  00000000
+    r8  e7ef78b0  r9  0000002b  r10 e7ef7dad  r11 e7ef7400
+    ip  00000000  sp  e7ef7208  lr  e89f4b01  pc  e89c273a
+
+backtrace:
+      #00 pc 0005f73a  /apex/com.android.runtime/lib/bionic/libc.so (strlen_a15+54) (BuildId: fef5b751123147ea65bf3f4f798c9518)
+      #01 pc 00091afd  /apex/com.android.runtime/lib/bionic/libc.so (__vfprintf+3364) (BuildId: fef5b751123147ea65bf3f4f798c9518)
+      #02 pc 000a68e5  /apex/com.android.runtime/lib/bionic/libc.so (vsnprintf+152) (BuildId: fef5b751123147ea65bf3f4f798c9518)
+      #03 pc 000051cf  /system/lib/liblog.so (__android_log_vprint+74) (BuildId: 3fcead474cd0ecbdafb529ff176b0d13)
+      #04 pc 000012e8  /vendor/bin/tzts_daemon
+
+memory near r0:
+    e8b4d12c -------- -------- -------- --------  ................
+    e8b4d13c -------- -------- -------- --------  ................
+    e8b4d14c -------- -------- -------- --------  ................
+    e8b4d15c -------- -------- -------- --------  ................
+    e8b4d16c -------- -------- -------- --------  ................
+    e8b4d17c -------- -------- -------- --------  ................
+    e8b4d18c -------- -------- -------- --------  ................
+    e8b4d19c -------- -------- -------- --------  ................
+    e8b4d1ac -------- -------- -------- --------  ................
+    e8b4d1bc -------- -------- -------- --------  ................
+    e8b4d1cc -------- -------- -------- --------  ................
+    e8b4d1dc -------- -------- -------- --------  ................
+    e8b4d1ec -------- -------- -------- --------  ................
+    e8b4d1fc -------- -------- -------- --------  ................
+    e8b4d20c -------- -------- -------- --------  ................
+    e8b4d21c -------- -------- -------- --------  ................
+

tests/artifacts/androidqf/root_binaries.json

@@ -0,0 +1,6 @@
+[
+    "/system/bin/su",
+    "/system/xbin/busybox",
+    "/data/local/tmp/magisk",
+    "/system/bin/magiskhide"
+]

tests/common/test_utils.py

@@ -62,7 +62,7 @@ class TestHashes:
     def test_hash_from_folder(self):
         path = os.path.join(get_artifact_folder(), "androidqf")
         hashes = list(generate_hashes_from_path(path, logging))
-        assert len(hashes) == 7
+        assert len(hashes) == 8
         # Sort the files to have reliable order for tests.
         hashes = sorted(hashes, key=lambda x: x["file_path"])
         assert hashes[0]["file_path"] == os.path.join(path, "backup.ab")