fix tombstone unpack parsing bug

there were characters in the revision field

.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "pip" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"

Makefile

@@ -23,7 +23,7 @@ install:
 	python3 -m pip install --upgrade -e .
 
 test-requirements:
-	python3 -m pip install --upgrade -r test-requirements.txt
+	python3 -m pip install --upgrade --group dev
 
 generate-proto-parsers:
 	# Generate python parsers for protobuf files

docs/requirements.txt

@@ -1,5 +1,5 @@
 mkdocs==1.6.1
-mkdocs-autorefs==1.2.0
+mkdocs-autorefs==1.4.3
-mkdocs-material==9.5.42
+mkdocs-material==9.6.20
 mkdocs-material-extensions==1.3.1
-mkdocstrings==0.23.0
+mkdocstrings==0.30.1

pyproject.toml

@@ -1,13 +1,11 @@
 [project]
 name = "mvt"
 dynamic = ["version"]
-authors = [
+authors = [{ name = "Claudio Guarnieri", email = "nex@nex.sx" }]
-    {name = "Claudio Guarnieri", email = "nex@nex.sx"}
-]
 maintainers = [
-    {name = "Etienne Maynier", email = "tek@randhome.io"},
+    { name = "Etienne Maynier", email = "tek@randhome.io" },
-    {name = "Donncha Ó Cearbhaill", email = "donncha.ocearbhaill@amnesty.org"},
+    { name = "Donncha Ó Cearbhaill", email = "donncha.ocearbhaill@amnesty.org" },
-    {name = "Rory Flynn", email = "rory.flynn@amnesty.org"}
+    { name = "Rory Flynn", email = "rory.flynn@amnesty.org" },
 ]
 description = "Mobile Verification Toolkit"
 readme = "README.md"
@@ -16,27 +14,28 @@ classifiers = [
     "Development Status :: 5 - Production/Stable",
     "Intended Audience :: Information Technology",
     "Operating System :: OS Independent",
-    "Programming Language :: Python"
+    "Programming Language :: Python",
 ]
 dependencies = [
     "click==8.2.1",
-    "rich==14.0.0",
+    "rich==14.1.0",
     "tld==0.13.1",
-    "requests==2.32.2",
+    "requests==2.32.4",
     "simplejson==3.20.1",
     "packaging==25.0",
     "appdirs==1.4.4",
     "iOSbackup==0.9.925",
     "adb-shell[usb]==0.4.4",
     "libusb1==3.3.1",
-    "cryptography==45.0.3",
+    "cryptography==45.0.6",
     "PyYAML>=6.0.2",
-    "pyahocorasick==2.1.0",
+    "pyahocorasick==2.2.0",
     "betterproto==1.2.5",
-    "pydantic==2.11.5",
+    "pydantic==2.11.7",
-    "pydantic-settings==2.9.1",
+    "pydantic-settings==2.10.1",
     "NSKeyedUnArchiver==1.5.2",
     "python-dateutil==2.9.0.post0",
+    "tzdata==2025.2",
 ]
 requires-python = ">= 3.10"
 
@@ -45,20 +44,31 @@ homepage = "https://docs.mvt.re/en/latest/"
 repository = "https://github.com/mvt-project/mvt"
 
 [project.scripts]
-    mvt-ios = "mvt.ios:cli"
+mvt-ios = "mvt.ios:cli"
-    mvt-android = "mvt.android:cli"
+mvt-android = "mvt.android:cli"
+
+[dependency-groups]
+dev = [
+    "requests>=2.31.0",
+    "pytest>=7.4.3",
+    "pytest-cov>=4.1.0",
+    "pytest-github-actions-annotate-failures>=0.2.0",
+    "pytest-mock>=3.14.0",
+    "stix2>=3.0.1",
+    "ruff>=0.1.6",
+    "mypy>=1.7.1",
+    "betterproto[compiler]",
+]
 
 [build-system]
 requires = ["setuptools>=61.0"]
 build-backend = "setuptools.build_meta"
 
 [tool.coverage.run]
-omit = [
+omit = ["tests/*"]
-    "tests/*",
-]
 
 [tool.coverage.html]
-directory= "htmlcov"
+directory = "htmlcov"
 
 [tool.mypy]
 install_types = true
@@ -68,15 +78,13 @@ packages = "src"
 
 [tool.pytest.ini_options]
 addopts = "-ra -q --cov=mvt --cov-report html --junitxml=pytest.xml --cov-report=term-missing:skip-covered"
-testpaths = [
+testpaths = ["tests"]
-    "tests"
-]
 
 [tool.ruff.lint]
-select = ["C90", "E", "F", "W"]  # flake8 default set
+select = ["C90", "E", "F", "W"] # flake8 default set
 ignore = [
-    "E501",  # don't enforce line length violations
+    "E501", # don't enforce line length violations
-    "C901",  # complex-structure
+    "C901", # complex-structure
 
     # These were previously ignored but don't seem to be required:
     # "E265",  # no-space-after-block-comment
@@ -88,14 +96,14 @@ ignore = [
 ]
 
 [tool.ruff.lint.per-file-ignores]
-"__init__.py" = ["F401"]  # unused-import
+"__init__.py" = ["F401"] # unused-import
 
 [tool.ruff.lint.mccabe]
 max-complexity = 10
 
 [tool.setuptools]
 include-package-data = true
-package-dir = {"" = "src"}
+package-dir = { "" = "src" }
 
 [tool.setuptools.packages.find]
 where = ["src"]
@@ -104,4 +112,4 @@ where = ["src"]
 mvt = ["ios/data/*.json"]
 
 [tool.setuptools.dynamic]
-version = {attr = "mvt.common.version.MVT_VERSION"}
+version = { attr = "mvt.common.version.MVT_VERSION" }

src/mvt/android/artifacts/settings.py

@@ -51,11 +51,6 @@ ANDROID_DANGEROUS_SETTINGS = [
         "key": "send_action_app_error",
         "safe_value": "1",
     },
-    {
-        "description": "enabled installation of non Google Play apps",
-        "key": "install_non_market_apps",
-        "safe_value": "0",
-    },
     {
         "description": "enabled accessibility services",
         "key": "accessibility_enabled",

src/mvt/android/artifacts/tombstone_crashes.py

@@ -53,7 +53,7 @@ class TombstoneCrashResult(pydantic.BaseModel):
     file_name: str
     file_timestamp: str  # We store the timestamp as a string to avoid timezone issues
     build_fingerprint: str
-    revision: int
+    revision: str
     arch: Optional[str] = None
     timestamp: str  # We store the timestamp as a string to avoid timezone issues
     process_uptime: Optional[int] = None
@@ -70,7 +70,7 @@ class TombstoneCrashResult(pydantic.BaseModel):
 
 
 class TombstoneCrashArtifact(AndroidArtifact):
-    """ "
+    """
     Parser for Android tombstone crash files.
 
     This parser can parse both text and protobuf tombstone crash files.
@@ -121,9 +121,7 @@ class TombstoneCrashArtifact(AndroidArtifact):
     def parse_protobuf(
         self, file_name: str, file_timestamp: datetime.datetime, data: bytes
     ) -> None:
-        """
+        """Parse Android tombstone crash files from a protobuf object."""
-        Parse Android tombstone crash files from a protobuf object.
-        """
         tombstone_pb = Tombstone().parse(data)
         tombstone_dict = tombstone_pb.to_dict(
             betterproto.Casing.SNAKE, include_default_values=True
@@ -144,21 +142,23 @@ class TombstoneCrashArtifact(AndroidArtifact):
     def parse(
         self, file_name: str, file_timestamp: datetime.datetime, content: bytes
     ) -> None:
-        """
+        """Parse text Android tombstone crash files."""
-        Parse text Android tombstone crash files.
-        """
-
-        # Split the tombstone file into a dictonary
         tombstone_dict = {
             "file_name": file_name,
             "file_timestamp": convert_datetime_to_iso(file_timestamp),
         }
         lines = content.decode("utf-8").splitlines()
-        for line in lines:
+        for line_num, line in enumerate(lines, 1):
             if not line.strip() or TOMBSTONE_DELIMITER in line:
                 continue
-            for key, destination_key in TOMBSTONE_TEXT_KEY_MAPPINGS.items():
+            try:
-                self._parse_tombstone_line(line, key, destination_key, tombstone_dict)
+                for key, destination_key in TOMBSTONE_TEXT_KEY_MAPPINGS.items():
+                    if self._parse_tombstone_line(
+                        line, key, destination_key, tombstone_dict
+                    ):
+                        break
+            except Exception as e:
+                raise ValueError(f"Error parsing line {line_num}: {str(e)}")
 
         # Validate the tombstone and add it to the results
         tombstone = TombstoneCrashResult.model_validate(tombstone_dict)
@@ -168,7 +168,7 @@ class TombstoneCrashArtifact(AndroidArtifact):
         self, line: str, key: str, destination_key: str, tombstone: dict
     ) -> bool:
         if not line.startswith(f"{key}"):
-            return None
+            return False
 
         if key == "pid":
             return self._load_pid_line(line, tombstone)
@@ -187,7 +187,7 @@ class TombstoneCrashArtifact(AndroidArtifact):
             raise ValueError(f"Expected key {key}, got {line_key}")
 
         value_clean = value.strip().strip("'")
-        if destination_key in ["uid", "revision"]:
+        if destination_key == "uid":
             tombstone[destination_key] = int(value_clean)
         elif destination_key == "process_uptime":
             # eg. "Process uptime: 40s"
@@ -200,51 +200,50 @@ class TombstoneCrashArtifact(AndroidArtifact):
         return True
 
     def _load_pid_line(self, line: str, tombstone: dict) -> bool:
-        pid_part, tid_part, name_part = [part.strip() for part in line.split(",")]
+        try:
+            parts = line.split(" >>> ") if " >>> " in line else line.split(">>>")
+            process_info = parts[0]
 
-        pid_key, pid_value = pid_part.split(":", 1)
+            # Parse pid, tid, name from process info
-        if pid_key != "pid":
+            info_parts = [p.strip() for p in process_info.split(",")]
-            raise ValueError(f"Expected key pid, got {pid_key}")
+            for info in info_parts:
-        pid_value = int(pid_value.strip())
+                key, value = info.split(":", 1)
+                key = key.strip()
+                value = value.strip()
 
-        tid_key, tid_value = tid_part.split(":", 1)
+                if key == "pid":
-        if tid_key != "tid":
+                    tombstone["pid"] = int(value)
-            raise ValueError(f"Expected key tid, got {tid_key}")
+                elif key == "tid":
-        tid_value = int(tid_value.strip())
+                    tombstone["tid"] = int(value)
+                elif key == "name":
+                    tombstone["process_name"] = value
 
-        name_key, name_value = name_part.split(":", 1)
+            # Extract binary path if it exists
-        if name_key != "name":
+            if len(parts) > 1:
-            raise ValueError(f"Expected key name, got {name_key}")
+                tombstone["binary_path"] = parts[1].strip().rstrip(" <")
-        name_value = name_value.strip()
-        process_name, binary_path = self._parse_process_name(name_value, tombstone)
 
-        tombstone["pid"] = pid_value
+            return True
-        tombstone["tid"] = tid_value
-        tombstone["process_name"] = process_name
-        tombstone["binary_path"] = binary_path
-        return True
 
-    def _parse_process_name(self, process_name_part, tombstone: dict) -> bool:
+        except Exception as e:
-        process_name, process_path = process_name_part.split(">>>")
+            raise ValueError(f"Failed to parse PID line: {str(e)}")
-        process_name = process_name.strip()
-        binary_path = process_path.strip().split(" ")[0]
-        return process_name, binary_path
 
     def _load_signal_line(self, line: str, tombstone: dict) -> bool:
-        signal, code, _ = [part.strip() for part in line.split(",", 2)]
+        signal_part, code_part = map(str.strip, line.split(",")[:2])
-        signal = signal.split("signal ")[1]
-        signal_code, signal_name = signal.split(" ")
-        signal_name = signal_name.strip("()")
 
-        code_part = code.split("code ")[1]
+        def parse_part(part: str, prefix: str) -> tuple[int, str]:
-        code_number, code_name = code_part.split(" ")
+            match = part.split(prefix)[1]
-        code_name = code_name.strip("()")
+            number = int(match.split()[0])
+            name = match.split("(")[1].split(")")[0] if "(" in match else "UNKNOWN"
+            return number, name
+
+        signal_number, signal_name = parse_part(signal_part, "signal ")
+        code_number, code_name = parse_part(code_part, "code ")
 
         tombstone["signal_info"] = {
-            "code": int(code_number),
+            "code": code_number,
             "code_name": code_name,
             "name": signal_name,
-            "number": int(signal_code),
+            "number": signal_number,
         }
         return True
 
@@ -256,7 +255,6 @@ class TombstoneCrashArtifact(AndroidArtifact):
     @staticmethod
     def _parse_timestamp_string(timestamp: str) -> str:
         timestamp_parsed = parser.parse(timestamp)
-
         # HACK: Swap the local timestamp to UTC, so keep the original time and avoid timezone conversion.
         local_timestamp = timestamp_parsed.replace(tzinfo=datetime.timezone.utc)
         return convert_datetime_to_iso(local_timestamp)

src/mvt/android/modules/adb/packages.py

@@ -107,8 +107,7 @@ class Packages(AndroidExtraction):
                     result["matched_indicator"] = ioc
                     self.detected.append(result)
 
-    @staticmethod
+    def check_virustotal(self, packages: list) -> None:
-    def check_virustotal(packages: list) -> None:
         hashes = []
         for package in packages:
             for file in package.get("files", []):
@@ -143,8 +142,15 @@ class Packages(AndroidExtraction):
 
         for package in packages:
             for file in package.get("files", []):
-                row = [package["package_name"], file["path"]]
+                if "package_name" in package:
-
+                    row = [package["package_name"], file["path"]]
+                elif "name" in package:
+                    row = [package["name"], file["path"]]
+                else:
+                    self.log.error(
+                        f"Package {package} has no name or package_name. packages.json or apks.json is malformed"
+                    )
+                    continue
                 if file["sha256"] in detections:
                     detection = detections[file["sha256"]]
                     positives = detection.split("/")[0]

src/mvt/android/parsers/backup.py

@@ -231,6 +231,7 @@ def parse_sms_file(data):
             entry.pop("mms_body")
 
         body = entry.get("body", None)
+        message_links = None
         if body:
             message_links = check_for_links(entry["body"])
 

src/mvt/ios/data/ios_versions.json

@@ -895,6 +895,10 @@
         "version": "15.8.4",
         "build": "19H390"
     },
+    {
+        "version": "15.8.5",
+        "build": "19H394"
+    },
     {
         "build": "20A362",
         "version": "16.0"
@@ -1000,6 +1004,10 @@
         "version": "16.7.11",
         "build": "20H360"
     },
+    {
+        "version": "16.7.12",
+        "build": "20H364"
+    },
     {
         "version": "17.0",
         "build": "21A327"
@@ -1131,5 +1139,29 @@
     {
         "version": "18.5",
         "build": "22F76"
+    },
+    {
+        "version": "18.6",
+        "build": "22G86"
+    },
+    {
+        "version": "18.6.1",
+        "build": "22G90"
+    },
+    {
+        "version": "18.6.2",
+        "build": "22G100"
+    },
+    {
+        "version": "18.7",
+        "build": "22H20"
+    },
+    {
+        "version": "26",
+        "build": "23A341"
+    },
+    {
+        "version": "26.0.1",
+        "build": "23A355"
     }
 ]

src/mvt/ios/modules/mixed/global_preferences.py

@@ -43,6 +43,8 @@ class GlobalPreferences(IOSExtraction):
                     self.log.warning("Lockdown mode enabled")
                 else:
                     self.log.warning("Lockdown mode disabled")
+                return
+        self.log.warning("Lockdown mode disabled")
 
     def process_file(self, file_path: str) -> None:
         with open(file_path, "rb") as handle:

src/mvt/ios/modules/mixed/safari_browserstate.py

@@ -95,14 +95,17 @@ class SafariBrowserState(IOSExtraction):
             )
         except sqlite3.OperationalError:
             # Old version iOS <12 likely
-            cur.execute(
+            try:
+                cur.execute(
+                    """
+                    SELECT
+                        title, url, user_visible_url, last_viewed_time, session_data
+                    FROM tabs
+                    ORDER BY last_viewed_time;
                 """
-                SELECT
+                )
-                    title, url, user_visible_url, last_viewed_time, session_data
+            except sqlite3.OperationalError as e:
-                FROM tabs
+                self.log.error(f"Error executing query: {e}")
-                ORDER BY last_viewed_time;
-            """
-            )
 
         for row in cur:
             session_entries = []

src/mvt/ios/modules/mixed/tcc.py

@@ -116,13 +116,16 @@ class TCC(IOSExtraction):
                 )
                 db_version = "v2"
             except sqlite3.OperationalError:
-                cur.execute(
+                try:
-                    """SELECT
+                    cur.execute(
-                    service, client, client_type, allowed,
+                        """SELECT
-                    prompt_count
+                        service, client, client_type, allowed,
-                    FROM access;"""
+                        prompt_count
-                )
+                        FROM access;"""
-                db_version = "v1"
+                    )
+                    db_version = "v1"
+                except sqlite3.OperationalError as e:
+                    self.log.error(f"Error parsing TCC database: {e}")
 
         for row in cur:
             service = row[0]

test-requirements.txt

@@ -1,9 +0,0 @@
-requests>=2.31.0
-pytest>=7.4.3
-pytest-cov>=4.1.0
-pytest-github-actions-annotate-failures>=0.2.0
-pytest-mock>=3.14.0
-stix2>=3.0.1
-ruff>=0.1.6
-mypy>=1.7.1
-betterproto[compiler]