Bumped version

Dockerfile improvements, support arm64 builds

Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:20.04
+FROM ubuntu:22.04
 
 # Ref. https://github.com/mvt-project/mvt
 
@@ -7,13 +7,12 @@ LABEL vcs-url="https://github.com/mvt-project/mvt"
 LABEL description="MVT is a forensic tool to look for signs of infection in smartphone devices."
 
 ENV PIP_NO_CACHE_DIR=1
+ENV DEBIAN_FRONTEND=noninteractive
 
 # Fixing major OS dependencies
 # ----------------------------
 RUN apt update \
-  && apt install -y python3 python3-pip libusb-1.0-0-dev \
-  && apt install -y wget unzip\ 
-  && DEBIAN_FRONTEND=noninteractive apt-get -y install default-jre-headless \
+  && apt install -y python3 python3-pip libusb-1.0-0-dev wget unzip default-jre-headless adb \
 
 # Install build tools for libimobiledevice
 # ----------------------------------------
@@ -67,18 +66,9 @@ RUN mkdir /opt/abe \
 # Create alias for abe
   && echo 'alias abe="java -jar /opt/abe/abe.jar"' >> ~/.bashrc
 
-# Install Android Platform Tools 
-# ------------------------------ 
-
-RUN mkdir /opt/android \
-  && wget -q https://dl.google.com/android/repository/platform-tools-latest-linux.zip \
-  && unzip platform-tools-latest-linux.zip -d /opt/android \
-# Create alias for adb 
-  && echo 'alias adb="/opt/android/platform-tools/adb"' >> ~/.bashrc 
-
 # Generate adb key folder 
 # ------------------------------ 
-RUN mkdir /root/.android && /opt/android/platform-tools/adb keygen /root/.android/adbkey
+RUN mkdir /root/.android && adb keygen /root/.android/adbkey
 
 # Setup investigations environment
 # --------------------------------

docs/docker.md

@@ -1,4 +1,4 @@
-Using Docker simplifies having all the required dependencies and tools (including most recent versions of [libimobiledevice](https://libimobiledevice.org)) readily installed.
+Using Docker simplifies having all the required dependencies and tools (including most recent versions of [libimobiledevice](https://libimobiledevice.org)) readily installed. Note that this requires a Linux host, as Docker for Windows and Mac [doesn't support passing through USB devices](https://docs.docker.com/desktop/faqs/#can-i-pass-through-a-usb-device-to-a-container).
 
 Install Docker following the [official documentation](https://docs.docker.com/get-docker/).
 
@@ -10,11 +10,6 @@ cd mvt
 docker build -t mvt .
 ```
 
-Optionally, you may need to specify your platform to Docker in order to build successfully (Apple M1)
-```bash
-docker build --platform amd64 -t mvt .
-```
-
 Test if the image was created successfully:
 
 ```bash

mvt/android/modules/adb/packages.py

@@ -71,6 +71,16 @@ SECURITY_PACKAGES = [
     "com.samsung.android.app.omcagent",
     "com.samsung.android.securitylogagent",
     "com.sec.android.soagent",
+]
+SYSTEM_UPDATE_PACKAGES = [
+    "com.android.updater",
+    "com.google.android.gms",
+    "com.huawei.android.hwouc",
+    "com.lge.lgdmsclient",
+    "com.motorola.ccc.ota",
+    "com.oneplus.opbackup",
+    "com.oppo.ota",
+    "com.transsion.systemupdate",
     "com.wssyncmldm",
 ]
 
@@ -133,6 +143,10 @@ class Packages(AndroidExtraction):
                 self.log.warning("Found a security package disabled: \"%s\"",
                                  result["package_name"])
 
+            if result["package_name"] in SYSTEM_UPDATE_PACKAGES and result["disabled"]:
+                self.log.warning("System OTA update package \"%s\" disabled on the phone",
+                                 result["package_name"])
+
             if not self.indicators:
                 continue
 

mvt/android/modules/androidqf/__init__.py

@@ -6,10 +6,13 @@
 from .dumpsys_accessibility import DumpsysAccessibility
 from .dumpsys_activities import DumpsysActivities
 from .dumpsys_appops import DumpsysAppops
+from .dumpsys_packages import DumpsysPackages
 from .dumpsys_receivers import DumpsysReceivers
 from .getprop import Getprop
 from .processes import Processes
 from .settings import Settings
+from .sms import SMS
 
 ANDROIDQF_MODULES = [DumpsysActivities, DumpsysReceivers, DumpsysAccessibility,
-                     DumpsysAppops, Processes, Getprop, Settings]
+                     DumpsysAppops, Processes, Getprop, Settings, SMS,
+                     DumpsysPackages]

mvt/android/modules/androidqf/sms.py

@@ -0,0 +1,85 @@
+# Mobile Verification Toolkit (MVT) - Private
+# Copyright (c) 2021-2022 Claudio Guarnieri.
+# This file is part of MVT Private and its content is confidential.
+# Please refer to the project maintainers before sharing with others.
+
+import getpass
+import logging
+from typing import Optional
+
+from mvt.android.parsers.backup import (AndroidBackupParsingError,
+                                        InvalidBackupPassword, parse_ab_header,
+                                        parse_backup_file, parse_tar_for_sms)
+
+from .base import AndroidQFModule
+
+
+class SMS(AndroidQFModule):
+    """This module analyse SMS file in backup"""
+
+    def __init__(
+        self,
+        file_path: Optional[str] = None,
+        target_path: Optional[str] = None,
+        results_path: Optional[str] = None,
+        fast_mode: Optional[bool] = False,
+        log: logging.Logger = logging.getLogger(__name__),
+        results: Optional[list] = None
+    ) -> None:
+        super().__init__(file_path=file_path, target_path=target_path,
+                         results_path=results_path, fast_mode=fast_mode,
+                         log=log, results=results)
+
+    def check_indicators(self) -> None:
+        if not self.indicators:
+            return
+
+        for message in self.results:
+            if "body" not in message:
+                continue
+
+            if self.indicators.check_domains(message["links"]):
+                self.detected.append(message)
+
+    def parse_backup(self, data):
+        header = parse_ab_header(data)
+        if not header["backup"]:
+            self.log.critical("Invalid backup format, backup.ab was not analysed")
+            return
+
+        password = None
+        if header["encryption"] != "none":
+            password = getpass.getpass(prompt="Backup Password: ", stream=None)
+        try:
+            tardata = parse_backup_file(data, password=password)
+        except InvalidBackupPassword:
+            self.log.critical("Invalid backup password")
+            return
+        except AndroidBackupParsingError:
+            self.log.critical("Impossible to parse this backup file, please use"
+                              " Android Backup Extractor instead")
+            return
+
+        if not tardata:
+            return
+
+        try:
+            self.results = parse_tar_for_sms(tardata)
+        except AndroidBackupParsingError:
+            self.log.info("Impossible to read SMS from the Android Backup, "
+                          "please extract the SMS and try extracting it with "
+                          "Android Backup Extractor")
+            return
+
+    def run(self) -> None:
+        files = self._get_files_by_pattern("*/backup.ab")
+        if not files:
+            self.log.info("No backup data found")
+            return
+
+        with open(files[0], "rb") as handle:
+            data = handle.read()
+
+        self.parse_backup(data)
+        self.log.info("Identified %d SMS in backup data",
+                      len(self.results))

mvt/common/logo.py

@@ -19,7 +19,7 @@ def check_updates() -> None:
     else:
         if latest_version:
             rich_print(f"\t\t[bold]Version {latest_version} is available! "
-                       "Upgrade mvt![/bold]")
+                       "Upgrade mvt with `pip3 install -U mvt`[/bold]")
 
     # Then we check for indicators files updates.
     ioc_updates = IndicatorsUpdates()

mvt/common/version.py

@@ -3,4 +3,4 @@
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
-MVT_VERSION = "2.2"
+MVT_VERSION = "2.2.1"

mvt/ios/modules/base.py

@@ -169,7 +169,7 @@ class IOSExtraction(MVTModule):
                     file_path = self._get_backup_file_from_id(backup_id)
                     if file_path:
                         break
-            
+
             if root_paths:
                 # If this file does not exist we might be processing a full
                 # filesystem dump (checkra1n all the things!).

mvt/ios/versions.py

@@ -42,6 +42,9 @@ IPHONE_MODELS = [
     {"identifier": "iPhone14,5", "description": "iPhone 13"},
     {"identifier": "iPhone14,2", "description": "iPhone 13 Pro"},
     {"identifier": "iPhone14,3", "description": "iPhone 13 Pro Max"},
+    {"identifier": "iPhone14,8", "decription": "iPhone 14 Plus"},
+    {"identifier": "iPhone15,2", "description": "iPhone 14 Pro"},
+    {"identifier": "iPhone15,3", "description": "iPhone 14 Pro Max"}
 ]
 
 IPHONE_IOS_VERSIONS = [
@@ -245,6 +248,8 @@ IPHONE_IOS_VERSIONS = [
     {"build": "19G82", "version": "15.6.1"},
     {"build": "19H12", "version": "15.7"},
     {"build": "20A362", "version": "16.0"},
+    {"build": "20B82", "version": "16.1"},
+    {"build": "20B101", "version": "16.1.1"}
 ]
 
 

setup.cfg

@@ -22,16 +22,16 @@ include_package_data = True
 python_requires = >= 3.8
 install_requires =
     click >=8.1.3
-    rich >=12.4.4
+    rich >=12.6.0
     tld >=0.12.6
     requests >=2.28.1
     simplejson >=3.17.6
     packaging >=21.3
     appdirs >=1.4.4
-    iOSbackup >=0.9.921
+    iOSbackup >=0.9.923
     adb-shell >=0.4.3
     libusb1 >=3.0.0
-    cryptography >=37.0.4
+    cryptography >=38.0.1
     pyyaml >=6.0
 
 [options.packages.find]

tests/android_androidqf/test_dumpsysaccessbility.py

@@ -0,0 +1,22 @@
+# Mobile Verification Toolkit (MVT) - Private
+# Copyright (c) 2021-2022 Claudio Guarnieri.
+# This file is part of MVT Private and its content is confidential.
+# Please refer to the project maintainers before sharing with others.
+
+import logging
+
+from mvt.common.module import run_module
+
+from mvt.android.modules.androidqf.dumpsys_accessibility import \
+    DumpsysAccessibility
+
+from ..utils import get_android_androidqf
+
+
+class TestDumpsysAccessibilityModule:
+    def test_parsing(self):
+        data_path = get_android_androidqf()
+        m = DumpsysAccessibility(target_path=data_path)
+        run_module(m)
+        assert len(m.results) == 4
+        assert len(m.detected) == 0

tests/android_androidqf/test_dumpsysappops.py

@@ -0,0 +1,22 @@
+# Mobile Verification Toolkit (MVT) - Private
+# Copyright (c) 2021-2022 Claudio Guarnieri.
+# This file is part of MVT Private and its content is confidential.
+# Please refer to the project maintainers before sharing with others.
+
+import logging
+
+from mvt.common.module import run_module
+
+from mvt.android.modules.androidqf.dumpsys_appops import DumpsysAppops
+
+from ..utils import get_android_androidqf
+
+
+class TestDumpsysAppOpsModule:
+    def test_parsing(self):
+        data_path = get_android_androidqf()
+        m = DumpsysAppops(target_path=data_path)
+        run_module(m)
+        assert len(m.results) == 12
+        assert len(m.timeline) == 16
+        assert len(m.detected) == 0

tests/android_androidqf/test_dumpsyspackages.py

@@ -0,0 +1,37 @@
+# Mobile Verification Toolkit (MVT) - Private
+# Copyright (c) 2021-2022 Claudio Guarnieri.
+# This file is part of MVT Private and its content is confidential.
+# Please refer to the project maintainers before sharing with others.
+
+import logging
+
+from mvt.common.indicators import Indicators
+from mvt.common.module import run_module
+
+from mvt.android.modules.androidqf.dumpsys_packages import DumpsysPackages
+
+from ..utils import get_android_androidqf
+
+
+class TestDumpsysPackagesModule:
+    def test_parsing(self):
+        data_path = get_android_androidqf()
+        m = DumpsysPackages(target_path=data_path)
+        run_module(m)
+        assert len(m.results) == 2
+        assert len(m.detected) == 0
+        assert len(m.timeline) == 6
+        assert m.results[0]["package_name"] == "com.samsung.android.provider.filterprovider"
+
+    def test_detection_pkgname(self, indicator_file):
+        data_path = get_android_androidqf()
+        m = DumpsysPackages(target_path=data_path)
+        ind = Indicators(log=logging.getLogger())
+        ind.parse_stix2(indicator_file)
+        ind.ioc_collections[0]["app_ids"].append("com.sec.android.app.DataCreate")
+        m.indicators = ind
+        run_module(m)
+        assert len(m.results) == 2
+        assert len(m.detected) == 1
+        assert len(m.timeline) == 6
+        assert m.detected[0]["package_name"] == "com.sec.android.app.DataCreate"

tests/android_androidqf/test_dumpsysreceivers.py

@@ -0,0 +1,21 @@
+# Mobile Verification Toolkit (MVT) - Private
+# Copyright (c) 2021-2022 Claudio Guarnieri.
+# This file is part of MVT Private and its content is confidential.
+# Please refer to the project maintainers before sharing with others.
+
+import logging
+
+from mvt.common.module import run_module
+
+from mvt.android.modules.androidqf.dumpsys_receivers import DumpsysReceivers
+
+from ..utils import get_android_androidqf
+
+
+class TestDumpsysReceiversModule:
+    def test_parsing(self):
+        data_path = get_android_androidqf()
+        m = DumpsysReceivers(target_path=data_path)
+        run_module(m)
+        assert len(m.results) == 4
+        assert len(m.detected) == 0

tests/android_androidqf/test_getprop.py

@@ -0,0 +1,22 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import os
+import logging
+
+from mvt.android.modules.androidqf.getprop import Getprop
+from mvt.common.module import run_module
+
+from ..utils import get_artifact_folder
+
+
+class TestAndroidqfGetpropAnalysis:
+
+    def test_androidqf_getprop(self):
+        m = Getprop(target_path=os.path.join(get_artifact_folder(), "androidqf"), log=logging)
+        run_module(m)
+        assert len(m.results) == 10
+        assert len(m.timeline) == 0
+        assert len(m.detected) == 0

tests/android_androidqf/test_processes.py

@@ -0,0 +1,21 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import os
+import logging
+
+from mvt.android.modules.androidqf.processes import Processes
+from mvt.common.module import run_module
+
+from ..utils import get_artifact_folder
+
+
+class TestAndroidqfProcessesAnalysis:
+    def test_androidqf_processes(self):
+        m = Processes(target_path=os.path.join(get_artifact_folder(), "androidqf"), log=logging)
+        run_module(m)
+        assert len(m.results) == 15
+        assert len(m.timeline) == 0
+        assert len(m.detected) == 0

tests/android_androidqf/test_settings.py

@@ -0,0 +1,20 @@
+# Mobile Verification Toolkit (MVT) - Private
+# Copyright (c) 2021-2022 Claudio Guarnieri.
+# This file is part of MVT Private and its content is confidential.
+# Please refer to the project maintainers before sharing with others.
+
+from mvt.common.module import run_module
+
+from mvt.android.modules.androidqf.settings import Settings
+
+from ..utils import get_android_androidqf
+
+
+class TestSettingsModule:
+    def test_parsing(self):
+        data_path = get_android_androidqf()
+        m = Settings(target_path=data_path)
+        run_module(m)
+        assert len(m.results) == 1
+        assert "random" in m.results.keys()
+        assert len(m.detected) == 0

tests/android_androidqf/test_sms.py

@@ -0,0 +1,21 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import os
+import logging
+
+from mvt.android.modules.androidqf.sms import SMS
+from mvt.common.module import run_module
+
+from ..utils import get_artifact_folder
+
+
+class TestAndroidqfSMSAnalysis:
+    def test_androidqf_sms(self):
+        m = SMS(target_path=os.path.join(get_artifact_folder(), "androidqf"), log=logging)
+        run_module(m)
+        assert len(m.results) == 2
+        assert len(m.timeline) == 0
+        assert len(m.detected) == 0

tests/artifacts/androidqf/dumpsys.txt

@@ -0,0 +1,254 @@
+some random text here
+
+DUMP OF SERVICE accessibility:
+ACCESSIBILITY MANAGER (dumpsys accessibility)
+
+User state[attributes:{id=0, currentUser=true
+  mIsNavBarMagnificationAssignedToAccessibilityButton = false
+
+  mIsNavBarMagnifierWindowAssignedToAccessibilityButton = false
+  mIsNavBarAmplifyAmbientSoundAssignedToAccessibilityButton = fals
+e
+  mIsAmplifyAmbientSoundEnabled = false
+  mIsBixbyRunning = false
+  mIsMagniferWindowEnabled = false
+  mIsFollowTypingFocusEnabled = false
+  mIsTapDurationEnabled = false
+  mIsTouchBlockingEnabled = false
+  mIsStickyKeysEnabled = false
+  mIsBounceKeysEnabled = false
+  mIsTouchExplorationEnabled = false
+  mIsTextHighContrastEnabled = false
+  mIsDisplayMagnificationEnabled = false
+  mIsNavBarMagnificationEnabled = false
+  mIsAutoclickEnabled = false
+  mIsPerformGesturesEnabled = false
+  mIsFilterKeyEventsEnabled = false
+  mAccessibilityFocusOnlyInActiveWindow = true
+  mUserNonInteractiveUiTimeout = 0
+  mUserInteractiveUiTimeout = 0
+  mBindInstantServiceAllowed = false
+  mIsGestureNaviBar = false
+  }
+  installed services: {
+  installed services: {
+    0 : com.android.settings/com.samsung.android.settings.development.gpuwatch.GPUWatchInterceptor
+    1 : com.samsung.accessibility/.universalswitch.UniversalSwitchService
+    2 : com.samsung.accessibility/com.samsung.android.app.talkback.TalkBackService
+    3 : com.sec.android.app.camera/com.samsung.android.glview.AccessibilityGestureHandler
+  }
+  enabled services: {
+  }
+  binding services: {
+  }
+  bound services:{
+  }
+  AccessibilityInputFilter:{
+  }]
+
+--------- 0.004s was the duration of dumpsys accessibility, ending at: 2022-01-28 17:37:22
+----------------------------
+-------------------------------------------------------------------------------
+DUMP OF SERVICE package:
+Database versions:
+  Internal:
+    sdkVersion=29 databaseVersion=3
+    fingerprint=samsung/a40
+  External:
+    sdkVersion=28 databaseVersion=3
+    fingerprint=samsung/a40
+
+Verifiers:
+  Required: com.android.vending (uid=10019)
+
+Intent Filter Verifier:
+  Using: com.google.android.gms (uid=10012)
+
+Receiver Resolver Table:
+  Non-Data Actions:
+      com.android.storagemanager.automatic.SHOW_NOTIFICATION:
+        23fa699 com.android.storagemanager/.automatic.NotificationController
+      android.intent.action.PHONE_STATE:
+        85c0aa6 com.facebook.katana/com.facebook.confirmation.util.BackgroundVoiceCallReceiver
+        a713de8 com.samsung.android.app.contacts/com.samsung.android.contacts.notification.CallStateBroadcastReceiver
+        ba10b0b com.sec.hearingadjust/.Receiver
+        c843c01 com.samsung.android.messaging/.ui.receiver.notification.CmcPhoneStateUpdateReceiver
+      com.samsung.intent.internal.stk.user_action:
+        2062d63 com.android.stk/.StkCmdReceiver
+      android.intent.action.NEW_OUTGOING_CALL:
+        1ff4352 com.sec.android.app.safetyassurance/.emergencyreporthelper.EmergencyReportStartMonitorReceiver
+        2906244 com.google.android.gms/.chimera.GmsIntentOperationService$PersistentTrustedReceiver
+
+Active APEX packages:
+
+
+Inactive APEX packages:
+
+
+Factory APEX packages:
+
+Packages:
+  Package [com.samsung.android.provider.filterprovider] (4be8eeb):
+    userId=1000
+    sharedUser=SharedUserSetting{b8a0e41 android.uid.system/1000}
+    pkg=Package{1660fe6 com.samsung.android.provider.filterprovider}
+    codePath=/system/app/FilterProvider
+    resourcePath=/system/app/FilterProvider
+    legacyNativeLibraryDir=/system/app/FilterProvider/lib
+    primaryCpuAbi=armeabi-v7a
+    secondaryCpuAbi=null
+    versionCode=500700000 minSdk=28 targetSdk=28
+    versionName=5.0.07
+    splits=[base]
+    apkSigningVersion=2
+    applicationInfo=ApplicationInfo{b6df792 com.samsung.android.provider.filterprovider}
+    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
+    privateFlags=[ PRIVATE_FLAG_ACTIVITIES_RESIZE_MODE_RESIZEABLE_VIA_SDK_VERSION PRIVATE_FLAG_REQUEST_LEGACY_EXTERNAL_STORAGE ]
+    dataDir=/data/user/0/com.samsung.android.provider.filterprovider
+    supportsScreens=[small, medium, large, xlarge, resizeable, anyDensity]
+    usesLibraries:
+      android.hidl.manager-V1.0-java
+      android.hidl.base-V1.0-java
+    usesLibraryFiles:
+      /system/framework/android.hidl.manager-V1.0-java.jar
+      /system/framework/android.hidl.base-V1.0-java.jar
+    timeStamp=2008-12-31 16:00:00
+    firstInstallTime=2008-12-31 16:00:00
+    lastUpdateTime=2008-12-31 16:00:00
+    signatures=PackageSignatures{3310927 version:2, signatures:[b378e95c], past signatures:[]}
+    installPermissionsFixed=true
+    pkgFlags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
+  Package [com.sec.android.app.DataCreate] (8c78be6):
+    userId=10143
+    pkg=Package{7d4f7d4 com.sec.android.app.DataCreate}
+    codePath=/system/app/AutomationTest_FB
+    resourcePath=/system/app/AutomationTest_FB
+    legacyNativeLibraryDir=/system/app/AutomationTest_FB/lib
+    primaryCpuAbi=null
+    secondaryCpuAbi=null
+    versionCode=1 minSdk=29 targetSdk=29
+    versionName=1.0
+    splits=[base]
+    apkSigningVersion=2
+    applicationInfo=ApplicationInfo{b284d7d com.sec.android.app.DataCreate}
+    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ALLOW_BACKUP ]
+    privateFlags=[ PRIVATE_FLAG_ACTIVITIES_RESIZE_MODE_RESIZEABLE_VIA_SDK_VERSION ALLOW_AUDIO_PLAYBACK_CAPTURE ]
+    dataDir=/data/user/0/com.sec.android.app.DataCreate
+    supportsScreens=[small, medium, large, xlarge, resizeable, anyDensity]
+    timeStamp=2008-12-31 16:00:00
+    firstInstallTime=2008-12-31 16:00:00
+    lastUpdateTime=2008-12-31 16:00:00
+
+
+  APEX session state:
+
+Active install Logging info:
+  []
+    1642419683196: "Ver":"", "Session":"0",
+--------- 2.929s was the duration of dumpsys package, ending at: 2022-01-28 17:37:43
+-------------------------------------------------------------------------------
+DUMP OF SERVICE appops:
+Current AppOps Service state:
+  Settings:
+    top_state_settle_time=+30s0ms
+    fg_service_state_settle_time=+10s0ms
+    bg_state_settle_time=+1s0ms
+
+  Op mode watchers:
+    Op COARSE_LOCATION:
+      #0: ModeCallback{b8f1a14 watchinguid=-1 flags=0x1 from uid=1000 pid=4098}
+      #1: ModeCallback{e9062d4 watchinguid=-1 flags=0x1 from uid=u0a12 pid=13172}
+    Op READ_CALL_LOG:
+      #0: ModeCallback{4b4eb4e watchinguid=-1 flags=0x0 from uid=1000 pid=4098}
+    Op WRITE_CALL_LOG:
+      #0: ModeCallback{4b4eb4e watchinguid=-1 flags=0x0 from uid=1000 pid=4098}
+    Op READ_SMS:
+      #0: ModeCallback{4b4eb4e watchinguid=-1 flags=0x0 from uid=1000 pid=4098}
+    Op RECEIVE_SMS:
+      #0: ModeCallback{4b4eb4e watchinguid=-1 flags=0x0 from uid=1000 pid=4098}
+    Op RECEIVE_MMS:
+      #0: ModeCallback{4b4eb4e watchinguid=-1 flags=0x0 from uid=1000 pid=4098}
+
+  Uid 0:
+    state=cch
+    Package com.android.phone:
+      MANAGE_IPSEC_TUNNELS (allow):
+    Package com.sec.epdg:
+      MANAGE_IPSEC_TUNNELS (deny):
+  Uid 1000:
+    state=pers
+      LEGACY_STORAGE: mode=allow
+    Package com.samsung.android.provider.filterprovider:
+      READ_EXTERNAL_STORAGE (allow):
+      WRITE_EXTERNAL_STORAGE (allow):
+    Package com.samsung.android.smartswitchassistant:
+      READ_EXTERNAL_STORAGE (allow):
+      WRITE_EXTERNAL_STORAGE (allow):
+    Package com.samsung.clipboardsaveservice:
+      READ_EXTERNAL_STORAGE (allow):
+      WRITE_EXTERNAL_STORAGE (allow):
+      RUN_IN_BACKGROUND (allow):
+    Package com.skms.android.agent:
+      READ_EXTERNAL_STORAGE (allow):
+      WRITE_EXTERNAL_STORAGE (allow):
+    Package com.sec.factory.camera:
+      RECORD_AUDIO (allow):
+      RUN_IN_BACKGROUND (allow):
+          Access: [pers-s] 2022-03-29 18:37:30.315 (-4h50m23s772ms)
+  Uid u0a103:
+    state=cch
+      COARSE_LOCATION: mode=ignore
+      LEGACY_STORAGE: mode=allow
+    Package com.facebook.katana:
+      READ_CONTACTS (allow):
+          Access: [bg-tpd] 2022-03-07 18:05:34.325 (-22d4h22m19s762ms)
+      WRITE_SMS (ignore):
+          Reject: [fg-s]2021-05-19 22:02:52.054 (-314d1h25m2s33ms)
+          Reject: [bg-s]2022-03-10 19:35:06.426 (-19d2h52m47s661ms)
+          Reject: [cch-s]2022-03-29 18:48:02.923 (-4h39m51s164ms)
+      WAKE_LOCK (allow):
+          Access: [fg-s] 2021-05-19 22:02:49.186 (-314d1h25m4s901ms)
+          Access: [bg-s] 2022-03-29 23:03:03.763 (-24m50s324ms) duration=+33ms
+          Access: [cch-s] 2022-03-07 14:57:11.635 (-22d7h30m42s452ms)
+      TOAST_WINDOW (allow):
+      READ_PHONE_STATE (allow):
+          Access: [fg-s] 2021-05-19 22:02:53.336 (-314d1h25m0s751ms)
+          Access: [bg-s] 2022-03-24 21:06:52.731 (-5d1h21m1s356ms)
+          Access: [cch-s] 2022-03-29 18:57:58.524 (-4h29m55s563ms)
+      READ_EXTERNAL_STORAGE (allow):
+      WRITE_EXTERNAL_STORAGE (allow):
+      READ_DEVICE_IDENTIFIERS (deny):
+          Reject: [fg-s]2021-05-19 22:02:53.434 (-314d1h25m0s653ms)
+          Reject: [bg-s]2022-03-24 21:06:56.538 (-5d1h20m57s549ms)
+          Reject: [cch-s]2022-03-29 18:57:58.644 (-4h29m55s443ms)
+  Uid u0a104:
+    state=cch
+      COARSE_LOCATION: mode=ignore
+      LEGACY_STORAGE: mode=ignore
+    Package org.mozilla.firefox:
+      REQUEST_INSTALL_PACKAGES (allow):
+  Uid u0a105:
+    state=cch
+    Package com.android.carrierdefaultapp:
+      READ_EXTERNAL_STORAGE (allow):
+      WRITE_EXTERNAL_STORAGE (allow):
+  Uid u0a106:
+    state=cch
+      LEGACY_STORAGE: mode=allow
+    Package com.samsung.safetyinformation:
+      READ_EXTERNAL_STORAGE (allow):
+      WRITE_EXTERNAL_STORAGE (allow):
+  Uid u0a107:
+    state=cch
+      LEGACY_STORAGE: mode=allow
+    Package com.sec.android.app.clockpackage:
+      WAKE_LOCK (allow):
+          Access: [bg-s] 2022-03-29 18:38:31.440 (-4h49m22s647ms) duration=+126ms
+          Access: [cch-s] 2021-06-07 12:47:06.642 (-295d10h40m47s445ms)
+      TOAST_WINDOW (allow):
+      READ_EXTERNAL_STORAGE (allow):
+      WRITE_EXTERNAL_STORAGE (allow):
+
+
+
+

tests/artifacts/androidqf/getprop.txt

@@ -0,0 +1,10 @@
+[dalvik.vm.appimageformat]: [lz4]
+[dalvik.vm.dex2oat-Xms]: [64m]
+[dalvik.vm.dex2oat-Xmx]: [512m]
+[dalvik.vm.dex2oat-max-image-block-size]: [524288]
+[dalvik.vm.dex2oat-minidebuginfo]: [true]
+[dalvik.vm.dex2oat-resolve-startup-strings]: [true]
+[dalvik.vm.dexopt.secondary]: [true]
+[dalvik.vm.heapgrowthlimit]: [128m]
+[dalvik.vm.heapmaxfree]: [8m]
+[dalvik.vm.heapminfree]: [512k]

tests/artifacts/androidqf/ps.txt

@@ -0,0 +1,16 @@
+USER           PID  PPID     VSZ    RSS WCHAN            ADDR S NAME
+root             1     0   57912   2084 0                   0 S init
+root             2     0       0      0 0                   0 S [kthreadd]
+root             3     2       0      0 0                   0 S [ksoftirqd/0]
+root             5     2       0      0 0                   0 S [kworker/0:0H]
+root             6     2       0      0 0                   0 S [kworker/u16:0]
+root             7     2       0      0 0                   0 S [rcu_preempt]
+root             8     2       0      0 0                   0 S [rcu_sched]
+root             9     2       0      0 0                   0 S [rcu_bh]
+root            10     2       0      0 0                   0 S [migration/0]
+root            11     2       0      0 0                   0 D [tz_worker_threa]
+root            12     2       0      0 0                   0 S [watchdog/0]
+root            13     2       0      0 0                   0 S [watchdog/1]
+root            14     2       0      0 0                   0 D [tz_worker_threa]
+root            15     2       0      0 0                   0 S [migration/1]
+root            16     2       0      0 0                   0 S [ksoftirqd/1]

tests/artifacts/androidqf/settings_random.txt

@@ -0,0 +1,9 @@
+samsung_errorlog_agree=0
+package_verifier_enable=1
+package_verifier_user_consent=1
+navigationbar_hide_bar=1
+navigationbar_key_order=0
+navigationbar_pressure_user_level=3
+navigationbar_recently_used_color=
+navigationbar_unlock_with_home_button=0
+navigationbar_use_theme_default=0

tests/test_check_android_androidqf.py

@@ -0,0 +1,20 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import os
+from click.testing import CliRunner
+
+from mvt.android.cli import check_androidqf
+
+from .utils import get_artifact_folder
+
+
+class TestCheckAndroidqfCommand:
+
+    def test_check(self):
+        runner = CliRunner()
+        path = os.path.join(get_artifact_folder(), "androidqf")
+        result = runner.invoke(check_androidqf, [path])
+        assert result.exit_code == 0

tests/utils.py

@@ -28,5 +28,9 @@ def get_android_backup_folder():
     return os.path.join(os.path.dirname(__file__), "artifacts", "android_backup")
 
 
+def get_android_androidqf():
+    return os.path.join(os.path.dirname(__file__), "artifacts", "androidqf")
+
+
 def get_indicator_file():
     print("PYTEST env", os.getenv("PYTEST_CURRENT_TEST"))