
# Mobile Verification Toolkit

Mobile Verification Toolkit (MVT) is a collection of utilities designed to simplify and automate the process of gathering data that may help identify a potential compromise or infection of an Android or iOS device.

## Installation

### Dependencies on Linux

First install some basic dependencies that will be necessary to build all required tools:

```bash
sudo apt install python3 python3-pip python3-dev build-essential libssl-dev libffi-dev swig android-sdk-platform-tools
```

### Dependencies on Mac

Running MVT on Mac requires Xcode and [homebrew](https://brew.sh) to be installed.

In order to install adb and other dependencies use:

```bash
brew install openssl swig libusb python3
brew install homebrew/cask/android-platform-tools
```

### Installing MVT

If you haven't already, you can add the following to your .bashrc file so that locally installed PyPI binaries are on your $PATH:

```bash
export PATH=$PATH:~/.local/bin
```

Then you can install MVT directly:

```bash
pip3 install mvt
```

You now should have the mvt-ios and mvt-android utilities installed.

## mvt-ios

mvt-ios extracts relevant information from an unencrypted iTunes backup or a full filesystem dump.

Currently, it is capable of:

- Extract Safari browsing history and highlight potentially suspicious redirect chains that may indicate network injection attacks.
- Extract domains from Safari's LocalStorage.
- Extract domains from Safari's IndexedDB storage.
- Extract all SMS messages containing links.
- Extract all WhatsApp messages containing links.
- Compare all of the above records with a provided list of suspicious domains.
- Extract a list of processes identified in netusage.sqlite, and highlight those which look suspicious.
- Extract a list of processes identified in DataUsage.sqlite.

And more.
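To make the first two capabilities concrete, here is an added example (not MVT's own code) that reconstructs redirect chains from a simplified, constructed model of Safari's History.db (`history_items` and `history_visits` with `redirect_source` / `redirect_destination` columns, loaded into an in-memory SQLite database) and flags any chain that touches a domain from a suspicious-domain list. The table layout, the sample rows and the suspicious domains are all assumptions constructed for the example; the `.test` hostnames are reserved placeholders, not real indicators.

```python
"""Walk Safari-style redirect chains and flag those touching a suspicious domain.

Added example: the schema is a simplified model of Safari's History.db and the
rows below are constructed sample data, not output from a real device.
"""
import sqlite3
from urllib.parse import urlparse

# Constructed suspicious-domain list (placeholder values, not real indicators).
SUSPICIOUS_DOMAINS = {"example-injector.test", "bad.example.net"}


def build_sample_history():
    """Create an in-memory database shaped like Safari's history tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE history_visits (
            id INTEGER PRIMARY KEY,
            history_item INTEGER,
            visit_time REAL,
            redirect_source INTEGER,
            redirect_destination INTEGER
        );
        """
    )
    conn.executemany("INSERT INTO history_items VALUES (?, ?)", [
        (1, "http://news.example.com/article"),
        (2, "http://example-injector.test/stage1"),
        (3, "https://news.example.com/article"),
        (4, "https://shop.example.org/"),
    ])
    # Visits 1 -> 2 -> 3: a plain-http request was bounced through a third-party
    # host before landing on the https:// version of the same page.
    conn.executemany("INSERT INTO history_visits VALUES (?, ?, ?, ?, ?)", [
        (1, 1, 100.0, None, 2),
        (2, 2, 100.5, 1, 3),
        (3, 3, 101.0, 2, None),
        (4, 4, 200.0, None, None),  # an ordinary visit with no redirect
    ])
    return conn


def redirect_chains(conn):
    """Follow redirect_destination links from each chain start to its end."""
    rows = conn.execute(
        "SELECT v.id, i.url, v.redirect_source, v.redirect_destination "
        "FROM history_visits v JOIN history_items i ON i.id = v.history_item "
        "ORDER BY v.id"
    ).fetchall()
    by_id = {row[0]: row for row in rows}
    chains = []
    for vid, url, src, dst in rows:
        if src is not None or dst is None:
            continue  # only start from the first hop of an actual redirect
        chain, seen = [url], {vid}
        nxt = dst
        while nxt is not None and nxt in by_id and nxt not in seen:
            seen.add(nxt)  # guards against loops in malformed data
            chain.append(by_id[nxt][1])
            nxt = by_id[nxt][3]
        chains.append(chain)
    return chains


def domain_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def suspicious_chains(conn, suspicious=SUSPICIOUS_DOMAINS):
    """Return chains with any hop on a suspicious domain (exact or subdomain match)."""
    flagged = []
    for chain in redirect_chains(conn):
        hosts = [domain_of(u) for u in chain]
        if any(h == d or h.endswith("." + d) for h in hosts for d in suspicious):
            flagged.append(chain)
    return flagged


if __name__ == "__main__":
    for chain in suspicious_chains(build_sample_history()):
        print(" -> ".join(chain))
```

The chain walk starts only from visits that have a destination but no source, so each redirect sequence is reported once and ordinary visits are ignored; the subdomain match means `cdn.bad.example.net` is caught by the `bad.example.net` entry without listing every host separately.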

### Installing libimobiledevice

In order to easily extract an iTunes backup from an iOS device, we recommend using the [libimobiledevice](https://www.libimobiledevice.org/) utilities. On some versions of Debian-based Linux systems they are available for install through:

```bash
sudo apt install libimobiledevice-utils
```

On Mac, you can try installing it from brew:

```bash
brew install --HEAD libimobiledevice
```

If you have a reasonably recent version of libimobiledevice in your package manager, it might work straight out of the box. Try connecting your iOS device to your computer via USB and run:

```bash
ideviceinfo
```

Because the utilities and their libraries change frequently in response to new versions of iOS, you might want to consider compiling the libimobiledevice utilities from source.

### Installing libimobiledevice from sources

Warning: the following instructions are a best effort. The installation from source requires several steps, and it is likely some have been forgotten here and that won’t work for you. You will likely need to fiddle around a bit before getting this right.

Make sure you have uninstalled all the libimobiledevice tools from your package manager:

```bash
sudo apt remove --purge libimobiledevice-utils libimobiledevice-dev libimobiledevice6 libplist-dev libplist3 libusbmuxd-dev libusbmuxd-tools libusbmuxd4 libusbmuxd6 usbmuxd
```

Firstly you need to install [libplist](https://github.com/libimobiledevice/libplist). Then you can install [libusbmuxd](https://github.com/libimobiledevice/libusbmuxd).

Now you should be able to download and install the actual suite of tools from [https://github.com/libimobiledevice/libimobiledevice](https://github.com/libimobiledevice/libimobiledevice).

You can now also build and install [usbmuxd](https://github.com/libimobiledevice/usbmuxd).

### Generating the backup

Once the idevice tools are available you can check if everything works fine by connecting your iOS device and running:

```bash
ideviceinfo
```

This should show many details about the connected iOS device. If you are connecting the device to your laptop for the first time, you will need to unlock the device and enter its PIN code. If it complains that no device is connected while the mobile device is indeed plugged in through the USB cable, you might need to do this first:

```bash
sudo usbmuxd -f -d
idevicepair pair
```

Again, you will be asked to unlock the phone and enter the PIN code. If everything is now fine you can proceed with the backup. First, make sure that the backup is NOT encrypted:

```bash
idevicebackup2 -i encryption off
```

Then you can proceed with the actual extraction:

```bash
idevicebackup2 backup /path/to/backup/
```

### Running mvt-ios on a backup

The backup might take some time. It is best to make sure the phone remains unlocked during the backup process. Afterwards, a new folder named after the UDID of the iPhone you backed up will be created under the path you specified. You can then pass that folder to the mvt-ios script and specify another folder to store the results in:

```bash
mvt-ios check-backup /path/to/backup/udid/ --output /path/to/output/
```

This will create a few JSON files containing the results from the extraction. If you do not specify a `--output` option, mvt-ios will just process the data without storing results on disk.
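The steps above (turn encryption off, back up, locate the UDID folder, run `mvt-ios check-backup`) lend themselves to a small pre-flight script. The following is an added example, not part of MVT or libimobiledevice: it locates backup folders under the path given to `idevicebackup2`, reads each folder's `Manifest.plist` to confirm the `IsEncrypted` flag is false before mvt-ios is pointed at it, and assembles the `mvt-ios` command line. The sample backup it writes (a folder with a placeholder UDID containing only a `Manifest.plist`) is constructed for the demo and is not a real device backup.

```python
"""Pre-flight checks before running mvt-ios check-backup on an iTunes backup.

Added example, not MVT's own code. Assumes the layout idevicebackup2 produces:
<backup root>/<UDID>/Manifest.plist, where Manifest.plist carries an
IsEncrypted boolean. The sample backup built by make_sample_backup() is a
constructed stand-in that only contains that one file.
"""
import os
import plistlib
import shlex
import tempfile


def find_backup_dirs(backup_root):
    """Return subfolders of backup_root that look like device backups."""
    found = []
    for name in sorted(os.listdir(backup_root)):
        path = os.path.join(backup_root, name)
        if os.path.isdir(path) and os.path.isfile(os.path.join(path, "Manifest.plist")):
            found.append(path)
    return found


def backup_is_encrypted(backup_dir):
    """Read the IsEncrypted flag from Manifest.plist (a missing key counts as not encrypted)."""
    with open(os.path.join(backup_dir, "Manifest.plist"), "rb") as fh:
        manifest = plistlib.load(fh)
    return bool(manifest.get("IsEncrypted", False))


def mvt_command(backup_dir, output_dir):
    """Build the mvt-ios invocation from the page; refuse an encrypted backup up front."""
    if backup_is_encrypted(backup_dir):
        raise ValueError(
            f"{backup_dir} is encrypted; run 'idevicebackup2 -i encryption off' "
            "and back up the device again"
        )
    return ["mvt-ios", "check-backup", backup_dir, "--output", output_dir]


def make_sample_backup(root, udid, encrypted):
    """Constructed stand-in for an idevicebackup2 output folder (Manifest.plist only)."""
    path = os.path.join(root, udid)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, "Manifest.plist"), "wb") as fh:
        plistlib.dump({"IsEncrypted": encrypted, "Version": "10.0"}, fh)
    return path


def demo():
    """Create one plain and one encrypted sample backup and run the checks on both."""
    with tempfile.TemporaryDirectory() as root:
        # Placeholder UDIDs: real ones are assigned by the device, not chosen.
        plain = make_sample_backup(root, "PLACEHOLDER-UDID-PLAIN", encrypted=False)
        enc = make_sample_backup(root, "PLACEHOLDER-UDID-ENC", encrypted=True)
        out = os.path.join(root, "out")
        report = {
            "backups_found": len(find_backup_dirs(root)),
            "plain_encrypted": backup_is_encrypted(plain),
            "enc_encrypted": backup_is_encrypted(enc),
            "plain_cmd": mvt_command(plain, out),
        }
        try:
            mvt_command(enc, out)
            report["enc_rejected"] = False
        except ValueError:
            report["enc_rejected"] = True
        return report


if __name__ == "__main__":
    result = demo()
    print("backups found:", result["backups_found"])
    print("encrypted backup rejected:", result["enc_rejected"])
    print("would run:", shlex.join(result["plain_cmd"]))
```

On a real backup root, call `find_backup_dirs("/path/to/backup/")` and pass each folder to `mvt_command`; the returned list can be handed straight to `subprocess.run(cmd, check=True)` once mvt-ios is installed. Checking `IsEncrypted` before invoking mvt-ios avoids a run that silently yields little because the databases in the backup are still encrypted.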

### Running mvt-ios on a full filesystem dump

While iTunes backups provide a lot of very useful databases and diagnostic data, they might not be enough. From iOS 13, for example, Safari's browsing history is no longer exported by iTunes. You might want to jailbreak the device and perform a full filesystem dump. In that case, you should take a look at [checkra1n](https://checkra.in/). Note: before you checkra1n any device, make sure you take a full backup, and that you are prepared to do a full factory reset before restoring it. Even after using checkra1n's "Restore System", some traces of the jailbreak are still left on the device and [apps with anti-jailbreak checks will be able to detect them](https://github.com/checkra1n/BugTracker/issues/279).

mvt-ios is capable of extracting data and looking for indicators of compromise on a full filesystem dump as well:

```bash
mvt-ios check-fs /path/to/filesystem/dump/root/ --output /path/to/output/
```

## mvt-android

In order to use mvt-android you need to connect your Android device to your computer. You will then need to [enable USB debugging](https://developer.android.com/studio/debug/dev-options#enable) on the Android device.

Make sure to generate your adb keys:

```bash
mkdir $HOME/.android
adb keygen $HOME/.android/adbkey
```

The following command might be necessary on Mac systems:

```bash
adb pubkey $HOME/.android/adbkey > $HOME/.android/adbkey.pub
```

If this is the first time you connect to this device, you will need to approve the authentication keys through a prompt that will appear on your Android device.

Now you can launch mvt-android and specify the fetch-apks command and the path to the folder where you want to store the extracted data:

```bash
mvt-android fetch-apks --output /path/to/folder
```

Optionally, you can decide to enable lookups of the SHA256 hash of all the extracted APKs on [VirusTotal](https://www.virustotal.com) and/or [Koodous](https://www.koodous.com). While these lookups do not provide any conclusive assessment on all of the extracted APKs, they might highlight any known malicious ones.

```bash
mvt-android fetch-apks --output /path/to/folder --virustotal
mvt-android fetch-apks --output /path/to/folder --koodous
```

Or, to launch all available lookups:

```bash
mvt-android fetch-apks --output /path/to/folder --all-checks
```

## Download files

Files for mvt, version 1.1:

| Filename | Size | File type | Python version |
|---|---|---|---|
| mvt-1.1-py3-none-any.whl | 76.6 kB | Wheel | py3 |
| mvt-1.1.tar.gz | 20.8 kB | Source | None |