mvt-project / mvt

MVT (Mobile Verification Toolkit) helps with conducting forensics of mobile devices in order to find signs of a potential compromise.
https://mvt.re

Issue with mvt.ios.modules.mixed.applications #383

Closed fibrizho closed 1 year ago

fibrizho commented 1 year ago

Hi guys,

I have noticed that I am receiving what seems to be a false positive with this module. I am getting this warning message:

2023-09-07 09:42:00,345 - mvt.ios.modules.mixed.applications - WARNING - Suspicious app not installed from the App Store or MDM: gr.sparklean.klean

On this application 2022-01-13 22:46:11.000000,"Applications","app_installed","App gr.sparklean.klean version 1.3.0 from SPARKLEAN P.C. installed from com.apple.AppStore.ProductPageExtension"

However, according to the code, this should not happen:

    # Some apps installed from apple store with sourceApp "com.apple.AppStore.ProductPageExtension"
    if result.get("sourceApp", "com.apple.AppStore") not in [
        "com.apple.AppStore",
        "com.apple.AppStore.ProductPageExtension",
        "com.apple.dmd",
        "dmd",
    ]:
        self.log.warning(
            "Suspicious app not installed from the App Store or MDM: %s",
            result["softwareVersionBundleId"],
        )
        self.detected.append(result)

DonnchaC commented 1 year ago
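The check quoted above, reduced to a stand-alone function and run over constructed sample records, as an added illustration that is not part of the issue or of MVT's own code. It assumes that the quoted allowlist is the fixed one and that the pre-fix list simply lacked the `com.apple.AppStore.ProductPageExtension` entry (an assumption, not stated in the thread); `record_from_timeline_line`, `flag_suspicious_sources`, the sample records and the sample timeline line are all constructed here. It shows why the reported record is not flagged by the quoted code, how a record with no `sourceApp` at all is treated, and which records the check does flag.

```python
import csv
import re

# Allowlist of installation sources, copied from the check quoted in the issue
# (mvt.ios.modules.mixed.applications). A missing sourceApp is treated as the
# App Store, exactly as the quoted result.get(..., "com.apple.AppStore") does.
ALLOWED_SOURCES = [
    "com.apple.AppStore",
    "com.apple.AppStore.ProductPageExtension",
    "com.apple.dmd",
    "dmd",
]
DEFAULT_SOURCE = "com.apple.AppStore"

# Constructed sample records in the shape the quoted code reads.
# Not real device data; bundle ids other than gr.sparklean.klean are made up.
SAMPLE_RECORDS = [
    {"softwareVersionBundleId": "gr.sparklean.klean",
     "sourceApp": "com.apple.AppStore.ProductPageExtension"},
    {"softwareVersionBundleId": "com.example.storeapp",
     "sourceApp": "com.apple.AppStore"},
    # No sourceApp key at all: defaults to the App Store and is not flagged.
    {"softwareVersionBundleId": "com.example.nosource"},
    {"softwareVersionBundleId": "com.example.mdm", "sourceApp": "dmd"},
    # Installed by something outside the allowlist: this one is flagged.
    {"softwareVersionBundleId": "com.example.sideloaded",
     "sourceApp": "com.example.thirdparty.installer"},
]

# Constructed copy of the timeline line quoted in the issue.
SAMPLE_TIMELINE_LINE = (
    '2022-01-13 22:46:11.000000,"Applications","app_installed",'
    '"App gr.sparklean.klean version 1.3.0 from SPARKLEAN P.C. '
    'installed from com.apple.AppStore.ProductPageExtension"'
)

# Pulls bundle id, version and install source out of the free-text event column.
EVENT_RE = re.compile(
    r"App ([\w.-]+) version ([\w.-]+) from .+? installed from ([\w.-]+)"
)


def flag_suspicious_sources(records, allowed=ALLOWED_SOURCES):
    """Return the bundle ids whose install source is outside the allowlist.

    Mirrors the quoted MVT check: a record without sourceApp is treated as
    an App Store install and is therefore never flagged.
    """
    flagged = []
    for result in records:
        source = result.get("sourceApp", DEFAULT_SOURCE)
        if source not in allowed:
            flagged.append(result["softwareVersionBundleId"])
    return flagged


def record_from_timeline_line(line):
    """Turn one app_installed timeline CSV line into a record dict.

    Returns None when the line is not an app_installed event or the event
    text does not carry a recognisable source.
    """
    fields = next(csv.reader([line]))
    if len(fields) != 4 or fields[2] != "app_installed":
        return None
    match = EVENT_RE.search(fields[3])
    if match is None:
        return None
    bundle_id, version, source = match.groups()
    return {
        "timestamp": fields[0],
        "softwareVersionBundleId": bundle_id,
        "version": version,
        "sourceApp": source,
    }


def pre_fix_allowlist():
    """Assumed pre-fix allowlist: the quoted list without ProductPageExtension."""
    return [s for s in ALLOWED_SOURCES
            if s != "com.apple.AppStore.ProductPageExtension"]


if __name__ == "__main__":
    print("flagged (current allowlist):", flag_suspicious_sources(SAMPLE_RECORDS))
    rec = record_from_timeline_line(SAMPLE_TIMELINE_LINE)
    print("parsed timeline record:", rec)
    print("flagged with assumed pre-fix list:",
          flag_suspicious_sources([rec], allowed=pre_fix_allowlist()))
```

Running it shows only `com.example.sideloaded` flagged with the quoted allowlist, while the parsed `gr.sparklean.klean` record is flagged only when `com.apple.AppStore.ProductPageExtension` is dropped from the list, which is the behaviour the reporter saw on the older release.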

Hi @fibrizho, this false positive was fixed in v2.4.2, which was released on PyPI two days ago. Were you using the latest code from Git when you tested it? Can you try again with release v2.4.2 and check if this fixed the problem?

fibrizho commented 1 year ago

Hi Donncha, thanks for answering. Indeed, we were not using the very latest version, so this could explain it.

Thanks a lot for your time and effort!