mvt-project / mvt

MVT (Mobile Verification Toolkit) helps with conducting forensics of mobile devices in order to find signs of a potential compromise.
https://mvt.re

Suspicious app not installed from the app store or MDM (false detection?) #495

Open dkg opened 6 months ago

dkg commented 6 months ago

A recent run of mvt-ios warned that two applications had not been installed from the app store or from MDM:

Suspicious app not installed from the app store or MDM

In applications_detected.json, both app descriptors contained identical values of the following keys:

```json
{
  "is-auto-download": false,
  "launchProhibited": true,
  "is-purchased-redownload": false,
  "s": 143441,
  "isFactoryInstall": false,
  "gameCenterEverEnabled": false,
  "gameCenterEnabled": false,
  "kind": "software",
  "hasMessagesExtension": true,
  "betaExternalVersionIdentifier": 0,
  "variantID": "iPhone9,3",
  "sideLoadedDeviceBasedVPP": false,
  "DeviceBasedVPP": false,
  "sourceApp": "com.apple.datausage.atc",
  "subgenres": [],
  "rating": {
    "label": "4+",
    "rank": 100
  },
  "icon_sha256": "8f447f708ca1c4cca4d6934c4c1fd0eee374b85ae159befe7534c1a869cc415b"
}
```

Both also contained a top-level isodate field from the same day (different times) and a com.apple.iTunesStore.downloadInfo member that contains a dict with a purchaseDate (matching the outer isodate but in UTC) and an accountInfo that appears to contain static information about the user's AppleID.

This seems similar to #348, #383, and #487, but I don't know whether it is something to be concerned about. The date is several years in the past, so I don't have great notes about what else was happening at the time. Can you help me make sense of this alert? Does the warning need to be tuned to avoid a false alarm?

dkg commented 6 months ago

I'm happy to supply more data privately if that would be useful. Obviously the fields mentioned above are not the only fields in applications_detected.json, but I don't want to publish more info than I need to.

dkg commented 5 months ago

Any suggestions on this question? More data I should try to gather?

Te-k commented 5 months ago

Hi @dkg, the Application module is alerting on any app not installed from the App Store or MDM based on the SourceApp field. It was intended to detect side-loaded apps that can be used by spyware such as Hermit and doesn't usually raise a lot of false positives (but we are expecting to see some with alternative stores being accepted in the EU soon).

So I am not fully clear why you would have a different sourceApp there, a similar case was reported in #487 so it may be a recent change in iOS 17. Is this phone in iOS 17? Do you have a distributorInfo entry about this app? If the app was coming from the AppStore, it should be mentioned there (and if this is more reliable than the sourceApp entry, we will consider changing the check to this structure instead)

I hope it helps
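As a triage aid for the check described above (an added example, not MVT's own code): it walks an applications.json-style list, cross-checks the sourceApp-based verdict against the presence of distributorInfo, and pulls out purchaseDate from com.apple.iTunesStore.downloadInfo so the flagged entries can be reviewed side by side. The App Store sourceApp value and the bundle_id key name are assumptions; the sample data is constructed.

```python
import json
from typing import Any

# Assumption: the sourceApp value MVT treats as an App Store install.
APPSTORE_SOURCE = "com.apple.AppStore"

# Constructed sample in the shape of applications.json entries; the
# "bundle_id" key name is an assumption, the other keys appear in the issue.
SAMPLE_APPLICATIONS_JSON = json.dumps([
    {"bundle_id": "com.example.one", "sourceApp": APPSTORE_SOURCE,
     "distributorInfo": {"name": "Example Inc"},
     "com.apple.iTunesStore.downloadInfo": {"purchaseDate": "2019-03-04T10:00:00Z"}},
    {"bundle_id": "com.example.two", "sourceApp": "com.apple.datausage.atc",
     "com.apple.iTunesStore.downloadInfo": {"purchaseDate": "2019-03-04T10:05:00Z"}},
    {"bundle_id": "com.example.three", "sourceApp": "com.example.mdm",
     "distributorInfo": {"name": "Corp MDM"}},
])


def classify(app: dict[str, Any], appstore_source: str = APPSTORE_SOURCE) -> str:
    """Compare the sourceApp-based verdict with the presence of distributorInfo."""
    from_store = app.get("sourceApp") == appstore_source
    has_distributor = "distributorInfo" in app
    if from_store and has_distributor:
        return "consistent"            # both signals say App Store
    if from_store:
        return "store-no-distributor"  # App Store source but no distributorInfo
    if has_distributor:
        return "conflict"              # non-store source yet distributorInfo exists
    return "flagged"                   # non-store source and no distributorInfo


def triage(applications_json: str) -> list[dict[str, Any]]:
    """Return one row per app with the fields useful for reviewing the alert."""
    rows = []
    for app in json.loads(applications_json):
        info = app.get("com.apple.iTunesStore.downloadInfo") or {}
        rows.append({
            "bundle_id": app.get("bundle_id"),
            "sourceApp": app.get("sourceApp"),
            "purchaseDate": info.get("purchaseDate"),
            "verdict": classify(app),
        })
    return rows


def summarize(rows: list[dict[str, Any]]) -> dict[str, int]:
    """Count verdicts, e.g. how many apps lack distributorInfo overall."""
    counts: dict[str, int] = {}
    for row in rows:
        counts[row["verdict"]] = counts.get(row["verdict"], 0) + 1
    return counts
```

Run `triage` over the real applications.json and look at the "conflict" rows: they are the cases that decide whether distributorInfo is the more reliable signal.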

dkg commented 5 months ago

Hi @Te-k, thanks for the feedback. I agree it's weird that the sourceApp fields are noted as com.apple.datausage.atc -- I don't know what that is supposed to mean. I don't have a distributorInfo about either app at all. Of the 188 apps in applications.json, only 152 of them have a distributorInfo, though.

I believe the device is iOS 17, but I'm currently only looking at the artifacts generated from the MVT scan. Is there a standard way to get that information from the artifacts, or do I need to go back to the device to get that info?

dkg commented 5 months ago

I can confirm that the device was running iOS 17.4 at the time of the scan. Any pointers as to next steps that would be useful?

Te-k commented 2 months ago

Hi @dkg, apologies for the delay. I have rechecked on a phone with iOS 17+ and I wasn't able to reproduce that. All the apps I have include sourceApp and distributorInfo fields. So I really don't have an explanation for this behaviour. Was there anything unusual done on the phone? Any 3rd party market? Anything unusual in the way it was installed?

dkg commented 2 months ago

Thanks for getting back to this. I am unaware of any unusual pattern of activity on the phone. It's a well-lived-in device that has probably been updated from older devices (that is, I believe the installation included porting user data and apps from older phones as part of a normal life cycle upgrade). But I don't think that'd be unusual for normal iPhone use.

Are there any concrete things that you think might be worth checking? I no longer have easy access to this device (and it's certainly changed some in the meantime), but I can try to get some tests run if you think they'd be useful.