After Amnesty International’s Methodology Report from last Sunday, I early-adopted the Mobile Verification Toolkit on Monday evening. At that time, parts of the documentation and cross-referencing were pretty basic, so I'm documenting my process and concentrating links to all resources here.
Less tech-savvy users may want to wait for the announced GUI.
Preconditions:
adb installed, or use the Docker image (this saves some MVT installation steps, too)
Further reading:
I installed the project's dependencies in a pipenv to not pollute the system's Python packages and $PATH:
# Clone repository
git clone https://github.com/mvt-project/mvt.git
cd mvt/
# Install dependencies in pipenv
pipenv --python 3
pipenv run pip3 install .
You can't use the tool to check already-downloaded APKs for malware signatures later, so it's best to download and check in one go. Otherwise you'd need to download the packages twice:
mkdir android-apks
pipenv run mvt-android download-apks -o android-apks/ --virustotal
Sometimes the Android device is busy and MVT recommends resetting the adb server. This works just fine:
adb kill-server
On the phone, when downloading the APKs, you will be asked (multiple times, even if you check the 'allow future access' box) to allow adb access. This dialog needs to be accepted within 5 seconds, otherwise MVT times out. It's best to be attentive and watch the phone screen. ;)
This process is well-documented:
Get abe.jar from the releases page.
# Backup SMS from Android device
adb backup com.android.providers.telephony
# Extract SMS backup
java -jar abe.jar unpack backup.ab backup.tar
tar xvf backup.tar
# Check backup against STIX v2 file
pipenv run mvt-android check-backup . --iocs pegasus.stix2
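A sanity check for backup.ab before unpacking it, as an added example that is not part of the original post or of MVT: it reads the four-line text header of the Android backup format (magic, version, compression flag, encryption) and, for an unencrypted backup, lists the contained tar members. The function names, the sample member path and the sample backup are constructed for illustration.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"
# Constructed sample member name, used only by make_sample_backup().
SAMPLE_PATH = "apps/com.android.providers.telephony/d_f/000000_sms_backup"


def parse_ab_header(data: bytes) -> dict:
    """Split off the four newline-terminated header fields of an .ab file."""
    fields = data.split(b"\n", 4)
    if len(fields) < 5 or fields[0] != MAGIC:
        # An empty or truncated file ends up here.
        raise ValueError("no Android backup header; repeat 'adb backup'")
    return {"version": int(fields[1]), "compressed": fields[2] == b"1",
            "encryption": fields[3].decode("ascii"), "payload": fields[4]}


def ab_to_tar(data: bytes) -> bytes:
    """Return the tar archive inside an unencrypted backup."""
    hdr = parse_ab_header(data)
    if hdr["encryption"] != "none":
        # Encrypted backups carry key material after the header, not the tar stream.
        raise ValueError("backup is encrypted (%s); password needed" % hdr["encryption"])
    return zlib.decompress(hdr["payload"]) if hdr["compressed"] else hdr["payload"]


def list_members(tar_bytes: bytes) -> list:
    """List the file names stored in the extracted tar archive."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return tar.getnames()


def make_sample_backup(encryption: bytes = b"none") -> bytes:
    """Build a constructed, tiny .ab file so the example runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        body = b"constructed placeholder, not real SMS data"
        info = tarfile.TarInfo(SAMPLE_PATH)
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return MAGIC + b"\n5\n1\n" + encryption + b"\n" + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    sample = make_sample_backup()
    print(parse_ab_header(sample)["encryption"], list_members(ab_to_tar(sample)))
```

To run it against a real file, pass the bytes of backup.ab to ab_to_tar() and inspect list_members() before running the check-backup step.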