Suspicious app not installed from the app store or MDM (false detection?) #495
Comments
I'm happy to supply more data privately if that would be useful. obviously the fields mentioned above are not the only fields in
any suggestions on this question? more data i should try to gather?
Hi @dkg, So I am not fully clear why you would have a different sourceApp there, a similar case was reported in #487 so it may be a recent change in iOS 17. Is this phone in iOS 17? Do you have a I hope it helps
Hi @Te-k, thanks for the feedback. I agree it's weird that the I believe the device is iOS 17, but i'm currently only looking at the artifacts generated from the MVT scan. is there a standard way to get that information from the artifacts, or do i need to go back to the device to get that info?
i can confirm that the device was running iOS 17.4 at the time of the scan. Any pointers as to next steps that would be useful?
Hi @dkg, apologies for the delay. I have rechecked on a phone with iOS 17+ and I wasn't able to reproduce that. All the apps I have include sourceApp and distributorInfo fields. So I really don't have an explanation for this behaviour.
thanks for getting back to this. i am unaware of any unusual pattern of activity on the phone. it's a well-lived-in device that has probably been updated from older devices (that is, i believe the installation included porting user data and apps from older phones as part of a normal life cycle upgrade). But i don't think that'd be unusual for normal iPhone use. Are there any concrete things that you think might be worth checking? i no longer have easy access to this device (and it's certainly changed some in the meantime) but i can try to get some tests run if you think they'd be useful.
A recent run of mvt-ios warned that two applications had not been installed from the app store or from MDM:

in applications_detected.json, both app descriptors contained identical values of the following keys:

Both also contained a top-level isodate field from the same day (different times) and a com.apple.iTunesStore.downloadInfo member that contains a dict with a purchaseDate (matching the outer isodate but in UTC) and an accountInfo that appears to contain static information about the user's AppleID.

This seems similar to #348, #383, and #487, but i don't know whether it is something to be concerned about. the date is several years in the past, so i don't have great notes about what else was happening at the time. Can you help me make sense of this alert? does the warning need to be tuned to avoid a false alarm?