spytrap-adb 0.3.5

Test a phone for stalkerware using adb and usb debugging to scan for suspicious apps and configuration
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133

use crate::accessibility;
use crate::args;
use crate::dumpsys;
use crate::errors::*;
use crate::ioc::{Suspicion, SuspicionLevel};
use crate::package;
use crate::pm;
use crate::remote_clock;
use crate::rules::Rules;
use crate::settings;
use crate::tui::Message;
use forensic_adb::Device;
use tokio::sync::mpsc;

pub enum ScanNotifier {
    Null,
    Channel(mpsc::Sender<Message>),
}

impl ScanNotifier {
    pub async fn sus(&mut self, sus: Suspicion) -> Result<()> {
        if let ScanNotifier::Channel(tx) = self {
            tx.send(Message::Suspicion(sus)).await?;
        }
        Ok(())
    }

    pub async fn app(&mut self, name: String, sus: Suspicion) -> Result<()> {
        if let ScanNotifier::Channel(tx) = self {
            tx.send(Message::App { name, sus }).await?;
        }
        Ok(())
    }
}

pub struct Settings {
    pub skip_apps: bool,
}

impl From<&args::Scan> for Settings {
    fn from(args: &args::Scan) -> Settings {
        Settings {
            skip_apps: args.skip_apps,
        }
    }
}

pub async fn run(
    device: &Device,
    rules: &Rules,
    scan: &Settings,
    report: &mut ScanNotifier,
) -> Result<()> {
    debug!("Using device: {:?}", device);

    info!("Fetching remote clock");
    let (local_time, remote_time, drift) = remote_clock::determine(device).await?;
    info!(
        "Local time is {}, remote time is {}, drift={:#}",
        local_time, remote_time, drift
    );

    info!("Enumerating android settings");
    for (_namespace, settings) in settings::dump(device).await? {
        for sus in settings.audit() {
            warn!("Suspicious {:?}: {}", sus.level, sus.description);
            report.sus(sus).await?;
        }
    }

    info!("Enumerating service list");
    let services = dumpsys::list_services(device).await?;

    if services.contains("accessibility") {
        info!("Reading accessibility settings");
        let accessibility = accessibility::dump(device).await?;
        for sus in accessibility.audit() {
            warn!("Suspicious {:?}: {}", sus.level, sus.description);
            report.sus(sus).await?;
        }
    }

    if !scan.skip_apps {
        // TODO: maybe `cmd package list packages -f`
        info!("Comparing list of installed apps with known stalkerware ids");

        let installed_apps = pm::list_packages(device).await?;
        let mut progress = 0;
        for apps in installed_apps.chunks(100) {
            info!(
                "Scanning installed apps ({}/{})",
                progress,
                installed_apps.len()
            );

            for pkg in apps {
                progress += 1;

                // TODO: maybe fetch apk and inspect eg. cert

                if let Some(name) = rules.get(&pkg.id) {
                    let alert = format!(
                        "Found known stalkerware with rule: {:?} ({:?})",
                        pkg.id, name
                    );
                    warn!("Suspicious {:?}: {}", SuspicionLevel::High, alert);
                    report
                        .app(
                            pkg.id.clone(),
                            Suspicion {
                                level: SuspicionLevel::High,
                                description: alert,
                            },
                        )
                        .await?;
                }

                // fetch infos about package
                let info = package::dump(device, &pkg.id).await?;
                trace!("package infos {:?}: {:#?}", pkg.id, info);

                for sus in info.audit() {
                    warn!("Suspicious {:?}: {}", sus.level, sus.description);
                    report.app(pkg.id.clone(), sus).await?;
                }
            }
        }
    }

    info!("Scan finished");

    Ok(())
}