mirror of
https://github.com/PrivSec-dev/privsec.dev
synced 2025-02-20 18:31:35 -05:00
Minor additions and typo fixes
This commit is contained in:
parent
e4fa9bd1a2
commit
329d98fd46
@ -13,6 +13,8 @@ For example, there is very little any end-user can do to detect intrusions by th
It should also be recognised and stressed that being targeted by complex mercenary spyware is an expensive undertaking and so the overwhelming majority individuals are very unlikely to be affected. The confirmed targets involve politicians, activists, developers of AI-based guidance systems, lawyers, journalists, and whistleblowers. See The Citizen Lab's [publication list](https://citizenlab.ca/publications/) for more references.
It should also be recognised and stressed that being targeted by complex mercenary spyware is an expensive undertaking and so the overwhelming majority individuals are very unlikely to be affected. The confirmed targets involve politicians, activists, developers of AI-based guidance systems, lawyers, journalists, and whistleblowers. See The Citizen Lab's [publication list](https://citizenlab.ca/publications/) for more references.
We must also strongly emphasise that one of the most effective strategies and habits any end-user can develop to both prevent and defend against these complex attacks is to simply keep your devices running the latest OS versions (see for example updates from [Apple](https://support.apple.com/en-us/HT201222), [Android](https://source.android.com/docs/security/bulletin/asb-overview), and [GrapheneOS](https://grapheneos.org/releases#changelog)) while totally avoiding the use of devices that are no longer receiving patches (end-of-life).
## Detecting traces of known compromise with `mvt`
## Detecting traces of known compromise with `mvt`
Fortunately, [Amnesty International Security Lab](https://www.amnesty.org/en/tech/) have made public their [Mobile Verification Toolkit (MVT)](https://docs.mvt.re/en/latest/) to facilitate the consensual forensic analysis of Android and iOS/iPadOS devices for the purposes of identifying traces of compromise. As discussed in "Limitations" further below, it should be stressed that that this tool can only prove a positive, not a negative. If a device is infected, there is nothing stopping it from reporting a negative even though it actually is compromised.
Fortunately, [Amnesty International Security Lab](https://www.amnesty.org/en/tech/) have made public their [Mobile Verification Toolkit (MVT)](https://docs.mvt.re/en/latest/) to facilitate the consensual forensic analysis of Android and iOS/iPadOS devices for the purposes of identifying traces of compromise. As discussed in "Limitations" further below, it should be stressed that that this tool can only prove a positive, not a negative. If a device is infected, there is nothing stopping it from reporting a negative even though it actually is compromised.
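Review bot: two typos survive in this hunk's unchanged context even though the commit is titled "typo fixes": "the overwhelming majority individuals" is missing "of" ("the overwhelming majority of individuals"), and "it should be stressed that that this tool" doubles "that". The added paragraph also changes person mid-sentence ("any end-user can develop ... keep your devices"); "keep their devices running the latest OS versions" keeps it consistent, and "simply" can be dropped. The substance of the addition, pointing readers at the Apple, Android and GrapheneOS update bulletins and warning against end-of-life devices, is a sensible complement to the detection-only framing of the rest of the section.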
@ -24,7 +26,7 @@ The software can be installed from some of the following sources:
- GitHub [repository](https://github.com/mvt-project/mvt)
- GitHub [repository](https://github.com/mvt-project/mvt)
- PyPi [package](https://pypi.org/project/mvt/)
- PyPi [package](https://pypi.org/project/mvt/)
For iOS/iPadOS devices, if you decide to back up data with `libimobiledevice` instead of iTunes, you may need to install from source using a `git clone` of the [repository](https://github.com/libimobiledevice/libimobiledevice) as opposed to using the latest [release](https://github.com/libimobiledevice/libimobiledevice/releases) in order for it to be compatible with more recent iOS releases as there can often be a large time delay between `libimobiledevice` releases.
For iOS/iPadOS devices, if you decide to back up data with `libimobiledevice` instead of iTunes, you may need to install from source using a `git clone` of the [repository](https://github.com/libimobiledevice/libimobiledevice) as opposed to using the latest [release](https://github.com/libimobiledevice/libimobiledevice/releases) in order for it to be compatible with more recent iOS/iPadOS releases as there can often be a large time delay between `libimobiledevice` releases.
Next, always ensure either the `mvt-android download-iocs` or `mvt-ios download-iocs` command is performed prior to a scan to ensure the latest indicators have been obtained.
Next, always ensure either the `mvt-android download-iocs` or `mvt-ios download-iocs` command is performed prior to a scan to ensure the latest indicators have been obtained.
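Review bot: the one-word change ("iOS releases" to "iOS/iPadOS releases") is fine, but the sentence it lands in chains four clauses together; splitting it would help, e.g. "...as opposed to using the latest release. `libimobiledevice` releases can lag well behind new iOS/iPadOS versions, so a source build is more likely to be compatible with a current device." In the unchanged context, "PyPi" should be written "PyPI", and "always ensure either the ... command is performed prior to a scan" reads more directly as "always run `mvt-android download-iocs` or `mvt-ios download-iocs` before a scan so that the latest indicators are used".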
@ -49,7 +51,7 @@ Therefore we highlight a few strict requirements prior to using `mvt`. First ens
Next, for transferring internal mobile device content, ensure the data is only ever copied to encrypted storage media. Never under any situation use a unencrypted device to store and analyse the mobile device data since data recovery of ‘deleted’ files is very mature profession [[12](https://en.wikipedia.org/wiki/Data_recovery), [13](https://en.wikipedia.org/wiki/Data_erasure), [14](https://docs.bleachbit.org/doc/shred-files-and-wipe-disks.html)].
Next, for transferring internal mobile device content, ensure the data is only ever copied to encrypted storage media. Never under any situation use a unencrypted device to store and analyse the mobile device data since data recovery of ‘deleted’ files is very mature profession [[12](https://en.wikipedia.org/wiki/Data_recovery), [13](https://en.wikipedia.org/wiki/Data_erasure), [14](https://docs.bleachbit.org/doc/shred-files-and-wipe-disks.html)].
For maximum privacy the author advises the use of [VeraCrypt](https://www.veracrypt.fr/en/Home.html) volumes as these enable robust cross-platform compatibility allowing the seamless construction of containers with pre-determined size using unmodified existing desktop OS installations. Additionally, while there are countless alternatives methods to securely store data such as other disk encryption software or even the use of RAM disks, we ultimately leave this decision to the reader. Regarding the recommendation of VeraCrypt, there exists substantial evidence from very experienced and well-established ([nation-state-sponsored](https://www.elcomsoft.com/company.html)) practitioners [[15](https://blog.elcomsoft.com/2020/01/a-comprehensive-guide-on-securing-your-system-archives-and-documents/), [16](https://blog.elcomsoft.com/2020/03/breaking-veracrypt-containers/), [17](https://blog.elcomsoft.com/2021/06/breaking-veracrypt-obtaining-and-extracting-on-the-fly-encryption-keys/)] detailing its strengths (despite some theoretical limitations discussed across various online forum threads). In short, the 75 possible unique combinations of [symmetric encryption algorithms](https://www.veracrypt.fr/en/Encryption%20Algorithms.html) and [hashing algorithms](https://www.veracrypt.fr/en/Hash%20Algorithms.html) (without any specifics being stored in the disk header), variable [PIM](https://www.veracrypt.fr/en/Personal%20Iterations%20Multiplier%20(PIM).html) selection, and also the ability to create [hidden volumes](https://www.veracrypt.fr/en/Hidden%20Volume.html) are only some of the reasons that make VeraCrypt a good default choice.
For maximum privacy the author advises the use of [VeraCrypt](https://www.veracrypt.fr/en/Home.html) volumes as these enable robust cross-platform compatibility allowing the seamless construction of containers with predetermined size using unmodified existing desktop OS installations. Additionally, while there are countless alternatives methods to securely store data such as other disk encryption software or even the use of RAM disks, we ultimately leave this decision to the reader. Regarding the recommendation of VeraCrypt, there exists substantial evidence from very experienced and well-established ([nation-state-sponsored](https://www.elcomsoft.com/company.html)) practitioners [[15](https://blog.elcomsoft.com/2020/01/a-comprehensive-guide-on-securing-your-system-archives-and-documents/), [16](https://blog.elcomsoft.com/2020/03/breaking-veracrypt-containers/), [17](https://blog.elcomsoft.com/2021/06/breaking-veracrypt-obtaining-and-extracting-on-the-fly-encryption-keys/)] detailing its strengths (despite some theoretical limitations discussed across various online forum threads). In short, the 75 possible unique combinations of [symmetric encryption algorithms](https://www.veracrypt.fr/en/Encryption%20Algorithms.html) and [hashing algorithms](https://www.veracrypt.fr/en/Hash%20Algorithms.html) (without any of their respective specifics being stored in the disk header), variable [PIM](https://www.veracrypt.fr/en/Personal%20Iterations%20Multiplier%20(PIM).html) selection, and also the ability to create [hidden volumes](https://www.veracrypt.fr/en/Hidden%20Volume.html) are only some of the reasons that make VeraCrypt a good default choice.
If using VeraCrypt, simply create a new volume prior to a scan and only use this volume for all `mvt` related data. For typical devices the required VeraCrypt volume size for `mvt` outputs depends on the length of history of the device, allocating 1GB should generally be more than sufficient for most cases involving Android devices. For iOS/iPadOS devices, since the entire contents of the devices must also be transferred, allocated volume size must be sufficiently greater than double the size of the all data stored on the mobile devices.
If using VeraCrypt, simply create a new volume prior to a scan and only use this volume for all `mvt` related data. For typical devices the required VeraCrypt volume size for `mvt` outputs depends on the length of history of the device, allocating 1GB should generally be more than sufficient for most cases involving Android devices. For iOS/iPadOS devices, since the entire contents of the devices must also be transferred, allocated volume size must be sufficiently greater than double the size of the all data stored on the mobile devices.
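Review bot: "a unencrypted device" in this hunk's unchanged context should be "an unencrypted device", and "is very mature profession" needs an article ("is a very mature profession"); both are exactly the kind of fix the commit title promises and sit only two lines above the edited paragraph. Further down, "countless alternatives methods" should be "countless alternative methods", the sentence "...depends on the length of history of the device, allocating 1GB should generally be..." is a comma splice (split it or use a semicolon), and "double the size of the all data" should read "double the size of all the data". The two wording changes that are in the hunk, "pre-determined" to "predetermined" and the clearer "without any of their respective specifics being stored in the disk header", are both improvements.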
@ -63,7 +65,7 @@ If you are using `mvt` purely due to a mixture of paranoia and curiosity, after
While `mvt` is a very handy tool and periodic scans should be performed with a frequency proportional to your threat model, it is once again only a detection tool based on [known indicators](https://deploy-preview-86--privsec-dev.netlify.app/posts/knowledge/badness-enumeration/) of compromise. It is also reasonable to assume that once indicators are publicly exposed, sophisticated threat actors will take steps to modify their existing spyware and potentially even temporarily erase it from your device in order to avoid detection. This can be very clearly seen through the time-evolution of NSO Group’s Pegasus infrastructure ([Section 9.3](https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/)) where known malicious domains are quickly replaced. More recently there appears to be shift to using cloud service providers.
While `mvt` is a very handy tool and periodic scans should be performed with a frequency proportional to your threat model, it is once again only a detection tool based on [known indicators](https://deploy-preview-86--privsec-dev.netlify.app/posts/knowledge/badness-enumeration/) of compromise. It is also reasonable to assume that once indicators are publicly exposed, sophisticated threat actors will take steps to modify their existing spyware and potentially even temporarily erase it from your device in order to avoid detection. This can be very clearly seen through the time-evolution of NSO Group’s Pegasus infrastructure ([Section 9.3](https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/)) where known malicious domains are quickly replaced. More recently there appears to be shift to using cloud service providers.
Therefore, as with “anti-virus” programs, `mvt` is simply a detection tool with no explicit preventive capabilities. Note that while `mvt` still require extensive administrative permissions at runtime for extracting data from both Android and iOS devices, the software can be used in a purely offline manner with zero built-in telemetry.
Therefore, as with “anti-virus” programs, `mvt` is simply a detection tool with no explicit preventive capabilities. Note that while `mvt` still requires extensive administrative permissions at runtime when extracting data from both Android and iOS/iPadOS devices, the software can be used in a purely offline manner with zero built-in telemetry.
## Advanced extensions
## Advanced extensions
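Review bot: the "known indicators" link in the unchanged context points at a Netlify deploy preview (deploy-preview-86--privsec-dev.netlify.app), which is a temporary build host and will break once that preview is torn down; it should be the site's own path (/posts/knowledge/badness-enumeration/). Also in the context, "there appears to be shift to using cloud service providers" is missing an article ("a shift"). The grammar fix "still require" to "still requires" is correct, "when extracting" reads better than "for extracting", and the "iOS" to "iOS/iPadOS" change matches the wording used elsewhere in the article.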