mirror of https://github.com/PrivSec-dev/privsec.dev synced 2025-02-20 18:31:35 -05:00

Incorporate peer feedback

This commit is contained in:
Raja Grewal 2023-05-16 01:37:35 +10:00 committed by Tommy
parent 55b53fcc9f
commit 6dd3006a03


@ -1,6 +1,6 @@
--- ---
title: "Mobile Verification Toolkit for Android and iOS" title: "Mobile Verification Toolkit for Android and iOS"
date: 2022-11-19 date: 2023-05-16
tags: ['Knowledge base', 'Privacy', 'Security', 'Android', 'iOS'] tags: ['Knowledge base', 'Privacy', 'Security', 'Android', 'iOS']
author: Raja Grewal author: Raja Grewal
--- ---
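Review bot: overwriting `date` with 2023-05-16 discards the original 2022-11-19 publication date from the front matter, so readers can no longer tell when the advice was first written. If the site's front matter supports a separate last-modified field (`lastmod` is the usual name), keep `date: 2022-11-19` and add `lastmod: 2023-05-16` so both dates survive; otherwise mention the revision date in the body.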
@ -9,15 +9,15 @@ One of the key principle components involved in maintaining both strong privacy
Building on this, both independent and mainstream media are constantly awash with stories regarding the frequent discoveries of sophisticated malware installed on users phones that have the ability totally compromise a device by giving external parties effectively root access. The most well-known of these variants of spyware target hitherto unknown zero-day exploits as thoroughly discussed by [Amnesty International Security Lab](https://www.amnesty.org/en/tech/) and [The Citizen Lab](https://citizenlab.ca/). Building on this, both independent and mainstream media are constantly awash with stories regarding the frequent discoveries of sophisticated malware installed on users phones that have the ability totally compromise a device by giving external parties effectively root access. The most well-known of these variants of spyware target hitherto unknown zero-day exploits as thoroughly discussed by [Amnesty International Security Lab](https://www.amnesty.org/en/tech/) and [The Citizen Lab](https://citizenlab.ca/).
For example, there is very little any end-user can do to detect intrusions by the infamous Pegasus spyware made by the NSO Group, see [[1](https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/), [2](https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/), [3](https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/), [4](https://forbiddenstories.org/case/the-pegasus-project/)]. Other high-profile recent examples include [Candiru's spyware](https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/) and [Cytroxs Predator](https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/). For example, there is very little any end-user can do to detect intrusions by the infamous Pegasus spyware made by the NSO Group, see [[1](https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/), [2](https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/), [3](https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/), [4](https://forbiddenstories.org/case/the-pegasus-project/), [5](https://citizenlab.ca/2022/01/project-torogoz-extensive-hacking-media-civil-society-el-salvador-pegasus-spyware/), [6](https://citizenlab.ca/2022/02/bahraini-activists-hacked-with-pegasus/), [7](https://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/), [8](https://citizenlab.ca/2022/04/uk-government-officials-targeted-pegasus/), [9](https://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/), [10](https://citizenlab.ca/2022/10/new-pegasus-spyware-abuses-identified-in-mexico/), 
[11](https://citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022/)]. Other high-profile recent examples of mercenary spyware vendors include [Candiru](https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/), [Cytrox](https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/), an [undisclosed company](https://www.amnesty.org/en/latest/news/2023/03/new-android-hacking-campaign-linked-to-mercenary-spyware-company/), and [QuaDream](https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/).
It should also be recognised and stressed that being targeted by complex mercenary spyware is an expensive undertaking and so the overwhelming majority individuals are very unlikely to be affected. The confirmed targets involve politicians, activists, developers of AI-based guidance systems, lawyers, journalists, and whistleblowers. See The Citizen Lab's [publication list](https://citizenlab.ca/publications/) for more references. It should also be recognised and stressed that being targeted by complex mercenary spyware is an expensive undertaking and so the overwhelming majority individuals are very unlikely to be affected. The confirmed targets involve politicians, activists, developers of AI-based guidance systems, lawyers, journalists, and whistleblowers. See The Citizen Lab's [publication list](https://citizenlab.ca/publications/) for more references.
## Detecting traces of compromise with `mvt` ## Detecting traces of known compromise with `mvt`
Fortunately, [Amnesty International Security Lab](https://www.amnesty.org/en/tech/) have made public their [Mobile Verification Toolkit (MVT)](https://docs.mvt.re/en/latest/) to facilitate the consensual forensic analysis of Android and iOS/iPadOS devices for the purposes of identifying traces of compromise. Fortunately, [Amnesty International Security Lab](https://www.amnesty.org/en/tech/) have made public their [Mobile Verification Toolkit (MVT)](https://docs.mvt.re/en/latest/) to facilitate the consensual forensic analysis of Android and iOS/iPadOS devices for the purposes of identifying traces of compromise. As discussed in "Limitations" further below, it should be stressed that that this tool can only prove a positive, not a negative. If a device is infected, there is nothing stopping it from reporting a negative even though it actually is compromised.
MVT analyses your device for a broad range of indicators of compromise obtained from a wide range of sources including [Amnesty Tech](https://github.com/AmnestyTech/investigations) and [Echap](https://github.com/AssoEchap/stalkerware-indicators). Note the tool is currently only accessible using the command line interface. MVT analyses your device for a broad range of known historical indicators of compromise obtained from a wide range of sources including [Amnesty Tech](https://github.com/AmnestyTech/investigations) and [Echap](https://github.com/AssoEchap/stalkerware-indicators). As such, use of this tool can not provide any sort of guarantee against an attack from a sophisticated actor as they would be well-aware of what MVT is capable of detecting. Note the tool is currently only accessible using the command line interface.
The software can be installed from some of the following sources: The software can be installed from some of the following sources:
- Arch Linux [package](https://archlinux.org/packages/community/any/mvt/) - Arch Linux [package](https://archlinux.org/packages/community/any/mvt/)
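Review bot: the new limitations sentence at the end of the MVT introduction paragraph has a doubled word and an ambiguous pronoun: "it should be stressed that that this tool can only prove a positive, not a negative. If a device is infected, there is nothing stopping it from reporting a negative" reads as though the device, not the tool, does the reporting. Suggest: "it should be stressed that this tool can only prove a positive, not a negative: a compromised device can still produce a clean result." In the following paragraph, "can not provide any sort of guarantee" should be "cannot provide any guarantee". Since the surrounding context lines are part of this hunk anyway, the pre-existing "have the ability totally compromise a device" (missing "to") and "the overwhelming majority individuals" (missing "of") could be fixed in the same change. The heading change to "known compromise" is consistent with the new wording and is fine.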
@ -49,7 +49,9 @@ Therefore we highlight a few strict requirements prior to using `mvt`. First ens
Next, for transferring internal mobile device content, ensure the data is only ever copied to encrypted storage media. Never under any situation use a unencrypted device to store and analyse the mobile device data since data recovery of deleted files is very mature profession. Next, for transferring internal mobile device content, ensure the data is only ever copied to encrypted storage media. Never under any situation use a unencrypted device to store and analyse the mobile device data since data recovery of deleted files is very mature profession.
For maximum privacy we advise the use of [VeraCrypt](https://www.veracrypt.fr/en/Home.html) volumes. Simply create a new volume prior to a scan and only use this volume for all `mvt` related data. For typical devices the required VeraCrypt volume size for `mvt` outputs depends on the length of history of the device, allocating 1GB should be more than sufficient for most cases. For iOS/iPadOS devices, since the entire contents of the devices must also be transferred, allocated volume size must be sufficiently greater than double the size of the all data stored on the mobile devices. Upon completion of the scans, you can transfer `mvt` outputs to other secure storage media for logging purposes, then dismount and delete the VeraCrypt volume which will assist in preventing forensic data recovery. For maximum privacy the author advises the use of [VeraCrypt](https://www.veracrypt.fr/en/Home.html) volumes as these enable robust cross-platform compatibility allowing the seamless construction of containers with pre-determined size using unmodified existing desktop OS installations. Additionally, while there are countless alternatives methods to securely store data such as other disk encryption software or even the use of RAM disks, we ultimately leave this decision to the reader. Regarding the default recommendation of VeraCrypt, there exists substantial evidence from very experienced and well-established practitioners [[1](https://blog.elcomsoft.com/2020/01/a-comprehensive-guide-on-securing-your-system-archives-and-documents/), [2](https://blog.elcomsoft.com/2020/03/breaking-veracrypt-containers/), [3](https://blog.elcomsoft.com/2021/06/breaking-veracrypt-obtaining-and-extracting-on-the-fly-encryption-keys/)] detailing its strengths (despite some theoretical limitations discussed across various online forum threads).
If using VeraCrypt, simply create a new volume prior to a scan and only use this volume for all `mvt` related data. For typical devices the required VeraCrypt volume size for `mvt` outputs depends on the length of history of the device, allocating 1GB should generally be more than sufficient for most cases involving Android devices. For iOS/iPadOS devices, since the entire contents of the devices must also be transferred, allocated volume size must be sufficiently greater than double the size of the all data stored on the mobile devices. Upon completion of the scans, you can transfer `mvt` outputs to other secure similarly storage media for logging purposes, then dismount and delete the VeraCrypt volume which will assist in preventing forensic data recovery.
To emphasise again, extreme care must be taken with the handling and storage of all `mvt` related data. Any leak of this data would be very dangerous as it provides extraordinary amounts of detail regarding the internal contents of the mobile device, the overwhelming of which is even impossible to access on-device. To emphasise again, extreme care must be taken with the handling and storage of all `mvt` related data. Any leak of this data would be very dangerous as it provides extraordinary amounts of detail regarding the internal contents of the mobile device, the overwhelming of which is even impossible to access on-device.
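Review bot: the three Elcomsoft references added to the VeraCrypt paragraph are cited as "detailing its strengths", but two of them are titled "Breaking VeraCrypt containers" and "Breaking VeraCrypt: obtaining and extracting on-the-fly encryption keys", i.e. their subject is attacks against VeraCrypt, in particular recovering the keys of a volume that is (or was recently) mounted. Either reword the sentence to say what those posts actually support, and turn it into an operational instruction the reader needs here (dismount the volume as soon as the scan is finished and do not sleep or hibernate the host while it is mounted, since the cited attacks go after keys held in memory), or drop the citations. In the next paragraph, "transfer `mvt` outputs to other secure similarly storage media" should read "other similarly secure storage media", and "countless alternatives methods" should be "alternative methods". The voice also flips between "the author advises" and "we ultimately leave this decision to the reader" within the same paragraph; pick one. Pre-existing typos in the touched context lines worth fixing while here: "a unencrypted device", "data recovery of deleted files is very mature profession" (missing "a"), and "the overwhelming of which" (missing "majority").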