Adds support for MMS parsing in android backups

mvt/android/modules/backup/sms.py

@@ -34,5 +34,11 @@ class SMS(BackupExtraction):
             self.log.info("Processing SMS backup file at %s", file)
             data = self._get_file_content(file)
             self.results.extend(parse_sms_file(data))
-        self.log.info("Extracted a total of %d SMS messages containing links",
+
+        for file in self._get_files_by_pattern("apps/com.android.providers.telephony/d_f/*_mms_backup"):
+            self.log.info("Processing MMS backup file at %s", file)
+            data = self._get_file_content(file)
+            self.results.extend(parse_sms_file(data))
+
+        self.log.info("Extracted a total of %d SMS & MMS messages containing links",
                       len(self.results))

mvt/android/parsers/backup.py

@@ -174,7 +174,8 @@ def parse_tar_for_sms(data):
     tar = tarfile.open(fileobj=dbytes)
     res = []
     for member in tar.getmembers():
-        if member.name.startswith("apps/com.android.providers.telephony/d_f/") and member.name.endswith("_sms_backup"):
+        if member.name.startswith("apps/com.android.providers.telephony/d_f/") and \
+                (member.name.endswith("_sms_backup") or member.name.endswith("_mms_backup")):
             dhandler = tar.extractfile(member)
             res.extend(parse_sms_file(dhandler.read()))
 
@@ -183,15 +184,21 @@ def parse_tar_for_sms(data):
 
 def parse_sms_file(data):
     """
-    Parse an SMS file extracted from a folder
-    Returns a list of SMS entries
+    Parse an SMS or MMS file extracted from a backup
+    Returns a list of SMS or MMS entries
     """
     res = []
     data = zlib.decompress(data)
     json_data = json.loads(data)
 
     for entry in json_data:
+        # Adapt MMS format to SMS format
+        if "mms_body" in entry:
+            entry["body"] = entry["mms_body"]
+            entry.pop("mms_body")
+
         message_links = check_for_links(entry["body"])
+
         utc_timestamp = datetime.datetime.utcfromtimestamp(int(entry["date"]) / 1000)
         entry["isodate"] = convert_timestamp_to_iso(utc_timestamp)
         entry["direction"] = ("sent" if int(entry["date_sent"]) else "received")

tests/android/test_backup_module.py

@@ -26,7 +26,7 @@ class TestBackupModule:
                 files.append(os.path.relpath(os.path.join(root, fname), backup_path))
         mod.from_folder(backup_path, files)
         run_module(mod)
-        assert len(mod.results) == 1
+        assert len(mod.results) == 2
         assert len(mod.results[0]["links"]) == 1
         assert mod.results[0]["links"][0] == "https://google.com/"
 
@@ -43,7 +43,7 @@ class TestBackupModule:
             files.append(member.name)
         mod.from_ab(fpath, tar, files)
         run_module(mod)
-        assert len(mod.results) == 1
+        assert len(mod.results) == 2
         assert len(mod.results[0]["links"]) == 1
 
     def test_module_file2(self):

tests/android/test_backup_parser.py

@@ -20,12 +20,12 @@ class TestBackupParsing:
 
         m = hashlib.sha256()
         m.update(ddata)
-        assert m.hexdigest() == "0799b583788908f06bccb854608cede375041ee878722703a39182edeb008324"
+        assert m.hexdigest() == "ce1ac5009fea5187a9f546b51e1446ba450243ae91d31dc779233ec0937b5d18"
         sms = parse_tar_for_sms(ddata)
         assert isinstance(sms, list)
-        assert len(sms) == 1
+        assert len(sms) == 2
         assert len(sms[0]["links"]) == 1
-        assert sms[0]["links"][0] == "https://google.com/"
+        assert sms[0]["links"][0] == "http://google.com"
 
     def test_parsing_encryption(self):
         file = get_artifact("android_backup/backup2.ab")