mvt/mvt/ios/modules/mixed/safari_history.py

# Mobile Verification Toolkit (MVT)
# Copyright (c) 2021 The MVT Project Authors.
# Use of this software is governed by the MVT License 1.1 that can be found at
#   https://license.mvt.re/1.1/

import os
import sqlite3

from mvt.common.url import URL
from mvt.common.utils import convert_mactime_to_unix, convert_timestamp_to_iso

from ..base import IOSExtraction

SAFARI_HISTORY_BACKUP_RELPATH = "Library/Safari/History.db"
SAFARI_HISTORY_ROOT_PATHS = [
    "private/var/mobile/Library/Safari/History.db",
    "private/var/mobile/Containers/Data/Application/*/Library/Safari/History.db",
]


class SafariHistory(IOSExtraction):
    """This module extracts all Safari visits and tries to detect potential
    network injection attacks.


    """

    def __init__(self, file_path=None, base_folder=None, output_folder=None,
                 fast_mode=False, log=None, results=[]):
        super().__init__(file_path=file_path, base_folder=base_folder,
                         output_folder=output_folder, fast_mode=fast_mode,
                         log=log, results=results)

    def serialize(self, record):
        return {
            "timestamp": record["isodate"],
            "module": self.__class__.__name__,
            "event": "safari_history",
            "data": f"Safari visit to {record['url']} (ID: {record['id']}, Visit ID: {record['visit_id']})",
        }

    def _find_injections(self):
        for result in self.results:
            # We presume injections only happen on HTTP visits.
            if not result["url"].lower().startswith("http://"):
                continue

            # If there is no destination, no redirect happened.
            if not result["redirect_destination"]:
                continue

            origin_domain = URL(result["url"]).domain

            # We loop again through visits in order to find redirect record.
            for redirect in self.results:
                if redirect["visit_id"] != result["redirect_destination"]:
                    continue

                redirect_domain = URL(redirect["url"]).domain
                # If the redirect destination is the same domain as the origin,
                # it's most likely an HTTPS upgrade.
                if origin_domain == redirect_domain:
                    continue

                self.log.info("Found HTTP redirect to different domain: \"%s\" -> \"%s\"",
                              origin_domain, redirect_domain)

                redirect_time = convert_mactime_to_unix(redirect["timestamp"])
                origin_time = convert_mactime_to_unix(result["timestamp"])
                elapsed_time = redirect_time - origin_time
                elapsed_ms = elapsed_time.microseconds / 1000

                if elapsed_time.seconds == 0:
                    self.log.warning("Redirect took less than a second! (%d milliseconds)", elapsed_ms)

    def check_indicators(self):
        self._find_injections()

        if not self.indicators:
            return

        for result in self.results:
            if self.indicators.check_domain(result["url"]):
                self.detected.append(result)

    def _process_history_db(self, history_path):
        self._recover_sqlite_db_if_needed(history_path)
        conn = sqlite3.connect(history_path)
        cur = conn.cursor()
        cur.execute("""
            SELECT
                history_items.id,
                history_items.url,
                history_visits.id,
                history_visits.visit_time,
                history_visits.redirect_source,
                history_visits.redirect_destination
            FROM history_items
            JOIN history_visits ON history_visits.history_item = history_items.id
            ORDER BY history_visits.visit_time;
        """)

        for row in cur:
            self.results.append({
                "id": row[0],
                "url": row[1],
                "visit_id": row[2],
                "timestamp": row[3],
                "isodate": convert_timestamp_to_iso(convert_mactime_to_unix(row[3])),
                "redirect_source": row[4],
                "redirect_destination": row[5],
                "safari_history_db": os.path.relpath(history_path, self.base_folder),
            })

        cur.close()
        conn.close()

    def run(self):
        if self.is_backup:
            for history_file in self._get_backup_files_from_manifest(relative_path=SAFARI_HISTORY_BACKUP_RELPATH):
                history_path = self._get_backup_file_from_id(history_file["file_id"])
                if not history_path:
                    continue

                self.log.info("Found Safari history database at path: %s", history_path)
                self._process_history_db(history_path)
        elif self.is_fs_dump:
            for history_path in self._get_fs_files_from_patterns(SAFARI_HISTORY_ROOT_PATHS):
                self.log.info("Found Safari history database at path: %s", history_path)
                self._process_history_db(history_path)

        self.log.info("Extracted a total of %d history records", len(self.results))