
Suspicious app not installed from the app store or MDM (false detection?) #495

Open
dkg opened this issue Apr 30, 2024 · 5 comments

Comments

@dkg
Contributor

dkg commented Apr 30, 2024

A recent run of mvt-ios warned that two applications had not been installed from the app store or from MDM:

Suspicious app not installed from the app store or MDM

In applications_detected.json, both app descriptors contained identical values for the following keys:

{
  "is-auto-download": false,
  "launchProhibited": true,
  "is-purchased-redownload": false,
  "s": 143441,
  "isFactoryInstall": false,
  "gameCenterEverEnabled": false,
  "gameCenterEnabled": false,
  "kind": "software",
  "hasMessagesExtension": true,
  "betaExternalVersionIdentifier": 0,
  "variantID": "iPhone9,3",
  "sideLoadedDeviceBasedVPP": false,
  "DeviceBasedVPP": false,
  "sourceApp": "com.apple.datausage.atc",
  "subgenres": [],
  "rating": {
    "label": "4+",
    "rank": 100
  },
  "icon_sha256": "8f447f708ca1c4cca4d6934c4c1fd0eee374b85ae159befe7534c1a869cc415b"
}

Both also contained a top-level isodate field from the same day (different times) and a com.apple.iTunesStore.downloadInfo member that contains a dict with a purchaseDate (matching the outer isodate but in UTC) and an accountInfo that appears to contain static information about the user's AppleID.

This seems similar to #348, #383, and #487, but I don't know whether it is something to be concerned about. The date is several years in the past, so I don't have great notes about what else was happening at the time. Can you help me make sense of this alert? Does the warning need to be tuned to avoid a false alarm?

@dkg
Contributor Author

dkg commented Apr 30, 2024

I'm happy to supply more data privately if that would be useful. Obviously the fields mentioned above are not the only fields in applications_detected.json, but I don't want to publish more info than I need to.

@dkg
Contributor Author

dkg commented May 6, 2024

Any suggestions on this question? More data I should try to gather?

@Te-k
Contributor

Te-k commented May 6, 2024

Hi @dkg,
The Application module is alerting on any app not installed from the App Store or MDM based on the SourceApp field. It was intended to detect side-loaded apps that can be used by spyware such as Hermit and doesn't usually raise a lot of false positives (but we are expecting to see some with alternative stores being accepted in the EU soon).

So I am not fully clear why you would have a different sourceApp there; a similar case was reported in #487, so it may be a recent change in iOS 17. Is this phone on iOS 17? Do you have a distributorInfo entry about this app? If the app was coming from the App Store, it should be mentioned there (and if this is more reliable than the sourceApp entry, we will consider changing the check to this structure instead).

I hope it helps

@dkg
Contributor Author

dkg commented May 10, 2024

Hi @Te-k, thanks for the feedback. I agree it's weird that the sourceApp fields are noted as com.apple.datausage.atc -- I don't know what that is supposed to mean. I don't have a distributorInfo about either app at all. Of the 188 apps in applications.json, only 152 of them have a distributorInfo, though.

I believe the device is on iOS 17, but I'm currently only looking at the artifacts generated from the MVT scan. Is there a standard way to get that information from the artifacts, or do I need to go back to the device to get that info?
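The two points raised above, Te-k's description of the Application module alerting on any sourceApp other than the App Store or MDM, and dkg's count of how many records carry a distributorInfo entry, can be reproduced offline against an applications.json dump. The script below is an added example written for this thread; it is not MVT's own code and does not quote MVT's allow-list. The sample records are constructed: only the field names (sourceApp, distributorInfo, isodate, com.apple.iTunesStore.downloadInfo / purchaseDate) and the value com.apple.datausage.atc come from the issue; the "bundle_id" key, the other values, and the assumed App Store identifier "com.apple.AppStore" are placeholders to be checked against a real dump.

```python
import json
from typing import Any, Iterable

# CONSTRUCTED sample in the shape of the applications.json records discussed in
# this issue. Only the field names and the value "com.apple.datausage.atc" come
# from the thread; the "bundle_id" key and every other value are made up.
SAMPLE_APPLICATIONS_JSON = json.dumps([
    {
        "bundle_id": "com.example.storeapp",
        "isodate": "2019-03-02 10:15:00.000000",
        "sourceApp": "com.apple.AppStore",
        "distributorInfo": {"distributorName": "Example Dev"},
        "com.apple.iTunesStore.downloadInfo": {"purchaseDate": "2019-03-02T09:15:00Z"},
    },
    {
        "bundle_id": "com.example.oddsource1",
        "isodate": "2019-03-02 11:40:00.000000",
        "sourceApp": "com.apple.datausage.atc",
        "com.apple.iTunesStore.downloadInfo": {"purchaseDate": "2019-03-02T10:40:00Z"},
    },
    {
        "bundle_id": "com.example.oddsource2",
        "isodate": "2019-03-02 18:05:00.000000",
        "sourceApp": "com.apple.datausage.atc",
        "com.apple.iTunesStore.downloadInfo": {"purchaseDate": "2019-03-02T17:05:00Z"},
    },
    {
        "bundle_id": "com.example.nodistributor",
        "isodate": "2021-07-14 08:00:00.000000",
        "sourceApp": "com.apple.AppStore",
    },
])

# ASSUMED: the issue does not quote MVT's allow-list. "com.apple.AppStore" is the
# identifier assumed here for App Store installs; the MDM source identifier is
# not given on the page, so it is left out rather than guessed.
TRUSTED_SOURCE_APPS = frozenset({"com.apple.AppStore"})


def load_applications(text: str) -> list[dict[str, Any]]:
    """Parse the JSON array of app records that MVT writes to applications.json."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("applications.json should be a JSON array of app records")
    return data


def triage_app(app: dict[str, Any],
               trusted: Iterable[str] = TRUSTED_SOURCE_APPS) -> dict[str, Any]:
    """Apply the sourceApp rule and collect the evidence a reviewer wants next to
    it: whether distributorInfo is present and what purchaseDate the iTunes Store
    download record carries."""
    source = app.get("sourceApp")
    download_info = app.get("com.apple.iTunesStore.downloadInfo") or {}
    return {
        "bundle_id": app.get("bundle_id"),
        "sourceApp": source,
        "flagged": source not in set(trusted),
        "has_distributor_info": "distributorInfo" in app,
        "purchaseDate": download_info.get("purchaseDate"),
    }


def summarize(apps: list[dict[str, Any]],
              trusted: Iterable[str] = TRUSTED_SOURCE_APPS) -> dict[str, int]:
    """Counts that answer the thread's questions: how many apps the sourceApp rule
    flags, how many carry distributorInfo at all, and how many flagged apps lack
    it (the ones a distributorInfo-based check could not vouch for either)."""
    rows = [triage_app(a, trusted) for a in apps]
    return {
        "total": len(rows),
        "with_distributor_info": sum(r["has_distributor_info"] for r in rows),
        "flagged": sum(r["flagged"] for r in rows),
        "flagged_without_distributor_info": sum(
            r["flagged"] and not r["has_distributor_info"] for r in rows),
    }


def unusual_sources(apps: list[dict[str, Any]],
                    trusted: Iterable[str] = TRUSTED_SOURCE_APPS) -> dict[str, int]:
    """Histogram of sourceApp values outside the trusted set, so a value shared by
    several flagged apps (as with the two apps in this issue) stands out."""
    counts: dict[str, int] = {}
    for row in (triage_app(a, trusted) for a in apps):
        if row["flagged"]:
            counts[row["sourceApp"]] = counts.get(row["sourceApp"], 0) + 1
    return counts


if __name__ == "__main__":
    apps = load_applications(SAMPLE_APPLICATIONS_JSON)
    for row in map(triage_app, apps):
        if row["flagged"]:
            print(row)
    print(summarize(apps))
    print(unusual_sources(apps))
```

Run against a real dump by replacing SAMPLE_APPLICATIONS_JSON with the file contents; the ratio reported by summarize (here 1 of 4 records with distributorInfo, mirroring dkg's 152 of 188) is what decides whether distributorInfo is complete enough to replace the sourceApp rule, and unusual_sources shows whether a flagged value is a one-off or recurs across apps installed the same day.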

@dkg
Contributor Author

dkg commented May 21, 2024

I can confirm that the device was running iOS 17.4 at the time of the scan. Any pointers as to next steps that would be useful?
