Apple mobile devices and the iPhone in particular are generally regarded as highly secure consumer-grade computing devices. Apple's commitment to security is very real, and that commitment is made evident by the very design of iOS as well as by a steady flow of new features aiming at enhancing user privacy and security. Yet, in July 2021, The Pegasus Project revealed widespread use of military-grade spyware by repressive governments targeting both Android and Apple phones.
These revelations highlight anti-democratic use of advanced surveillance technology which goes far beyond the scope of legitimate criminal or terrorism investigations. Particularly disheartening is the fact that no iPhone is safe – even the latest and fully updated devices were targeted, and successful infections have taken place without any user interaction ('zero-click' attacks). In some cases, all it took was to receive a malicious message, which could then be deleted by the attacker before the user ever became aware of the attack.
In order to prove widespread and overreaching use of surveillance, The Pegasus Project needed to perform digital forensics on the devices of multiple targeted politicians, activists, journalists and lawyers. In that context, Amnesty International's Security Lab developed generic mobile spyware detection methodology and compiled a list of IOCs (Indicators of Compromise) related to Pegasus infection. From Amnesty International's Pegasus Forensic Methodology Report:
In this Forensic Methodology Report, Amnesty International is sharing its methodology and publishing an open-source mobile forensics tool and detailed technical indicators, in order to assist information security researchers and civil society with detecting and responding to these serious threats.
Source: Forensic Methodology Report: How to catch NSO Group’s Pegasus
The open-source mobile forensics tool mentioned above is the Mobile Verification Toolkit (MVT). According to the project's README
file, MVT's goal is to "simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices".
After studying the Mobile Verification Toolkit's Python code, my colleagues and I quickly realized how uniquely positioned we were to facilitate the process even further. iMazing is built on a toolkit which was developed and refined over a decade for the purpose of simplifying iOS backups, file transfers and local device management tasks. It would therefore be possible to relatively quickly re-implement MVT's methodology in our toolkit, and integrate a user-friendly 'wizard' in iMazing's user interface. And because iMazing can already perform iOS backups and decrypt backup files, the tool we envisaged had the potential to dramatically reduce the technical barrier of entry whilst enhancing performance and promoting backup encryption.
At the same time, we started getting Pegasus-related requests from current iMazing users, and noticed increasing interest in MVT from a public not always tech-savvy enough to successfully run its command-line tools. We took the plunge, shifting most of our Windows and macOS development resources to the realisation of a fully integrated equivalent in iMazing. Today, we are releasing the result of that work as a free feature in iMazing 2.14. No setup or prior backup is required – all it takes to get started is to launch iMazing, connect an iPhone and select the Detect Spyware action:
Our spyware analyzer mirrors MVT's methodology very closely:
In addition, it offers the following enhancements:
But also the following downsides and voluntary omissions:
iMazing's spyware analyzer is limited to the detection of a subset of known threats. It does not prevent infection. Its results may be hard to interpret and do not replace expert advice. Its ease of use and low barrier of entry is not without risks, in that some among its users could develop a false sense of security.
For all the reasons listed above, we have taken great care to include upfront information relative to the scope and limitations of our tool every step of the way, translated in all of the eleven languages iMazing supports. Here is the final screen of the wizard:
The vast majority of iPhone users have never been targeted by spyware such as Pegasus. Yet, we cannot be blind to the fact that military-grade spyware is being deployed in shockingly petty and corrupt contexts by governments which we don't typically associate with liberticide authoritarian regimes. This attack targeting a prominent health official and two NGO directors in Mexico comes to mind – the victims were citizens of a republican democracy who defended a soda tax project, not political dissidents in a dictatorship.
We all feel revolted and compelled to act when human rights come under attack in such dystopian ways. NGOs, journalists and citizens of all nationalities already work tirelessly to protect our freedom, sometimes at the risk of their lives. They deserve our gratitude and support.
Gregorio Zanon