Using the Mobile Verification Toolkit

Learn how to safeguard your iOS and Android devices from data theft with practical advice and the Mobile Verification Toolkit by Amnesty International

At a glance

  • Both iOS and Android smartphones are targeted by malicious actors, including nation-state sponsored organizations, to extract valuable data.

  • Key recommendations to keep devices safe include not clicking on URLs from strangers, connecting only to trusted Wi-Fi networks, using VPNs when appropriate, and not installing third-party apps from untrusted sources.

  • Amnesty International Security Lab developed the Mobile Verification Toolkit (MVT) to help detect spyware like Pegasus on smartphones.

  • To use MVT, you need to decrypt an encrypted backup of your device and check it against "indicators of compromise" (IOCs) files. This process can detect if the device has been compromised.

  • It is recommended to turn off your mobile device at least once a week to further enhance security.

There are malicious actors who target iOS and Android smartphones to extract valuable data that they can exploit and/or sell. In some cases, these are even nation-state sponsored organizations targeting their critics and their perceived enemies. Whilst the security of iOS and Android smartphones is frequently improved, it is always a cat-and-mouse game between Apple & Google and these malicious actors. Whilst you might think that you are not within the cross-hairs of these actors, but you might be a bystander, collateral damage as what is the more apt term in warfare, so it is important that you keep your device and data safe. 

The usual recommendations of [1] not clicking on any URL sent to you by strangers, [2] connecting only to trusted wifi networks, [3] using VPN when appropriate, and [3] not installing third-party applications from untrusted sources, all definitely help. Some malicious actors can still find ways to expose you, such as using Pegasus (a spyware). Luckily, ethical security researchers from Amnesty International Security Lab created a toolkit, the Mobile Verification Toolkit (MVT), that helps detect these types of exposure.

When the toolkit was first released, I immediately downloaded it to a Linux laptop, tethered my iPhone (I
don't remember which model it was), and ran mvt on it. Good thing that the iPhone was safe.

I thought of running my iPhone 15 Pro through the MVT to check if there is some hidden malicious software that might have sneaked in via some other means. The MVT requires a recent device backup, so I did an encrypted backup on the Mac and transferred it to the Linux laptop that has the latest MVT, along with the collection of. "indicators of compromise" files downloaded from Amnesty International's public repository. 

Since the back-up is encrypted (encrypted back-up has more data than non-encrypted), first you need to
decrypt, of course.

#### command-line code (format as appropriate)
mvt-ios decrypt-backup -p <password> -d <destination> <location of backup subdirectory>

Depending on how large the backup data is, it will take a few minutes to decrypt all. I noticed that it usually takes time when decrypting video files, specially when saved in 4K. Warning, though, the password you used to decrypt it is exposed, in plaintext, so ensure that you are in a safe place and you are the only one using the computer. 

With the files decrypted, it is now time to check if the device has been compromised. I ran the command below for each of the different "indicators of compromise" (iocs) files and checked if there is any file that ends in "_detected.json".

#### command-line code (format as appropriate)
mvt-ios check-backup -d <destination subdirectory for results> --iocs <location of .stix2 file> <location of decrypted backup subdirectory>

It takes a while to run through all those iocs files, but once you have done it all, checking for files ending in "_detected.json" should be quick and easy. Good thing I did not find any on my iPhone 15 Pro. *whew*

Anyway, it gives me peace of mind that my device isn't compromised. That being said, one tip that you might consider, in addition to the recommendations mentioned above, is to turn off your mobile device at least once a week - the more frequent, the better, of course.

Oh, the Mobile Verification Toolkit works on Android as well. Check out their website at to find out how.

Good luck!