fix: use exact package match in bugreport receiver check

[DevenDucommun]

The check_receiver_prefix method used unanchored substring matching, causing false CRITICAL alerts when a legitimate AOSP receiver class path contained an indicator value as a substring (e.g. TheOneSpy's "com.android.services" matching inside com.android.phone's SIP telephony receiver).

Replace with check_app_id on the extracted package name, consistent with the artifact module's approach. Remove the now-unused check_receiver_prefix method.

Fixes #803

AI assisted

[viktor3002]

Hi @DevenDucommun, thanks for the PR! This sounds all very good and plausible, but I'm having trouble reproducing and testing the issue on my side.
Do you maybe have a bugreport you can share with us that triggers the bug? If yes, feel free to send a link to mail@lab.rsf.org. I would then test it and merge the PR.

[DevenDucommun]

Hi @viktor3002, thanks for taking a look.

I don't have a real-world bugreport I can share, but the false positive doesn't need one. It only requires a receiver whose class path contains com.android.services as a substring while the package is something else. The AOSP SIP telephony receiver in com.android.phone does exactly that, and it ships on plenty of Android <= 13 builds (SIP was deprecated in API 31 and removed in API 34, so older stock and OEM ROMs that kept it still have it).

So I put together a minimal synthetic bugreport that triggers it. Two files in a zip:

main_entry.txt:

dumpstate.txt

dumpstate.txt (the relevant part):

DUMP OF SERVICE package:

Receiver Resolver Table:
  Non-Data Actions:
      android.intent.action.PHONE_STATE:
        37c9e2a com.android.phone/com.android.services.telephony.sip.SipIncomingCallReceiver filter 9f02bb1

And a one-indicator STIX2 file with TheOneSpy's real com.android.services app id:

{ "pattern": "[app:id='com.android.services']", "pattern_type": "stix" }

Running mvt-android check-bugreport -i theonespy.stix2 -o out bugreport.zip:

• On current main, this produces dumpsys_receivers_detected.json with a CRITICAL alert, message identical to the one in False positive: check_receiver_prefix does unanchored substring match, triggers CRITICAL on AOSP com.android.phone for the TheOneSpy / com.android.services indicator #803: Found a known suspicious receiver with name "com.android.phone/com.android.services.telephony.sip.SipIncomingCallReceiver" matching indicators from "TheOneSpy".
• With this PR applied, the receiver is still parsed, but no detection fires.

I'll also email the ready-made zip and stix2 file to mail@lab.rsf.org so you can run it directly. Happy to fold this into a regression test fixture under tests/artifacts/android_data/bugreport/ if you'd like.

(For transparency: the patch and this analysis were done with AI assistance, as noted in the PR body.)