v2026.5.12

This release adds support for the newly launched Intrusion Logging feature available as part of Android Advanced Protection Mode.

What's Changed

• Revise breaking changes notice in README by @besendorf in #784
• Convert dependency management to uv by @besendorf in #785
• Add Android intrusion log checks by @besendorf in #788
• Add documentation for Android intrusion logs by @DonnchaC in #794
• [auto] Update iOS releases and versions by @github-actions[bot] in #787
• Bump urllib3 from 2.6.3 to 2.7.0 by @dependabot[bot] in #795
• Bump tzdata from 2026.1 to 2026.2 by @dependabot[bot] in #793
• Bump version for release 2026.5.12 by @DonnchaC in #796

Full Changelog: v2026.4.28...v2026.5.12

v2026.4.28

This release includes a major internal refactor of MVT which will enable future development.

Most significantly is a redesign of the built-in alerting function, moving away from a binary detected/not-detected logic to a more nuanced set of alert levels. All alerts are also now logged in JSON output. This will allow for easier and more reliable implementation of heuristic detections and processing of MVT output with other tools.

What's Changed

• Check receiver names for IoCs by @viktor3002 in #721
• [auto] Update iOS releases and versions by @github-actions[bot] in #738
• Add support for bugreport modules to analyse the AndroidQF dumpsys.txt by @Max-RSF in #741
• [auto] Update iOS releases and versions by @github-actions[bot] in #739
• [auto] Update iOS releases and versions by @github-actions[bot] in #742
• Detect uninstall and downgrade in battery daily by @besendorf in #736
• Bump cryptography from 46.0.3 to 46.0.5 by @dependabot[bot] in #747
• Bump pydantic from 2.12.3 to 2.12.5 by @dependabot[bot] in #732
• Bump click from 8.3.0 to 8.3.1 by @dependabot[bot] in #731
• Bump mkdocstrings from 0.30.1 to 1.0.0 by @dependabot[bot] in #730
• Fixes bug in IOC import by @Te-k in #749
• [auto] Update iOS releases and versions by @github-actions[bot] in #743
• Bump requests from 2.32.5 to 2.33.1 by @dependabot[bot] in #752
• Bump packaging from 25.0 to 26.0 by @dependabot[bot] in #751
• Bump pydantic-settings from 2.10.1 to 2.13.1 by @dependabot[bot] in #750
• Bump tzdata from 2025.2 to 2025.3 by @dependabot[bot] in #729
• Improve docker images tags based on PR #740 by @DonnchaC in #754
• Bump cryptography from 46.0.5 to 46.0.6 by @dependabot[bot] in #755
• Bump rich from 14.1.0 to 14.2.0 by @dependabot[bot] in #728
• Replace betterproto with betterproto2 in dependencies by @besendorf in #763
• Bump tzdata from 2025.3 to 2026.1 by @dependabot[bot] in #761
• Bump click from 8.3.1 to 8.3.2 by @dependabot[bot] in #762
• Bump rich from 14.2.0 to 14.3.3 by @dependabot[bot] in #760
• Fix betterproto2 migration: update generated proto code and callers by @besendorf in #765
• Fix STIX2 hash key parsing to accept spec-compliant algorithm names by @besendorf in #767
• Update add-to-project action version by @besendorf in #768
• handle empty sms databases by @besendorf in #770
• Update README with warning about v3 breaking changes by @besendorf in #771
• Abort analysis and warn user when backup is encrypted by @besendorf in #772
• Bump cryptography from 46.0.6 to 47.0.0 by @dependabot[bot] in #775
• Bump pydantic from 2.12.5 to 2.13.3 by @dependabot[bot] in #777
• [auto] Update iOS releases and versions by @github-actions[bot] in #756
• Bump mkdocs-autorefs from 1.4.3 to 1.4.4 by @dependabot[bot] in #776
• Bump mkdocstrings from 1.0.0 to 1.0.4 by @dependabot[bot] in #759
• Bump mkdocs-material from 9.6.20 to 9.7.6 by @dependabot[bot] in #758
• V3 by @besendorf in #716

New Contributors

• @viktor3002 made their first contribution in #721
• @Max-RSF made their first contribution in #741

Full Changelog: v2.7.0...v2026.4.28

v2.7.0

What's Changed

• Fixes date parsing issue in tombstones by @Te-k in #635
• Update NSKeyedUnarchiver by @besendorf in #636
• Update global_preferences.py by @Te-k in #641
• Create dependabot.yml by @Te-k in #644
• initialise message_links in backup parser to fix sms module bug by @besendorf in #658
• catch sqlite exception in safari_browserstate.py by @besendorf in #660
• fix #579 TCC: no such table: access by @besendorf in #659
• remove deprecated install_non_market_apps permission check by @besendorf in #656
• [auto] Update iOS releases and versions by @github-actions[bot] in #673
• Adds iOS 18.6.1 by @Te-k in #681
• move test dependencies to dev dependency group (PEP 735) by @besendorf in #679
• add iOS 18.6.2 by @r-tx in #682
• [auto] Update iOS releases and versions by @github-actions[bot] in #692
• [auto] Update iOS releases and versions by @github-actions[bot] in #693
• make virustotal check also work with androidqf extractions by @besendorf in #685
• Bump mkdocstrings from 0.30.0 to 0.30.1 by @dependabot[bot] in #697
• [auto] Update iOS releases and versions by @github-actions[bot] in #698
• Add tzdata dependency by @besendorf in #700
• Make revision field a string in TombstoneCrash model to fix error where by @besendorf in #702
• fix tombstone unpack parsing bug by @besendorf in #711
• add mounts module for androidqf by @besendorf in #710
• Add root_binaries androidqf module by @besendorf in #676
• Add Options to disable update checks by @besendorf in #674
• webkit session resource: fail gracefully when date conversion fails by @besendorf in #664
• Deduplicate ADB AndroidQF and other modules by @DonnchaC in #606
• [auto] Update iOS releases and versions by @github-actions[bot] in #712
• [auto] Update iOS releases and versions by @github-actions[bot] in #714
• [auto] Update iOS releases and versions by @github-actions[bot] in #722
• add missing iPhone 16 and 17 models by @r-tx in #717
• Deprecate check-adb and recommend AndroidQF by @besendorf in #723
• Run CI tests against Python3.14 too by @DonnchaC in #724
• Fix outdated security contact point by @DonnchaC in #725
• Fix config for Ruff linter in pyproject config and Makefile by @DonnchaC in #726
• Bump version for release v2.7.0 by @DonnchaC in #727

Dependency updates

• Bump pydantic from 2.11.7 to 2.12.3 by @dependabot[bot] in #708
• Bump requests from 2.32.4 to 2.32.5 by @dependabot[bot] in #684
• Bump cryptography from 45.0.6 to 46.0.3 by @dependabot[bot] in #709
• Bump simplejson from 3.20.1 to 3.20.2 by @dependabot[bot] in #699
• Bump click from 8.2.1 to 8.3.0 by @dependabot[bot] in #696
• Bump mkdocs-autorefs from 1.4.2 to 1.4.3 by @dependabot[bot] in #686
• Bump mkdocs-material from 9.6.18 to 9.6.20 by @dependabot[bot] in #691
• Bump mkdocstrings from 0.30.0 to 0.30.1 by @dependabot[bot] in #697
• Bump requests from 2.32.2 to 2.32.4 by @dependabot[bot] in #642
• Bump cryptography from 45.0.4 to 45.0.5 by @dependabot[bot] in #661
• Bump mkdocs-material from 9.6.14 to 9.6.16 by @dependabot[bot] in #672
• Bump rich from 14.0.0 to 14.1.0 by @dependabot[bot] in #670
• Bump mkdocstrings from 0.29.1 to 0.30.0 by @dependabot[bot] in #671
• Bump pydantic-settings from 2.9.1 to 2.10.1 by @dependabot[bot] in #655
• Bump cryptography from 45.0.5 to 45.0.6 by @dependabot[bot] in #675
• Bump mkdocs-material from 9.6.16 to 9.6.17 by @dependabot[bot] in #678
• Bump mkdocs-material from 9.6.17 to 9.6.18 by @dependabot[bot] in #683
• Bump pyahocorasick from 2.1.0 to 2.2.0 by @dependabot[bot] in #646
• Bump cryptography from 45.0.3 to 45.0.4 by @dependabot[bot] in #645
• Bump mkdocs-material from 9.5.42 to 9.6.14 by @dependabot[bot] in #647
• Bump mkdocs-autorefs from 1.2.0 to 1.4.2 by @dependabot[bot] in #648
• Bump mkdocstrings from 0.23.0 to 0.29.1 by @dependabot[bot] in #649
• Bump pydantic from 2.11.5 to 2.11.7 by @dependabot[bot] in #651

Full Changelog: v2.6.1...v2.7.0

v2.6.1

What's Changed

• [auto] Update iOS releases and versions by @github-actions[bot] in #602
• Add additional Android security warnings by @DonnchaC in #603
• Reworking handling of config options by @DonnchaC in #592
• Add parser for Android tombstone files by @DonnchaC in #568
• Load Android device timezone info and add additional file modification logs by @DonnchaC in #567
• Add support for parsing ADB keystore in XML format by @DonnchaC in #605
• [auto] Update iOS releases and versions by @github-actions[bot] in #607
• Always open automatic PRs as drafts by @DonnchaC in #609
• Fix iOS action error by @DonnchaC in #611
• Update logo.py by @carlosm2 in #615
• Include default values when parsing tombstone protobuf files by @DonnchaC in #617
• [auto] Update iOS releases and versions by @github-actions[bot] in #618
• [auto] Update iOS releases and versions by @github-actions[bot] in #622
• Fixes Android Dumpsys ADb bug by @Te-k in #623
• Fix issue #574 for a module without IOCs output by @ping2A in #620
• [auto] Update iOS releases and versions by @github-actions[bot] in #625
• [auto] Update iOS releases and versions by @github-actions[bot] in #626
• Upgrade main dockerfile runtime to ubuntu:24.04 by @scribblemaniac in #619
• Pin NSKeyedUnarchiver version by @besendorf in #630
• Freeze versions and bump version by @Te-k in #632

New Contributors

• @carlosm2 made their first contribution in #615
• @ping2A made their first contribution in #620

Full Changelog: v2.6.0...v2.6.1

v2.6.0

What's Changed

• Fixes for failing CI by @roaree in #507
• Add packages module for androidqf by @roaree in #506
• [auto] Update iOS releases and versions by @github-actions in #514
• [auto] Update iOS releases and versions by @github-actions in #521
• [auto] Update iOS releases and versions by @github-actions in #532
• Run black linter on pull requests by @DonnchaC in #543
• Docker improvements (multistage builds, separate os images, and more) by @scribblemaniac in #509
• [auto] Update iOS releases and versions by @github-actions in #549
• Configure project to use pyproject.toml and consistent CI and test tooling by @DonnchaC in #544
• Update deprecated functions and other small changes by @besendorf in #533
• Also search for STIX2 files in directories in MVT_STIX2 by @besendorf in #527
• Improves STIX2 support and testing by @Te-k in #523
• Fixes a bug in Android SMS parsing #526 by @Te-k in #530
• Fix CI badge by @DonnchaC in #552
• Adds recovery of sqlite db when db is opened by @Te-k in #516
• Fixes a minor bug in IOC import by @Te-k in #553
• Adds timeout to update checks by @Te-k in #542
• Refactor CLI help messages to make the CLI code more readable and maintainable. by @DonnchaC in #554
• Fix error reporting for update check failures by @DonnchaC in #555
• Add basic support for IP indicators in MVT by @DonnchaC in #556
• Adds androidqf files module by @Te-k in #541
• Add initial parser for ADB state in Dumpsys by @DonnchaC in #547
• Add support for check APK certificate hash IOCs by @DonnchaC in #557
• Fix crash when handling empty adb key list by @DonnchaC in #558
• Add workflow for building Docker image by @DonnchaC in #559
• Fix action which updates iOS verisons and build numbers by @DonnchaC in #560
• Build Docker image on release rather than on branch by @DonnchaC in #561
• Improve Docker image building and add Docker info to docs by @DonnchaC in #562
• Add additional detections for suspicious packages by @DonnchaC in #563
• [auto] Update iOS releases and versions by @github-actions in #569
• Fix error to due extra equal character in Files detection by @DonnchaC in #570
• [auto] Update iOS releases and versions by @github-actions in #572
• [auto] Update iOS releases and versions by @github-actions in #583
• Update MVT contributor guidelines by @DonnchaC in #584
• Reorganize code in iOS app module by @Te-k in #586
• Add a module to parse uninstalled apps from dumpsys data by @DonnchaC in #587
• [auto] Update iOS releases and versions by @github-actions in #595
• Fixes a bug on recent phones not having WIFI column in net usage by @Te-k in #580
• Autofix for ruff by @roaree in #598
• Add command completion docs by @nimrod-a in #597
• Documentation tweaks by @roaree in #599

New Contributors

• @scribblemaniac made their first contribution in #509
• @nimrod-a made their first contribution in #597

Full Changelog: v2.5.4...v2.6.0

v2.5.4

What's Changed

• Returns empty string when no date in date converter by @Te-k in #493
• [auto] Update iOS releases and versions by @github-actions in #498
• Fix dumpsys accessibility detections for v14+ by @roaree in #483
• [auto] Update iOS releases and versions by @github-actions in #499
• Prevent command.log from being appended to when run in a loop by @roaree in #501

Full Changelog: v2.5.3...v2.5.4

v2.5.3

What's Changed

• Use backwards-compatible datetime.timezone.utc by @roaree in #488

Full Changelog: v2.5.2...v2.5.3

v2.5.2

What's Changed

• Convert timezone-aware datetimes automatically to UTC by @roaree in #485
• Mark release 2.5.2 by @roaree in #486

Full Changelog: v2.5.1...v2.5.2

v2.5.1

What's Changed

• change virustotal flag to -V by @r-tx in #440
• [auto] Update iOS releases and versions by @github-actions in #451
• Update install docs by @roaree in #449
• Handle no indicators provided in sms_attachments.py by @roaree in #455
• [auto] Update iOS releases and versions by @github-actions in #460
• Update install.md by @danydin in #461
• [auto] Update iOS releases and versions by @github-actions in #468
• [auto] Update iOS releases and versions by @github-actions in #472
• [auto] Update iOS releases and versions by @github-actions in #473
• Usbmuxd debug option changed from -d to -v by @renini in #464
• Add docs explaining how to seek expert help for forensic analysis by @DonnchaC in #476
• add short urls by @r-tx in #479
• Mark release 2.5.1 by @DonnchaC in #481

New Contributors

• @danydin made their first contribution in #461
• @renini made their first contribution in #464

Full Changelog: v2.5.0...v2.5.1

v2.5.0

What's Changed

• [auto] Update iOS releases and versions by @github-actions in #437
• Impovements for SMS module by @DonnchaC in #438
• Add uri=True in mvt/ios/modules/base.py by @msx98 in #442
• Circular reference in SMS module serialization by @roaree in #444
• dumpsys_accessibility.py: Spell accessibility correctly by @cclauss in #441
• [auto] Update iOS releases and versions by @github-actions in #439

New Contributors

• @msx98 made their first contribution in #442

Full Changelog: v2.4.5...v2.5.0