Represents the permissions, entitlements, or capability grants associated with a mobile application, including both permissions declared by the application and those granted or requested during runtime.
Monitoring permission state helps defenders identify applications attempting to access protected device resources such as sensors, storage, communications interfaces, or system services.
Examples include:

- Android
- iOS

| Name | Channel |
|---|---|
| android:logcat | READ_EXTERNAL_STORAGE / MANAGE_EXTERNAL_STORAGE permission present or toggled at runtime |
| android:MDMLog | Application granted or retaining RECORD_AUDIO permission or privileged CAPTURE_AUDIO_OUTPUT capability |
| android:MDMLog | Application granted/retaining ACCESS_FINE_LOCATION and/or ACCESS_COARSE_LOCATION; background location capability present (ACCESS_BACKGROUND_LOCATION on Android 10+) |
| android:MDMLog | Device inventory changes involving phone number/line identifier fields (when available), eSIM profile presence, or compliance signal indicating SIM profile change |
| android:MDMLog | New permission prompt, package install attempt, accessibility/overlay special access request, or other post-browse capability escalation following browser/WebView activity |
| android:MDMLog | ADB_DEBUGGING_ENABLED |
| android:MDMLog | Application gains or is observed with elevated interaction capability such as accessibility, overlay, device admin, notification access, or other authentication-adjacent special access |
| android:MDMLog | Known application or newly updated version declares, gains, or activates expanded storage, sensor, communications, accessibility, or device-management capability inconsistent with prior baseline or app role |
| android:MDMLog | Known application version declares, gains, or first exercises storage, communications, accessibility, advertising, analytics, overlay, or sensor-adjacent capability inconsistent with prior version baseline or business role |
| android:MDMLog | Device enrollment or compliance event shows failed or degraded verified boot, hardware-backed attestation mismatch, patch/build/baseband inconsistency, or unexpected device property drift near first contact |
| android:MDMLog | Managed or trusted app is newly installed or updated and presents changed package identity, signing relationship, version lineage, installer source, or permission posture inconsistent with approved baseline |
| android:MDMLog | App communicating with legitimate web-service infrastructure is unmanaged, newly installed, recently updated, outside approved app list, or shows baseline drift in role, installer source, or expected capability profile |
| android:MDMLog | App initiating resolver→pivot sequence was unmanaged or not authorized to communicate with detected web-service class or external infrastructure |
| android:MDMLog | App identity performing bidirectional exchange was unmanaged, outside approved app baseline, or not permitted to use detected public web-service class for read/write operations |
| android:MDMLog | App identity performing repeated one-way retrieval was unmanaged, outside approved app baseline, or not permitted to use detected public web-service class for background content retrieval |
| android:MDMLog | App identity performing camera session was unmanaged, recently granted camera permission, or not approved to use camera for video or interval image capture |
| android:MDMLog | Application granted or retaining the READ_CALL_LOG permission. |
| android:MDMLog | Application granted or retaining the READ_CONTACTS permission. |
| android:MDMLog | Application granted or retaining the READ_SMS or RECEIVE_SMS permission. |
| android:MDMLog | App identity performing screen capture had unapproved accessibility posture, capture-related special access, unmanaged state, or was not approved for screen recording or assistive observation workflows |
| android:MDMLog | NotificationListenerService enabled OR notification access granted to app not in enterprise-approved list |
| android:MDMLog | App not in enterprise-approved list performing network + crypto behavior inconsistent with declared functionality |
| android:MDMLog | App not in approved cryptographic or secure communication category performing keypair + encryption + transmission behavior |
| android:MDMLog | Managed app with undeclared secure transport behavior or app category mismatch initiates opaque TLS communications inconsistent with enterprise policy baseline |
| android:MDMLog | Managed application with no declared backup, sync, export, or media-editing role performs bulk local packaging or encrypted archive generation |
| android:MDMLog | Managed app granted or retaining storage-related or elevated access inconsistent with declared function prior to local data access activity |
| android:MDMLog | Managed app without approved content-download, update, browser, or file-sync role performs remote payload retrieval and local tool staging |
| android:MDMLog | Managed application without approved native-code role or expected high-performance/native dependency exhibits native execution behavior inconsistent with enterprise policy baseline |
| android:MDMLog | Managed application package version, signer lineage, installer source, or app identity changes outside approved enterprise or store-mediated update workflow |
| android:MDMLog | Managed app granted SEND_SMS or RECEIVE_SMS permission, or app role/policy indicates SMS-capable behavior inconsistent with approved enterprise function before SMS control activity |
| android:MDMLog | Default SMS handler changes to non-baselined application or managed app unexpectedly becomes or remains device default SMS app during SMS control phase |
| android:MDMLog | Managed app without approved VPN, enterprise tunneling, browser, or remote-access role exhibits proxy-like traffic handling inconsistent with policy baseline |
| android:MDMLog | Managed app granted call-control-relevant permissions or telecom role state inconsistent with approved enterprise function before call-control activity |
| android:MDMLog | Default phone or telecom-handling role changes to non-baselined application or managed app unexpectedly becomes dialer/call-handling app during call-control phase |
| android:MDMLog | device transitions to non-compliant state + root detected or integrity attestation failure (SafetyNet/Play Integrity) |
| android:MDMLog | application integrity mismatch or package signature inconsistency relative to expected deployment baseline |
| android:MDMLog | application granted high-risk permission or special access (AccessibilityService, SYSTEM_ALERT_WINDOW, DeviceAdmin) with abnormal grant pattern (e.g., no recent user interaction or rapid sequence of grants) |
| android:MDMLog | application granted Device Administrator privilege + abnormal activation pattern (e.g., rapid enablement after install or no recent user interaction) |
| android:MDMLog | application holds permissions enabling environment validation (e.g., location, phone state, nearby device/network context) and subsequently delays protected activity until qualifying values are present |
| android:MDMLog | application granted ACCESS_FINE_LOCATION and, when required for background operation, ACCESS_BACKGROUND_LOCATION + capability state sufficient for persistent geolocation monitoring before later guarded activity |
| android:MDMLog | managed app inventory or launcher-visible state changes show application remains installed but user-facing entry point or launcher component becomes disabled before later runtime activity |
| android:MDMLog | installed application remains present while launcher-visible activity or component discoverability changes to hidden, disabled, or synthesized-settings-entry state prior to later runtime activity |
| android:MDMLog | change to security-relevant device configuration or managed policy (e.g., accessibility enablement, app admin changes, security service state change) preceding telemetry degradation |
| android:MDMLog | application enabled as device administrator, device owner, profile owner, or equivalent elevated management role before uninstall attempt |
| android:MDMLog | application granted accessibility service privileges capable of screen observation or global action invocation before removal attempt |
| android:MDMLog | application enabled as device administrator, device owner, or profile owner before screen-lock or password-control activity |
| android:MDMLog | application granted accessibility service privileges capable of intercepting UI flow or sustaining user-interaction denial before lockout event |
| android:MDMLog | device posture changes to rooted, non-compliant, weakened security state, or elevated control role becomes active before security-tool degradation |
| android:MDMLog | security-relevant application package state, enabled status, administrator state, or managed protection setting changes immediately before monitoring degradation |
| android:MDMLog | device posture or compromise-state indicators change unexpectedly, including rooted or non-compliant status disappearance, after prior app or system activity suggesting persistence on device |
| android:MDMLog | managed application state changes unexpectedly through uninstall, disappearance from expected inventory, or install-state mismatch after prior suspicious activity |
| android:MDMLog | application holds device-owner, profile-owner, or delegated app-management authority capable of package removal before uninstall event |
| android:MDMLog | application has accessibility service privileges immediately before package-removal UI flow and subsequent application disappearance |
| android:MDMLog | device posture indicates rooted, compromised, or non-compliant state before package files disappear without standard managed uninstall workflow |
| android:MDMLog | application holds device administrator, device owner, or other managed authority capable of wipe or destructive device-level action before bulk file loss or wipe event |
| android:MDMLog | device posture indicates rooted, compromised, or non-compliant state before protected or atypical filesystem deletion activity |
| android:MDMLog | Application granted or retaining the READ_CALENDAR or WRITE_CALENDAR permissions. |
| Application Vetting | None |
| iOS:MDMLog | Application installed with NSMicrophoneUsageDescription entitlement indicating microphone capability |
| iOS:MDMLog | App installed with location usage declarations (WhenInUse/Always usage description) and granted authorization level via managed policy state |
| iOS:MDMLog | Managed device inventory change indicating cellular plan/eSIM profile updates (where available via supervised iOS + MDM reporting) |
| iOS:MDMLog | Post-browse configuration profile prompt, managed/unmanaged app handoff anomaly, or compliance-relevant state change shortly after browser activity |
| iOS:MDMLog | Compliance posture or restriction state relevant to accessory access, USB restricted mode, supervised trust policy, or backup/pairing restrictions |
| iOS:MDMLog | Known application version declares, activates, or exhibits new entitlements, privacy permissions, or capability use inconsistent with prior baseline or business role |
| iOS:MDMLog | Supervised enrollment, activation, or inventory event reveals unexpected device property relationships, anomalous managed posture, unexplained configuration drift near first contact, or identity/inventory characteristics inconsistent with approved procurement baseline |
| iOS:MDMLog | Supervised managed app is newly installed or updated and presents unexpected version transition, inventory drift, managed-state change, or app attribute mismatch against approved procurement and release baseline |
| iOS:MDMLog | Managed app communicating with legitimate web-service infrastructure is newly installed, recently updated, outside expected managed-app set, or displays baseline drift in app role, release path, or business justification |
| iOS:MDMLog | Bundle performing resolver→pivot sequence not present in approved managed-app baseline or lacks expected service relationship |
| iOS:MDMLog | Bundle performing bidirectional exchange was not present in approved managed-app baseline or was not permitted to use detected public web-service class for read/write operations |
| iOS:MDMLog | Bundle performing repeated one-way retrieval was not present in approved managed-app baseline or was not permitted to use detected public web-service class for background content retrieval |
| iOS:MDMLog | App identity using non-standard protocol-to-port pairing was unmanaged, outside approved app baseline, or not permitted to communicate using detected protocol/service over observed destination port |
| iOS:MDMLog | Bundle performing camera session was not present in approved managed-app baseline or was not permitted to use camera for video or interval image capture |
| iOS:MDMLog | Supervised managed app with undeclared secure transport behavior or unexpected network role communicates with non-baselined destination over opaque TLS |
| iOS:MDMLog | Supervised managed app without expected export, backup, or sync role performs local data staging behavior followed by opaque upload activity |
| iOS:MDMLog | Supervised managed app without expected local export, sync, or forensic role accesses or stages local records inconsistent with policy baseline |
| iOS:MDMLog | Supervised managed app without approved update, browser, sync, or enterprise-content role retrieves and stages secondary content inconsistent with policy baseline |
| iOS:MDMLog | application has approved capabilities required for conditional execution (e.g., location/background modes) but observed behavior is deferred until target-specific state is present |
| iOS:MDMLog | application authorized for when-in-use or always location access and, where relevant, background execution capability sufficient for continued geographic evaluation before later guarded behavior |
| MobileEDR:telemetry | App with network-, telephony-, Wi-Fi-, or location-adjacent capability is impacted by abrupt repeated service loss while permissions remain unchanged |
| MobileEDR:telemetry | Network- or location-dependent app capability state remains unchanged while the app experiences sustained communication failure |
| MobileEDR:telemetry | Application holds or is granted broad storage, document-provider, media, or file-management capability inconsistent with its expected role before or during bulk file transformation |
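
As an added example (not part of the original page and not any MDM product's code), the Python below applies two of the Android channels listed above to constructed events: special access granted with an abnormal grant pattern, and notification access granted outside the enterprise-approved list. The event schema, package names, allowlist and both thresholds are assumptions.

```python
from collections import defaultdict

# Special-access capabilities named in the table above.
HIGH_RISK = {"AccessibilityService", "SYSTEM_ALERT_WINDOW", "DeviceAdmin",
             "NotificationListenerService"}
APPROVED_NOTIFICATION_APPS = {"com.example.mail"}  # hypothetical allowlist
RAPID_WINDOW_S = 60       # assumed threshold for a "rapid sequence of grants"
INTERACTION_MAX_S = 30    # assumed: a grant needs user input this recent

# Constructed sample events (hypothetical schema, not a real MDM export).
# idle_s = seconds since the last user interaction when the grant was logged.
EVENTS = [
    {"ts": 1000, "pkg": "com.example.mail", "cap": "NotificationListenerService", "idle_s": 3},
    {"ts": 2000, "pkg": "com.example.flashlight", "cap": "AccessibilityService", "idle_s": 4},
    {"ts": 2020, "pkg": "com.example.flashlight", "cap": "SYSTEM_ALERT_WINDOW", "idle_s": 2},
    {"ts": 2045, "pkg": "com.example.flashlight", "cap": "DeviceAdmin", "idle_s": 600},
    {"ts": 5000, "pkg": "com.example.notes", "cap": "NotificationListenerService", "idle_s": 5},
    {"ts": 9000, "pkg": "com.example.notes", "cap": "SYSTEM_ALERT_WINDOW", "idle_s": 1},
]

def find_abnormal_grants(events):
    """Return {package: sorted list of reasons} for grants that need review."""
    findings = defaultdict(set)
    grants = defaultdict(list)  # package -> timestamps of earlier high-risk grants
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["cap"] not in HIGH_RISK:
            continue
        pkg = ev["pkg"]
        if (ev["cap"] == "NotificationListenerService"
                and pkg not in APPROVED_NOTIFICATION_APPS):
            findings[pkg].add("notification access outside approved list")
        if ev["idle_s"] > INTERACTION_MAX_S:
            findings[pkg].add("grant without recent user interaction")
        # Rapid sequence: an earlier high-risk grant to the same app in the window.
        if any(ev["ts"] - t <= RAPID_WINDOW_S for t in grants[pkg]):
            findings[pkg].add("rapid sequence of high-risk grants")
        grants[pkg].append(ev["ts"])
    return {pkg: sorted(reasons) for pkg, reasons in findings.items()}

if __name__ == "__main__":
    for pkg, reasons in find_abnormal_grants(EVENTS).items():
        print(pkg, "->", "; ".join(reasons))
```

Grants to the same package that are spaced far apart and follow recent user input produce no finding, which keeps ordinary setup flows for approved apps out of the review queue.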