Application State represents the operational status and lifecycle context of a mobile application at a given point in time. This includes whether the application is running in the foreground or background, its activity state, recent user interaction, and transitions between lifecycle states.
Monitoring application state helps defenders identify suspicious behavior where an application performs sensitive actions while inactive, in the background, or without recent user interaction.
Application state is particularly useful when detecting malicious activity that occurs outside normal user-driven workflows.
Examples
Android
iOS
Data Collection Measures
- Mobile EDR / MTD runtime monitoring
- OS lifecycle event telemetry
- Application runtime instrumentation
- Mobile security platform behavioral monitoring
| Name | Channel |
|---|---|
| android:MDMLog | Newly installed or updated application launches background service, becomes active without recent user interaction, or executes immediately after update in a pattern inconsistent with baseline |
| MobileEDR:telemetry | Application or service remains active, foregrounds, or overlays during device locked state or immediately at unlock transition with weak recent user interaction context |
| MobileEDR:telemetry | Application wakes, becomes active, refreshes, or foregrounds immediately after locked or inactive state transition with weak recent user interaction |
| MobileEDR:telemetry | Foreground or background applications remain active while network-dependent activity stalls, retries, or transitions into repeated failure state |
| MobileEDR:telemetry | Application runs in foreground, service, or sustained background-active state while concentrated file transformation occurs with weak or no recent user interaction |
| MobileEDR:telemetry | Updated or newly delivered application becomes active, launches background services, or executes shortly after install/update with minimal user interaction inconsistent with baseline |
| MobileEDR:telemetry | Updated or newly delivered application wakes, foregrounds, refreshes, or becomes active shortly after version change with weak recent user interaction |
| MobileEDR:telemetry | Protected resource use or privileged framework access occurs while device is locked, before normal setup completion, or from an app/service not in foreground and not on approved preload list |
| MobileEDR:telemetry | Managed app or device-originated network activity occurs while the device is locked or before expected managed app initialization sequence, inconsistent with expected background refresh baseline |
| MobileEDR:telemetry | Recently installed or updated trusted app begins background execution, persistent service activity, overlay-like behavior, or lock-state activity inconsistent with its historical baseline or expected first-run sequence |
| MobileEDR:telemetry | Recently installed or updated managed app begins background activity, persistent refresh, or lock-state-adjacent activity inconsistent with expected first-run behavior, user interaction timing, or historical baseline |
| MobileEDR:telemetry | App communicating with external web service is backgrounded, persistent, recently awakened, or active while device is locked or without recent user interaction in a way inconsistent with expected app behavior |
| MobileEDR:telemetry | Managed app shows background activity, refresh, or lock-state-adjacent execution temporally aligned to web-service communication without expected foreground use or recent user interaction |
| MobileEDR:telemetry | AppState=background or foreground_service active when resolver retrieval request occurred and pivot connection followed without foreground transition |
| MobileEDR:telemetry | LastUserInteractionDelta exceeded threshold before resolver retrieval and subsequent pivot connection sequence |
| MobileEDR:telemetry | DeviceLockState=locked or BackgroundRefresh active during resolver→pivot sequence |
| MobileEDR:telemetry | LastUserInteractionDelta exceeded threshold before resolver request and pivot connection sequence |
| MobileEDR:telemetry | AppState=background when bidirectional exchange with public web-service domain began and no foreground transition occurred between retrieval and outbound write |
| MobileEDR:telemetry | DeviceLockState=locked during inbound retrieval and subsequent outbound write sequence to public web-service platform |
| MobileEDR:telemetry | LastUserInteractionDelta exceeded threshold before retrieve-then-write exchange to public web-service domain from same app identity |
| MobileEDR:telemetry | BackgroundRefresh or background activity was active when retrieve-then-write exchange with public web-service domain occurred |
| MobileEDR:telemetry | AppState=background when repeated retrieval from public web-service domain began and no foreground transition occurred during the retrieval sequence |
| MobileEDR:telemetry | DeviceLockState=locked during repeated inbound retrieval sequence from public web-service platform |
| MobileEDR:telemetry | LastUserInteractionDelta exceeded threshold before repeated retrieval sequence from public web-service domain from same app identity |
| MobileEDR:telemetry | AppState=background when non-standard-port session began and no foreground transition occurred during repeated or persistent connection sequence |
| MobileEDR:telemetry | DeviceLockState=locked during outbound session using non-standard protocol-to-port pairing |
| MobileEDR:telemetry | LastUserInteractionDelta exceeded threshold before app-attributed session using non-standard protocol-to-port pairing |
| MobileEDR:telemetry | LastUserInteractionDelta exceeded threshold before camera session start and no foreground transition occurred during sustained capture interval |
| MobileEDR:telemetry | Background activity, low-interaction device state, or DeviceLockState=locked was observed during sustained camera session or immediately before camera access from same bundle context |
| MobileEDR:telemetry | Capturing app remained backgrounded or foreground-service-only while screen capture session occurred and another app was foregrounded during capture interval |
| MobileEDR:telemetry | LastUserInteractionDelta exceeded threshold before screen capture session start and no expected foreground transition or consent-linked interaction occurred during capture interval |
| MobileEDR:telemetry | Sensitive app category remained foregrounded during screen capture session from different app identity |
| MobileEDR:telemetry | Injecting app remained backgrounded or foreground-service-only while injected click, global action, or text insertion occurred in a different foreground app |
| MobileEDR:telemetry | LastUserInteractionDelta exceeded threshold before injected UI action and no matching touch interaction was observed for the target foreground app during injection sequence |
| MobileEDR:telemetry | Sensitive app category remained foregrounded during injected UI sequence from different app identity |
| MobileEDR:telemetry | Notification access event occurs while app_state=background AND device_state=locked OR no recent user interaction |
| MobileEDR:telemetry | Crypto + data staging occurs while app_state=background OR device_locked=true OR no recent user interaction |
| MobileEDR:telemetry | Asymmetric crypto operations occur while app_state=background OR device_locked=true OR no recent user interaction |
| MobileEDR:telemetry | TLS trust customization and outbound HTTPS session occur while app_state=background or device_locked=true or recent_user_interaction=false |
| MobileEDR:telemetry | Managed app initiates or resumes network-capable execution while app_state=background or device_locked=true before opaque TLS session attempt |
| MobileEDR:telemetry | Managed app enters background-capable execution or resumes processing immediately before archive-like file creation or upload behavior |
| MobileEDR:telemetry | Persistent foreground-service notification is created, updated, or remains visible while app behavior or notification identity is inconsistent with declared function during the persistence interval |
| MobileEDR:telemetry | Ingress transfer and local file creation occur while app_state=background or device_locked=true or recent_user_interaction=false during the acquisition phase |
| MobileEDR:telemetry | Ingress retrieval and staging occur while app_state=background or device_locked=true or recent_user_interaction=false during the acquisition phase |
| MobileEDR:telemetry | Native library load or JNI-backed execution occurs while app_state=background or device_locked=true or recent_user_interaction=false during the execution phase |
| MobileEDR:telemetry | Modified or newly replaced application begins execution or persists while recent_user_interaction=false or device_locked=true or launch context is inconsistent with expected user-driven update flow |
| MobileEDR:telemetry | System event occurs (e.g., SMS received, device boot completed, network state changed) acting as trigger event for execution phase |
| MobileEDR:telemetry | Application remains inactive across normal execution windows and transitions into background or foreground activity burst only when qualifying device context, lock state, locale, or network condition exists |
| MobileEDR:telemetry | Application remains dormant, low-activity, or background-resident across non-qualifying locations and transitions into active execution only after geographic condition is met |
| MobileEDR:telemetry | Application reduces or halts operational activity during periods of active user interaction and resumes background execution or periodic work only during low-motion or idle intervals |
| MobileEDR:telemetry | Security or monitoring application transitions to disabled, inactive, or non-reporting state while other applications remain active |
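
The channels above repeatedly combine three context signals (AppState, DeviceLockState, LastUserInteractionDelta) with a sensitive action. The following added example, which is not part of the original page or of any vendor's product, shows one way to track that context from a telemetry stream and evaluate it when a sensitive action occurs. The event schema, the action names, the 120-second threshold and the package names are assumptions made for illustration.

```python
# Added example; event schema, field names and the 120 s threshold are assumptions.
from dataclasses import dataclass
from typing import Optional

INTERACTION_THRESHOLD_S = 120  # assumed baseline; tune per app category
SENSITIVE = {"camera_session_start", "screen_capture_start", "notification_access"}

@dataclass
class AppContext:
    state: str = "unknown"  # foreground | background | foreground_service
    last_interaction: Optional[float] = None

def detect(events):
    """Return findings for sensitive actions that lack user-driven context."""
    apps, locked, findings = {}, False, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["type"]
        if kind == "device_lock":  # device-wide event, carries no app identity
            locked = ev["locked"]
            continue
        ctx = apps.setdefault(ev["app"], AppContext())
        if kind == "lifecycle":
            ctx.state = ev["state"]
        elif kind == "user_interaction":
            ctx.last_interaction = ev["ts"]
        elif kind in SENSITIVE:
            reasons = []
            if ctx.state != "foreground":
                reasons.append(f"AppState={ctx.state}")
            if locked:
                reasons.append("DeviceLockState=locked")
            delta = None if ctx.last_interaction is None else ev["ts"] - ctx.last_interaction
            if delta is None or delta > INTERACTION_THRESHOLD_S:
                reasons.append("LastUserInteractionDelta exceeded threshold")
            if reasons:
                findings.append({"app": ev["app"], "action": kind, "ts": ev["ts"], "reasons": reasons})
    return findings

# Constructed sample telemetry (timestamps in seconds; not real device data).
SAMPLE = [
    {"ts": 0, "type": "lifecycle", "app": "com.example.camera", "state": "foreground"},
    {"ts": 5, "type": "user_interaction", "app": "com.example.camera"},
    {"ts": 8, "type": "camera_session_start", "app": "com.example.camera"},
    {"ts": 10, "type": "lifecycle", "app": "com.example.flashlight", "state": "foreground"},
    {"ts": 12, "type": "user_interaction", "app": "com.example.flashlight"},
    {"ts": 30, "type": "lifecycle", "app": "com.example.flashlight", "state": "background"},
    {"ts": 300, "type": "device_lock", "locked": True},
    {"ts": 900, "type": "camera_session_start", "app": "com.example.flashlight"},
]
```

Calling `detect(SAMPLE)` leaves the user-driven camera session at ts=8 unflagged and reports the ts=900 session with all three context reasons attached, which is the material an analyst needs to compare against the app's baseline.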