The defender correlates repeated or periodic app-attributed retrieval from a legitimate public web-service platform with runtime conditions showing that the retrieval is not aligned to normal foreground consumption, user interaction, or approved app role. The strongest Android evidence is a managed or installed app repeatedly issuing inbound-oriented GET, fetch, sync, or content-pull operations to social, collaboration, paste, code-hosting, cloud-storage, messaging, or generic HTTPS platforms while the app is backgrounded, while the device is locked, or without recent user interaction, and without a corresponding outbound writeback to that same service class during the operational window. The detection is strengthened when the retrieval is temporally adjacent to scheduled/background execution, local state changes, or later downstream effects that do not require the same public platform to receive output.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | VPN:MobileProxy | App-attributed HTTP GET, content fetch, sync pull, or inbound-oriented HTTPS session to public web-service domain recurred within TimeWindow without app-attributed POST, PUT, PATCH, upload, comment, message send, or API write to same service class |
| Network Traffic Content (DC0085) | VPN:MobileProxy | Repeated app-attributed retrieval from same public web-service domain or API endpoint occurred at stable recurrence interval with low outbound volume relative to inbound content |
| Network Traffic Content (DC0085) | VPN:MobileProxy | Inbound content retrieval from public web-service domain occurred without subsequent writeback to same service class and was followed by local or downstream activity outside normal app sync profile |
| Application State (DC0123) | MobileEDR:telemetry | AppState=background when repeated retrieval from public web-service domain began and no foreground transition occurred during the retrieval sequence |
| Application State (DC0123) | MobileEDR:telemetry | DeviceLockState=locked during repeated inbound retrieval sequence from public web-service platform |
| Application State (DC0123) | MobileEDR:telemetry | LastUserInteractionDelta exceeded threshold before repeated retrieval sequence from public web-service domain from same app identity |
| Application Permission (DC0114) | android:MDMLog | App identity performing repeated one-way retrieval was unmanaged, outside approved app baseline, or not permitted to use detected public web-service class for background content retrieval |

| Field | Description |
|---|---|
| TimeWindow | Correlation window used to evaluate recurring retrieval and absence of same-service writeback. |
| AllowedAppList | Approved app identities vary by organization, role, and device group. |
| AllowedServiceClasses | Some apps legitimately retrieve content from collaboration, messaging, storage, or code-hosting services. |
| AllowedReadOnlyMappings | Defines which apps are expected to only retrieve, and under what foreground/background conditions. |
| RecentUserInteractionWindow | Defines how close retrieval must be to user activity to be considered expected. |
| BeaconIntervalTolerance | Allowed recurrence interval for benign refresh, sync, or polling behavior differs by app category. |
| ForegroundStateRequired | Some apps should only retrieve from certain public service classes while foregrounded. |
| InboundOutboundRatioThreshold | Expected ratio of inbound to outbound bytes for benign app refresh behavior varies by workload. |
The defender correlates repeated retrieval-oriented communication from a supervised device or managed iOS app to a legitimate public web-service platform where the activity remains primarily inbound and does not produce corresponding writeback to that same service class during the operational window. The strongest iOS evidence is managed-app or device-attributed communication to collaboration, social, messaging, storage, or generic HTTPS platforms where inbound fetches or content pulls recur during background refresh, while the device is locked, or without recent user interaction, and no matching POST, upload, update, or message-send activity to that same public service class is observed. Because direct local runtime visibility is weaker on iOS than on Android, the primary analytic is anchored on network directionality plus supervised managed-app and device-state context.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | VPN:MobileProxy | App-attributed HTTP GET, content fetch, sync pull, or inbound-oriented HTTPS session to public web-service domain recurred within TimeWindow without app-attributed POST, PUT, PATCH, upload, comment, message send, or API write to same service class |
| Network Traffic Content (DC0085) | VPN:MobileProxy | Repeated app-attributed retrieval from same public web-service domain or API endpoint occurred at stable recurrence interval with low outbound volume relative to inbound content |
| Network Traffic Content (DC0085) | VPN:MobileProxy | Inbound content retrieval from public web-service domain occurred without subsequent writeback to same service class and was followed by local or downstream activity outside normal app sync profile |
| Application State (DC0123) | MobileEDR:telemetry | DeviceLockState=locked during repeated inbound retrieval sequence from public web-service platform |
| Application State (DC0123) | MobileEDR:telemetry | LastUserInteractionDelta exceeded threshold before repeated retrieval sequence from public web-service domain from same app identity |
| Application Permission (DC0114) | iOS:MDMLog | Bundle performing repeated one-way retrieval was not present in approved managed-app baseline or was not permitted to use detected public web-service class for background content retrieval |

| Field | Description |
|---|---|
| TimeWindow | Correlation window used to evaluate recurring retrieval and absence of same-service writeback. |
| SupervisedRequired | Strongest app-governance and bundle-baseline analytics depend on supervised iOS devices. |
| AllowedManagedApps | Approved managed bundle identities vary by organization and device profile. |
| AllowedServiceClasses | Some managed apps legitimately retrieve content from storage, collaboration, or messaging services. |
| AllowedReadOnlyMappings | Defines which bundles are expected to retrieve without writeback, and in what context. |
| BackgroundRefreshBaseline | Expected background retrieval behavior differs across managed app categories. |
| RecentUserInteractionWindow | Defines how close retrieval must be to user activity to be considered expected. |
| BeaconIntervalTolerance | Allowed recurrence interval for benign refresh, polling, or sync behavior differs by bundle type. |
| InboundOutboundRatioThreshold | Expected ratio of inbound to outbound bytes for benign managed-app refresh behavior varies by workflow. |
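Both the Android and the iOS analytics above reduce to the same correlation: group app-attributed proxy records by service class, require recurring inbound fetches inside TimeWindow with no write to that class, score the recurrence interval and the inbound/outbound byte ratio, and then check the runtime context (AppState, DeviceLockState, LastUserInteractionDelta) and the approved read-only mappings. The following Python is an added example implementing that correlation over constructed VPN:MobileProxy and MobileEDR:telemetry records; it is not ATT&CK's or any vendor's code. The domain-to-service-class catalogue, the `ProxyEvent`/`StateSample` record shapes, the threshold values in `CONFIG`, and the app identities in the sample data are all assumptions made for the example. It serves both platforms: where iOS supplies no app state, `app_state` is left as `None` and the remaining lock and interaction signals carry the check.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Optional

# Constructed domain -> service-class catalogue (illustrative only; a deployment
# would use a maintained list of public web-service domains).
SERVICE_CLASS_BY_HOST = {
    "pastebin.com": "paste",
    "api.github.com": "code-hosting",
    "api.slack.com": "collaboration",
    "drive.google.com": "cloud-storage",
}
INBOUND_METHODS = {"GET", "HEAD"}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Mutable elements, named as in the tables above; every value here is constructed.
CONFIG = {
    "TimeWindow": 3600,                    # seconds
    "MinRecurrence": 4,                    # inbound fetches needed before evaluating a group
    "BeaconIntervalTolerance": 0.15,       # max coefficient of variation of inter-fetch gaps
    "InboundOutboundRatioThreshold": 5.0,  # bytes_in / bytes_out considered lopsided
    "RecentUserInteractionWindow": 120,    # seconds
    # (app identity, service class) -> context in which retrieve-only behaviour is approved
    "AllowedReadOnlyMappings": {("com.example.feedreader", "code-hosting"): "background"},
}


@dataclass(frozen=True)
class ProxyEvent:            # one VPN:MobileProxy record (assumed shape)
    ts: float                # epoch seconds
    app: str                 # Android app identity or iOS bundle id
    host: str
    method: str
    bytes_in: int
    bytes_out: int


@dataclass(frozen=True)
class StateSample:           # one MobileEDR:telemetry record (assumed shape)
    ts: float
    app: str
    app_state: Optional[str]       # "foreground"/"background"; None where iOS gives no app state
    lock_state: str                # "locked"/"unlocked"
    last_interaction_delta: float  # seconds since last user interaction


def state_at(states, app, ts):
    """Latest telemetry sample for the app at or before ts, or None if there is none."""
    prior = [s for s in states if s.app == app and s.ts <= ts]
    return max(prior, key=lambda s: s.ts) if prior else None


def lacks_user_context(state, cfg):
    """True when the fetch ran backgrounded, on a locked device, or long after any interaction."""
    if state is None:
        return False  # no telemetry: the runtime condition cannot be asserted either way
    return (state.app_state == "background" or state.lock_state == "locked"
            or state.last_interaction_delta > cfg["RecentUserInteractionWindow"])


def detect_one_way_retrieval(proxy_events, states, cfg=CONFIG):
    """Flag (app, service class) pairs that only pull from a public web service."""
    groups = defaultdict(list)
    for ev in proxy_events:
        cls = SERVICE_CLASS_BY_HOST.get(ev.host)
        if cls:
            groups[(ev.app, cls)].append(ev)
    alerts = []
    for (app, cls), evs in groups.items():
        evs.sort(key=lambda e: e.ts)
        cutoff = evs[-1].ts - cfg["TimeWindow"]
        evs = [e for e in evs if e.ts >= cutoff]
        if any(e.method in WRITE_METHODS for e in evs):
            continue  # writeback to the same service class: two-way traffic, out of scope
        inbound = [e for e in evs if e.method in INBOUND_METHODS]
        if len(inbound) < cfg["MinRecurrence"]:
            continue
        gaps = [b.ts - a.ts for a, b in zip(inbound, inbound[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        ratio = sum(e.bytes_in for e in inbound) / max(1, sum(e.bytes_out for e in inbound))
        unattended = sum(lacks_user_context(state_at(states, app, e.ts), cfg) for e in inbound)
        expected = cfg["AllowedReadOnlyMappings"].get((app, cls))
        if expected == "background" or (expected == "foreground" and unattended == 0):
            continue  # retrieve-only use of this class is part of the app's approved role
        if unattended * 2 < len(inbound):
            continue  # mostly interactive fetches: consistent with normal foreground consumption
        if cv > cfg["BeaconIntervalTolerance"] and ratio < cfg["InboundOutboundRatioThreshold"]:
            continue  # neither beacon-like timing nor a lopsided byte ratio
        alerts.append({"app": app, "service_class": cls, "fetches": len(inbound),
                       "interval_cv": round(cv, 3), "in_out_ratio": ratio,
                       "unattended_fetches": unattended})
    return alerts


# Constructed telemetry: a retrieve-only poller, a two-way chat app, an approved read-only app.
SAMPLE_PROXY = (
    [ProxyEvent(t, "com.example.notes", "pastebin.com", "GET", 4000, 250)
     for t in (1000, 1300, 1598, 1902, 2201)]
    + [ProxyEvent(1000 + 30 * i, "com.example.chat", "api.slack.com", "GET", 2000, 300)
       for i in range(4)]
    + [ProxyEvent(1130, "com.example.chat", "api.slack.com", "POST", 200, 1500)]
    + [ProxyEvent(t, "com.example.feedreader", "api.github.com", "GET", 9000, 200)
       for t in (1000, 1600, 2200, 2800)]
)
SAMPLE_STATES = [
    StateSample(900, "com.example.notes", "background", "locked", 1800),
    StateSample(900, "com.example.chat", "foreground", "unlocked", 5),
    StateSample(900, "com.example.feedreader", "background", "locked", 1800),
]

if __name__ == "__main__":
    for alert in detect_one_way_retrieval(SAMPLE_PROXY, SAMPLE_STATES):
        print(alert)
```

On the sample data only the notes app is flagged: five GETs to the paste class at a near-constant 300 s cadence, a 16:1 inbound/outbound byte ratio, every fetch on a locked device with the app backgrounded, and no approved read-only mapping. The chat app is dropped by the writeback check because its POST lands in the same service class, and the feed reader is dropped by its AllowedReadOnlyMappings entry. The writeback test is deliberately per service class rather than per host, matching the tables, so an app that reads from one code-hosting endpoint and writes to another is still treated as two-way.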