An app or app update arrives through an expected delivery path or presents as a known legitimate package identity, but its post-install or post-update behavior materially changes in ways inconsistent with its historical role. The defender correlates package identity and install/update context, newly expanded capability state, changed runtime framework use, new sensor or storage behaviors, and new network destinations shortly after installation or update to identify likely supply-chain compromise rather than ordinary malicious sideloading or unrelated post-compromise activity.

| Data Component | Name | Channel |
|---|---|---|
| Protected Configuration (DC0115) | android:MDMLog | Managed app catalog, enterprise update policy, or trusted distribution posture remains unchanged while a known app exhibits materially different post-update behavior |
| Application Permission (DC0114) | android:MDMLog | Known application or newly updated version declares, gains, or activates expanded storage, sensor, communications, accessibility, or device-management capability inconsistent with prior baseline or app role |
| Application State (DC0123) | MobileEDR:telemetry | Updated or newly delivered application becomes active, launches background services, or executes shortly after install/update with minimal user interaction inconsistent with baseline |
| OS API Execution (DC0021) | MobileEDR:telemetry | Known application begins first-seen or expanded use of content providers, account services, accessibility, package services, cryptographic routines, dynamic loading, or other framework interactions after update/install |

| Field | Description |
|---|---|
| TimeWindow | Maximum span between app install/update event and first suspicious post-delivery behavior. |
| AllowedAppList | Approved apps expected to change permissions, add services, or contact new destinations because of legitimate feature releases. |
| AllowedVersionChangeWindow | Grace period after a documented app release during which some behavior drift may be expected. |
| ForegroundStateRequired | Whether certain behaviors should only be considered suspicious when they occur without visible user interaction. |
| RecentUserInteractionWindow | Threshold for determining whether immediate post-update activity was user-driven or autonomous. |
| DestinationAllowList | Expected new destinations, APIs, CDNs, or telemetry endpoints associated with approved app updates. |
| CapabilityDriftThreshold | Threshold for how many newly added or newly exercised permissions/capabilities are considered abnormal for a known app. |
| BehaviorBaselinePopulation | Population of prior devices, versions, or user cohorts used to baseline normal app behavior. |

A managed or supervised app, app update, or enterprise-distributed build retains a legitimate-seeming identity but exhibits post-delivery behavior inconsistent with its expected role, prior version, or distribution context. Because iOS exposes less direct visibility into bundled dependency tampering or component-level supply-chain insertion, the defender prioritizes supervised app inventory, signing/provisioning trust posture, entitlement and behavior drift after update, new sensor/resource use, and new downstream network effects soon after install or version change.

| Data Component | Name | Channel |
|---|---|---|
| Protected Configuration (DC0115) | iOS:MDMLog | Managed app distribution, supervised install posture, or provisioning trust context remains expected while a known app exhibits materially different behavior after version change |
| Application Permission (DC0114) | iOS:MDMLog | Known application version declares, activates, or exhibits new entitlements, privacy permissions, or capability use inconsistent with prior baseline or business role |
| Application State (DC0123) | MobileEDR:telemetry | Updated or newly delivered application wakes, foregrounds, refreshes, or becomes active shortly after version change with weak recent user interaction |
| OS API Execution (DC0021) | MobileEDR:telemetry | Known application begins first-seen or expanded use of protected frameworks, account services, background task APIs, crypto/network service APIs, or other runtime behaviors after update/install |

| Field | Description |
|---|---|
| TimeWindow | Maximum span between app install/version change and first suspicious post-delivery behavior. |
| SupervisedOnly | Whether the analytic should only apply to supervised devices with high-confidence app inventory and managed distribution telemetry. |
| AllowedAppList | Approved apps expected to expand capabilities or contact new destinations because of legitimate releases. |
| AllowedVersionChangeWindow | Grace period after approved releases during which some behavior drift may be expected. |
| ForegroundStateRequired | Whether certain behaviors should only be treated as suspicious when they occur without expected visible user interaction. |
| RecentUserInteractionWindow | Threshold for distinguishing autonomous post-update behavior from expected user-driven first-run flows. |
| DestinationAllowList | Expected new domains, APIs, telemetry services, or CDNs associated with approved app updates. |
| CapabilityDriftThreshold | Threshold for how much entitlement or capability drift is tolerated for a known app. |
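A sketch of the correlation both the Android and iOS analytics above describe, added here as an example and not code from ATT&CK or any MDM/EDR product: a managed install/update event opens a TimeWindow, and behavior inside that window is compared with the app's prior-version baseline using the mutable elements from the tables. The event shape, the constructed baseline and telemetry, and the rule that an alert needs drift on two or more axes are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Params:  # tunables mirroring the mutable elements in the tables above
    time_window: int = 3600                 # seconds after install/update to correlate behavior
    allowed_apps: set = field(default_factory=set)
    destination_allow: set = field(default_factory=set)
    capability_drift_threshold: int = 2
    recent_user_interaction_window: int = 60

# Constructed per-app baseline: permissions/entitlements and destinations seen on prior versions
BASELINE = {
    "com.example.notes": {"perms": {"INTERNET", "READ_EXTERNAL_STORAGE"}, "dests": {"api.notes.invalid"}},
    "com.example.mail": {"perms": {"INTERNET", "READ_CONTACTS"}, "dests": {"mail.example.invalid"}},
}
# Constructed event stream (ts in seconds); "managed" = arrived through the expected delivery path
EVENTS = [
    {"ts": 0, "app": "com.example.notes", "type": "update", "version": "2.1.0", "managed": True},
    {"ts": 5, "app": "com.example.notes", "type": "permission", "perm": "RECORD_AUDIO"},
    {"ts": 6, "app": "com.example.notes", "type": "permission", "perm": "READ_CONTACTS"},
    {"ts": 7, "app": "com.example.notes", "type": "permission", "perm": "BIND_ACCESSIBILITY_SERVICE"},
    {"ts": 40, "app": "com.example.notes", "type": "service_start"},  # no user interaction nearby
    {"ts": 45, "app": "com.example.notes", "type": "net", "dest": "unknown-host.invalid"},
    {"ts": 100, "app": "com.example.mail", "type": "update", "version": "5.2.0", "managed": True},
    {"ts": 130, "app": "com.example.mail", "type": "user_interaction"},
    {"ts": 140, "app": "com.example.mail", "type": "service_start"},  # user-driven first run
    {"ts": 150, "app": "com.example.mail", "type": "net", "dest": "mail.example.invalid"},
]

def evaluate(events, baseline, p):
    """One alert per managed install/update whose post-delivery behavior drifts on two or more axes."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] not in ("install", "update") or not ev.get("managed") or ev["app"] in p.allowed_apps:
            continue  # unmanaged arrivals are sideloading, which belongs to a different analytic
        app, t0 = ev["app"], ev["ts"]
        base = baseline.get(app, {"perms": set(), "dests": set()})
        win = [e for e in events if e["app"] == app and t0 < e["ts"] <= t0 + p.time_window]
        new_perms = {e["perm"] for e in win if e["type"] == "permission"} - base["perms"]
        new_dests = {e["dest"] for e in win if e["type"] == "net"} - base["dests"] - p.destination_allow
        clicks = [e["ts"] for e in win if e["type"] == "user_interaction"]
        autonomous = [e["ts"] for e in win if e["type"] == "service_start"
                      and not any(0 <= e["ts"] - c <= p.recent_user_interaction_window for c in clicks)]
        reasons = [msg for hit, msg in (
            (len(new_perms) >= p.capability_drift_threshold, f"capability drift: {sorted(new_perms)}"),
            (bool(new_dests), f"new destinations: {sorted(new_dests)}"),
            (bool(autonomous), f"autonomous activity at t={autonomous}")) if hit]
        if len(reasons) >= 2:  # known identity plus multi-axis drift: likely compromised update
            alerts.append({"app": app, "version": ev["version"], "reasons": reasons})
    return alerts
```

The mail app's update stays quiet because its only new activity follows a user interaction inside RecentUserInteractionWindow and its destination is already baselined; the notes app trips all three axes.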