The defender correlates application TLS trust customization activity with subsequent outbound encrypted sessions that bypass enterprise interception visibility or fail only under enterprise inspection conditions. The analytic looks for an app establishing its own certificate or public-key trust logic, then initiating HTTPS sessions to destinations not aligned with approved app behavior, especially from background state or without recent user interaction. Higher-confidence observations come from Android runtime/framework telemetry showing custom trust manager, certificate validation override, or pin validation logic immediately preceding network connection attempts, combined with network evidence of failed-inspection patterns or opaque direct TLS sessions.
| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | MobileEDR:telemetry | Application invokes custom TLS trust evaluation logic or pin validation routines (e.g., custom TrustManager, HostnameVerifier override, certificate/public key comparison) immediately before outbound TLS session establishment |
| Application State (DC0123) | MobileEDR:telemetry | TLS trust customization and outbound HTTPS session occur while app_state=background or device_locked=true or recent_user_interaction=false |
| Application Permission (DC0114) | android:MDMLog | Managed app with undeclared secure transport behavior or app category mismatch initiates opaque TLS communications inconsistent with enterprise policy baseline |
| Network Traffic Content (DC0085) | NSM:Flow | Application initiates HTTPS connection with repeated certificate validation failure under enterprise proxy followed by direct network retry or stable opaque TLS communication to same endpoint within correlation window |
| Network Traffic Content (DC0085) | NSM:Inspection | TLS session from mobile app fails, resets, or refuses enterprise interception while same destination/app pair repeatedly establishes direct encrypted communication pattern consistent with pinned certificate/public-key validation |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between trust customization activity and outbound TLS connection |
| AllowedAppList | Apps legitimately expected to implement SSL pinning such as banking, enterprise auth, or secure messaging apps |
| AllowedDestinationList | Approved domains, IPs, and service endpoints for managed applications |
| ForegroundStateRequired | Whether the application is expected to establish pinned sessions only during active user-driven workflows |
| InspectionFailureThreshold | Number of repeated inspection failures or certificate mismatch events before escalating |
| RetryPatternWindow | Time tolerance for inspection failure followed by retry/direct connection pattern |

The defender correlates supervised-device application posture and background execution context with network-side evidence that an app rejects enterprise inspection or performs certificate/public-key-bound trust behavior during TLS establishment. Because direct app-level pin-validation observability is weaker on iOS, the analytic is anchored primarily to network control-plane effects: repeated TLS handshake rejection under enterprise inspection, destination-specific inspection bypass patterns, or persistent opaque app-to-endpoint encrypted sessions inconsistent with baseline app behavior. Additional confidence comes from managed app identity, background execution context, and supervised device policy state.
| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | iOS:MDMLog | Supervised managed app with undeclared secure transport behavior or unexpected network role communicates with non-baselined destination over opaque TLS |
| Application State (DC0123) | MobileEDR:telemetry | Managed app initiates or resumes network-capable execution while app_state=background or device_locked=true before opaque TLS session attempt |
| Network Traffic Content (DC0085) | NSM:Flow | App-destination pair shows consistent inspection bypass/refusal pattern followed by direct encrypted communication or repeated short-lived TLS sessions to same endpoint within correlation window |
| Network Traffic Content (DC0085) | NSM:Inspection | TLS handshake from iOS app repeatedly fails or is rejected only when enterprise SSL inspection certificate is presented, indicating certificate or public-key pin validation effect |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between app lifecycle event and network-side inspection failure or opaque TLS session |
| AllowedAppList | Managed apps expected to use certificate or public-key pinning for legitimate purposes |
| AllowedDestinationList | Approved endpoints expected for legitimate pinned sessions |
| ForegroundStateRequired | Whether the app is expected to perform network establishment only during user-driven workflows |
| InspectionFailureThreshold | Number of repeated TLS-inspection failures needed before escalating confidence |
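A correlator that implements both the Android analytic (trust-customization telemetry joined with network evidence) and the iOS analytic (network-side inspection refusal plus background context), added here as an example and not part of the original page or of any MITRE ATT&CK tooling. The `Event` class, the event kinds, the `correlate` function and the sample events (example package names, TEST-NET addresses) are constructed assumptions; the six tunable fields are the ones named in the tables above, with assumed values.

```python
"""Join MobileEDR telemetry (trust overrides, app state) with NSM
inspection/flow evidence per (app, destination) pair. Constructed example."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    ts: float          # seconds on a constructed clock
    app: str           # package / bundle id
    kind: str          # trust_override | app_state | inspection_failure | direct_tls
    dest: str = ""     # destination host or IP for network events
    attrs: dict = field(default_factory=dict)


# Tunable fields from the analytic tables; values are assumptions.
CONFIG = {
    "TimeWindow": 120.0,             # trust customization -> TLS attempt
    "RetryPatternWindow": 30.0,      # inspection failure -> direct retry
    "InspectionFailureThreshold": 3,
    "ForegroundStateRequired": True,
    "AllowedAppList": {"com.example.bank"},
    "AllowedDestinationList": {"api.example-bank.com"},
}


def _is_background(state):
    return (state.get("app_state") == "background"
            or state.get("device_locked") is True
            or state.get("recent_user_interaction") is False)


def correlate(events, cfg=CONFIG):
    """Return one alert dict per (app, dest) pair with enough evidence."""
    last_trust = {}                  # app -> ts of last trust override
    last_state = defaultdict(dict)   # app -> most recent app_state attrs
    failures = defaultdict(int)      # (app, dest) -> inspection failures
    last_failure = {}                # (app, dest) -> ts of last failure
    evidence = defaultdict(set)      # (app, dest) -> evidence tags

    def context(key, ts):
        # Android: trust logic shortly before the TLS attempt; both: background state
        app = key[0]
        t = last_trust.get(app)
        if t is not None and 0 <= ts - t <= cfg["TimeWindow"]:
            evidence[key].add("trust_override_before_tls")
        if cfg["ForegroundStateRequired"] and _is_background(last_state[app]):
            evidence[key].add("background_context")

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "trust_override":
            last_trust[ev.app] = ev.ts
        elif ev.kind == "app_state":
            last_state[ev.app] = ev.attrs
        elif ev.kind == "inspection_failure":
            key = (ev.app, ev.dest)
            failures[key] += 1
            last_failure[key] = ev.ts
            if failures[key] >= cfg["InspectionFailureThreshold"]:
                evidence[key].add("inspection_refusal")
            context(key, ev.ts)
        elif ev.kind == "direct_tls":
            key = (ev.app, ev.dest)
            lf = last_failure.get(key)
            if lf is not None and 0 <= ev.ts - lf <= cfg["RetryPatternWindow"]:
                evidence[key].add("direct_retry_after_failure")
            context(key, ev.ts)

    alerts = []
    for (app, dest), tags in evidence.items():
        if app in cfg["AllowedAppList"] and dest in cfg["AllowedDestinationList"]:
            continue  # expected pinning for a known app/endpoint pair
        network = tags & {"inspection_refusal", "direct_retry_after_failure"}
        trust = "trust_override_before_tls" in tags
        bg = "background_context" in tags
        if not network and not (trust and bg):
            continue
        confidence = "high" if trust and network else "medium" if len(tags) >= 2 else "low"
        alerts.append({"app": app, "dest": dest, "confidence": confidence,
                       "evidence": sorted(tags)})
    return alerts


SAMPLE_EVENTS = [  # constructed; addresses are TEST-NET ranges
    Event(0, "com.example.weather", "app_state", attrs={"app_state": "background", "device_locked": True}),
    Event(5, "com.example.weather", "trust_override", attrs={"api": "X509TrustManager.checkServerTrusted"}),
    Event(6, "com.example.weather", "inspection_failure", "203.0.113.10"),
    Event(7, "com.example.weather", "inspection_failure", "203.0.113.10"),
    Event(8, "com.example.weather", "inspection_failure", "203.0.113.10"),
    Event(10, "com.example.weather", "direct_tls", "203.0.113.10"),
    Event(100, "com.example.notes", "app_state", attrs={"app_state": "background"}),   # iOS: network-only
    Event(101, "com.example.notes", "inspection_failure", "198.51.100.7"),
    Event(120, "com.example.notes", "inspection_failure", "198.51.100.7"),
    Event(140, "com.example.notes", "inspection_failure", "198.51.100.7"),
    Event(200, "com.example.shop", "app_state", attrs={"app_state": "foreground", "recent_user_interaction": True}),
    Event(201, "com.example.shop", "inspection_failure", "192.0.2.44"),
    Event(202, "com.example.shop", "direct_tls", "192.0.2.44"),
    Event(300, "com.example.bank", "inspection_failure", "api.example-bank.com"),
    Event(301, "com.example.bank", "inspection_failure", "api.example-bank.com"),
    Event(302, "com.example.bank", "inspection_failure", "api.example-bank.com"),
    Event(303, "com.example.bank", "direct_tls", "api.example-bank.com"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample input the Android app scores high (trust override, background state, threshold reached and a direct retry), the iOS app scores medium from inspection refusal plus background context alone, the foreground app with a single failure and retry scores low, and the allow-listed banking app to its approved endpoint is suppressed. Suppression applies only when both app and destination are allow-listed, so an allow-listed app pinning to an unapproved endpoint is still evaluated.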