Correlates (1) acquisition of foreground or background location permission sufficient for continuous geolocation evaluation, (2) repeated location checks or registration of geofence monitoring in background or low-interaction states, and (3) transition into sensitive behavior only after the device enters, exits, or remains within a qualifying geographic region. The defender observes a causal chain where an application suppresses malicious or higher-risk behavior until a location-derived condition is satisfied, then initiates follow-on actions such as network communication, background processing, or protected resource access.

| Data Component | Name | Channel |
|---|---|---|
| Application State (DC0123) | MobileEDR:telemetry | application remains dormant, low-activity, or background-resident across non-qualifying locations and transitions into active execution only after geographic condition is met |
| Application Permission (DC0114) | android:MDMLog | application granted ACCESS_FINE_LOCATION and, when required for background operation, ACCESS_BACKGROUND_LOCATION + capability state sufficient for persistent geolocation monitoring before later guarded activity |
| OS API Execution (DC0021) | MobileEDR:telemetry | application invokes geolocation or geofencing framework operations (e.g., location polling or geofence registration/evaluation) and sensitive framework activity begins only after region match or location threshold condition |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between location evaluation, region transition, and guarded execution |
| RegionMatchThreshold | Defines proximity, radius, or duration within region required before subsequent activity is considered geographically gated |
| BackgroundLocationRequired | Whether suspiciousness increases when background location permission is present and activity occurs outside foreground use |
| DormancyThreshold | Amount of low-activity or dormant runtime before location-qualified activation |
| AllowedAppList | Baseline of legitimate apps expected to use geofencing or conditional location-based features |
| ForegroundStateRequired | Whether execution should be considered higher fidelity only when it begins from background or without recent user interaction |
| UplinkBytesThreshold | Minimum outbound traffic volume used to distinguish meaningful post-match activity from benign telemetry |

Correlates (1) application possession and use of location authorization sufficient for ongoing geographic evaluation, (2) repeated location or region-monitoring behavior with limited visible feature activation outside target area, and (3) abrupt onset of network communication, background execution, or feature activation only after a qualifying location context is reached. Because direct visibility into every geofence callback is often weaker on iOS, the defender relies more heavily on the combination of location authorization state, repeated location access, app state transition, and downstream behavior that begins after region alignment.

| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | iOS:MDMLog | application authorized for when-in-use or always location access and, where relevant, background execution capability sufficient for continued geographic evaluation before later guarded behavior |
| OS API Execution (DC0021) | MobileEDR:telemetry | application exhibits repeated location-context evaluation followed by delayed privileged framework use or feature activation only after target region match |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between location access, region qualification, and guarded activity |
| AuthorizationMode | Expected risk weighting for when-in-use versus always authorization and whether background behavior occurs under that mode |
| RegionMatchThreshold | Defines geospatial or dwell-time threshold used to infer region-based activation |
| DormancyThreshold | Duration of inactivity or suppressed behavior before location-qualified activation |
| ExpectedBackgroundModes | Baseline of apps legitimately using location-driven background execution or region monitoring |
| AllowedDestinationList | Expected destinations for apps whose network activity legitimately depends on user location |
| UserInteractionThreshold | Acceptable recency of user interaction before post-location activation is considered suspicious |
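The three-step correlation described for both platforms above, run over constructed telemetry, as an added example that is not part of this detection strategy or of any MobileEDR or MDM product. The normalised event kinds (`perm_grant`, `location_eval`, `app_state`, `user_interaction`, `region_enter`, `network`), the `Config` field names (one per tunable from the tables), and the app identifiers and hosts are assumptions made for the example; the permission names and authorization modes are the ones the tables list. RegionMatchThreshold is modelled as a dwell time after region entry, which is one of the three forms the table allows.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Authorizations that allow continuous geographic evaluation (names from the strategy tables).
LOCATION_PERMS = {"ACCESS_FINE_LOCATION", "ACCESS_BACKGROUND_LOCATION", "WhenInUse", "Always"}
BACKGROUND_PERMS = {"ACCESS_BACKGROUND_LOCATION", "Always"}

@dataclass
class Event:
    # Assumed normalised record; kinds: perm_grant, location_eval, app_state, user_interaction, region_enter, network
    ts: int             # seconds on a constructed clock
    app: str
    kind: str
    detail: str = ""    # permission name, app state, or destination host
    bytes_out: int = 0  # outbound bytes for network events

@dataclass
class Config:
    time_window: int = 3600                    # TimeWindow
    region_dwell: int = 60                     # RegionMatchThreshold, as dwell seconds after region entry
    dormancy_threshold: int = 600              # DormancyThreshold
    background_location_required: bool = True  # BackgroundLocationRequired
    min_location_evals: int = 2                # "repeated" location checks or registrations
    user_interaction_threshold: int = 300      # UserInteractionThreshold
    uplink_bytes_threshold: int = 4096         # UplinkBytesThreshold
    allowed_apps: Set[str] = field(default_factory=set)          # AllowedAppList / ExpectedBackgroundModes
    allowed_destinations: Set[str] = field(default_factory=set)  # AllowedDestinationList

def detect_location_gated_activation(events: List[Event], cfg: Config) -> List[dict]:
    """One finding per app whose guarded activity begins only after a region match."""
    by_app: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_app.setdefault(ev.app, []).append(ev)
    findings = []
    for app, evs in by_app.items():
        perms = {e.detail for e in evs if e.kind == "perm_grant"}
        if app in cfg.allowed_apps or not perms & LOCATION_PERMS:
            continue                          # baseline app, or (1) no location authorization at all
        if cfg.background_location_required and not perms & BACKGROUND_PERMS:
            continue
        if sum(e.kind == "location_eval" for e in evs) < cfg.min_location_evals:
            continue                          # (2) location checks not repeated
        regions = [e for e in evs if e.kind == "region_enter"]
        # guarded activity: sizeable uplink to a host outside the baseline
        guarded = [e for e in evs if e.kind == "network" and e.bytes_out >= cfg.uplink_bytes_threshold
                   and e.detail not in cfg.allowed_destinations]
        if not regions or not guarded or guarded[0].ts < regions[0].ts:
            continue                          # no region match, or activity already ran before it
        for act in guarded:
            # (3) activation inside the window and after the dwell requirement
            if not regions[0].ts + cfg.region_dwell <= act.ts <= regions[0].ts + cfg.time_window:
                continue
            states = [e for e in evs if e.kind == "app_state" and e.ts <= act.ts]
            if not states or states[-1].detail != "background":
                continue                      # began from the foreground
            if act.ts - states[-1].ts < cfg.dormancy_threshold:
                continue                      # not dormant long enough
            touches = [e.ts for e in evs if e.kind == "user_interaction" and e.ts <= act.ts]
            if touches and act.ts - touches[-1] < cfg.user_interaction_threshold:
                continue                      # recent user interaction explains the activity
            findings.append({"app": app, "region_ts": regions[0].ts, "activation_ts": act.ts,
                             "destination": act.detail, "bytes_out": act.bytes_out})
            break
    return findings

# Constructed telemetry for four hypothetical apps (not real MobileEDR or MDM output).
EVENTS = [
    # gated: authorised, goes dormant, polls repeatedly, uplinks only after entering the region
    Event(0, "com.example.gated", "perm_grant", "ACCESS_FINE_LOCATION"),
    Event(1, "com.example.gated", "perm_grant", "ACCESS_BACKGROUND_LOCATION"),
    Event(100, "com.example.gated", "user_interaction"),
    Event(120, "com.example.gated", "app_state", "background"),
    Event(200, "com.example.gated", "location_eval", "geofence_register"),
    Event(1400, "com.example.gated", "location_eval", "location_poll"),
    Event(2000, "com.example.gated", "region_enter", "target-region"),
    Event(2100, "com.example.gated", "network", "upload.example.invalid", bytes_out=20000),
    # baseline: on the allow list, so never scored
    Event(0, "com.example.mapsapp", "perm_grant", "Always"),
    Event(2000, "com.example.mapsapp", "region_enter", "home"),
    Event(2100, "com.example.mapsapp", "network", "api.mapsapp.invalid", bytes_out=9000),
    # not gated: already uplinking before any region match
    Event(0, "com.example.chatty", "perm_grant", "ACCESS_BACKGROUND_LOCATION"),
    Event(50, "com.example.chatty", "app_state", "background"),
    Event(100, "com.example.chatty", "location_eval", "location_poll"),
    Event(500, "com.example.chatty", "network", "sync.example.invalid", bytes_out=30000),
    Event(700, "com.example.chatty", "location_eval", "location_poll"),
    Event(2000, "com.example.chatty", "region_enter", "target-region"),
    # user driven: activity follows the user bringing the app to the foreground
    Event(0, "com.example.userdriven", "perm_grant", "Always"),
    Event(100, "com.example.userdriven", "app_state", "background"),
    Event(200, "com.example.userdriven", "location_eval", "location_poll"),
    Event(900, "com.example.userdriven", "location_eval", "location_poll"),
    Event(2000, "com.example.userdriven", "region_enter", "target-region"),
    Event(2050, "com.example.userdriven", "user_interaction"),
    Event(2051, "com.example.userdriven", "app_state", "foreground"),
    Event(2100, "com.example.userdriven", "network", "cdn.example.invalid", bytes_out=50000),
]
CONFIG = Config(allowed_apps={"com.example.mapsapp"}, allowed_destinations={"telemetry.example.invalid"})

def run_example() -> List[dict]:
    return detect_location_gated_activation(EVENTS, CONFIG)
```

Only `com.example.gated` produces a finding: the other three are dropped by the allow list, by the "activity before any region match" check, and by the foreground and user-interaction checks respectively. Lowering `uplink_bytes_threshold` or disabling `background_location_required` widens the match set, which is where the tunables trade fidelity for coverage.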