Correlates (1) application access to device- or environment-specific attributes used to validate target conditions, (2) suppression of sensitive behavior until those attributes match an expected value, and (3) immediate transition into protected actions such as sensor use, file access, or network communication only after the condition is satisfied. The defender observes a causal chain where an app repeatedly evaluates device state or environment context and withholds execution until a target-specific match occurs.

| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | android:MDMLog | application holds permissions enabling environment validation (e.g., location, phone state, nearby device/network context) and subsequently delays protected activity until qualifying values are present |
| OS API Execution (DC0021) | MobileEDR:telemetry | application queries target-selection attributes (e.g., location, SIM/operator, locale, device state, network identity) and then conditionally invokes sensitive framework APIs only after the expected value is observed |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between environment checks and subsequent guarded execution |
| TargetAttributeSet | Environment attributes treated as likely guardrail inputs, such as locale, geolocation, carrier, Wi-Fi identity, device model, or lock state |
| DormancyThreshold | Amount of suppressed or low-activity runtime before sensitive behavior begins |
| AllowedAppList | Baseline of legitimate apps expected to evaluate environment attributes before conditional feature activation |
| ForegroundStateRequired | Whether guarded execution is only suspicious when activated from background or without recent user interaction |
| UplinkBytesThreshold | Minimum outbound traffic volume used to distinguish meaningful guarded execution from benign telemetry |

Detects conditional execution by correlating (1) application access to constrained environment signals such as location, locale, network context, device state, or user-interaction timing, (2) prolonged inactivity or feature suppression despite available permissions, and (3) abrupt initiation of higher-risk behavior only once the expected target context is present. Because runtime decision logic is harder to observe directly on iOS, the defender relies more heavily on lifecycle, sensor, and downstream network effects that follow target-condition alignment.

| Data Component | Name | Channel |
|---|---|---|
| Application State (DC0123) | MobileEDR:telemetry | application remains inactive across normal execution windows and transitions into a burst of background or foreground activity only when a qualifying device context, lock state, locale, or network condition exists |
| Application Permission (DC0114) | iOS:MDMLog | application has approved capabilities required for conditional execution (e.g., location/background modes) but observed behavior is deferred until target-specific state is present |
| OS API Execution (DC0021) | MobileEDR:telemetry | application exhibits repeated environment-context evaluation followed by delayed privileged framework use only after a target-specific match |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between context checks and guarded execution |
| TargetContextSet | Expected environment properties used for gating, such as location region, locale, SSID/network context, device lock state, or user activity timing |
| DormancyThreshold | Duration of inactivity before guarded behavior begins |
| ExpectedBackgroundModes | Baseline of legitimate apps whose feature activation is context-dependent in background execution |
| AllowedDestinationList | Expected destinations for apps whose network activity legitimately begins only in certain contexts |
| UserInteractionThreshold | Acceptable recency of user interaction before guarded execution is considered suspicious |
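As an added example (not part of the original page), a small correlation routine that applies the Android and iOS chains above to constructed telemetry: it requires repeated checks of guardrail attributes spanning DormancyThreshold, a sensitive API call within TimeWindow of the last matching check, and outbound traffic above UplinkBytesThreshold, while skipping apps on AllowedAppList. The event tuple shape, app names, attribute labels, and tuning values are assumptions for the example.

```python
# Tunable elements named after the page's mutable fields; values are assumptions for the example.
TARGET_ATTRIBUTE_SET = {"location", "locale", "sim_operator", "ssid", "lock_state", "device_model"}
ALLOWED_APP_LIST = {"com.example.weather"}  # baseline apps that legitimately gate features on context
TIME_WINDOW = 60            # seconds between the last environment check and guarded execution
DORMANCY_THRESHOLD = 3600   # seconds of repeated checking with no sensitive activity
UPLINK_BYTES_THRESHOLD = 10_000

# Constructed sample telemetry (not real device data): (seconds, app, event_type, detail)
SAMPLE_EVENTS = [
    (0,    "com.example.weather", "env_query", "location"),
    (5,    "com.example.weather", "sensitive_api", "network"),
    (6,    "com.example.weather", "uplink", 2048),
    (0,    "com.example.guarded", "env_query", "sim_operator"),
    (3600, "com.example.guarded", "env_query", "locale"),
    (7200, "com.example.guarded", "env_query", "sim_operator"),
    (7201, "com.example.guarded", "sensitive_api", "microphone"),
    (7205, "com.example.guarded", "uplink", 120000),
]


def find_guarded_execution(events, time_window=TIME_WINDOW, dormancy=DORMANCY_THRESHOLD,
                           uplink_min=UPLINK_BYTES_THRESHOLD, allowed=ALLOWED_APP_LIST,
                           attributes=TARGET_ATTRIBUTE_SET):
    """One finding per app whose first sensitive API call ends a dormant run of
    environment checks and is followed by meaningful uplink inside the window."""
    findings = []
    for app in sorted({e[1] for e in events} - set(allowed)):
        evs = sorted((e for e in events if e[1] == app), key=lambda e: e[0])
        sensitive = [(t, d) for t, _, kind, d in evs if kind == "sensitive_api"]
        if not sensitive:
            continue
        t_sens, api = sensitive[0]
        # (1) environment checks against guardrail attributes made before the sensitive call
        prior = [t for t, _, kind, d in evs
                 if kind == "env_query" and d in attributes and t <= t_sens]
        if len(prior) < 2:
            continue
        # (2) repeated checking across the dormancy threshold, then execution right after a match
        dormant = t_sens - prior[0] >= dormancy
        triggered = t_sens - prior[-1] <= time_window
        # (3) downstream network effect inside the correlation window
        uplink = sum(d for t, _, kind, d in evs
                     if kind == "uplink" and t_sens <= t <= t_sens + time_window)
        if dormant and triggered and uplink >= uplink_min:
            findings.append({"app": app, "api": api, "dormant_seconds": t_sens - prior[0],
                             "checks": len(prior), "uplink_bytes": uplink})
    return findings
```

On the sample data only com.example.guarded is reported; the weather app is on the allow list and, even without it, makes a single check before its network call, so it never meets the repeated-check condition.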