An application generates, imports, or accesses asymmetric keypairs (e.g., RSA/ECC), uses a public key to encrypt outbound data or establish encrypted sessions, and transmits the resulting ciphertext in structured communication patterns. Detection correlates keypair lifecycle activity + asymmetric crypto API usage + data transformation + background execution context + network transmission, especially when inconsistent with expected application functionality.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | MobileEDR:telemetry | App invokes asymmetric cryptographic operations (e.g., RSA/ECC keypair generation OR public key encryption OR signature operations) on outbound data buffers |
| OS API Execution (DC0021) | MobileEDR:telemetry | Keypair generation, import, or access events (public/private key usage) occurring prior to network communication |
| File Creation (DC0039) | MobileEDR:telemetry | App writes asymmetric-encrypted blobs or encoded ciphertext to local buffers or files prior to transmission |
| Application State (DC0123) | MobileEDR:telemetry | Asymmetric crypto operations occur while app_state=background OR device_locked=true OR no recent user interaction |
| Application Permission (DC0114) | android:MDMLog | App not in approved cryptographic or secure communication category performing keypair + encryption + transmission behavior |


| Field | Description |
|---|---|
| TimeWindow | Correlation window between keypair usage and outbound communication |
| AllowedCryptoApps | Apps expected to use asymmetric cryptography (e.g., secure messaging, VPN, enterprise auth apps) |
| ForegroundStateRequired | Whether key generation/encryption should occur only during user interaction |
| KeyGenerationThreshold | Frequency of keypair generation/import events considered anomalous |
| PayloadSizeVariance | Expected variability in payload sizes due to asymmetric encryption overhead |

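The correlation described above, as an added worked example that is not part of the original page and not any vendor's detection logic. It assumes a simplified, constructed MobileEDR event schema (`Event` with `kind`, `op`, `app_state`, `device_locked`, `dest`) and maps the mutable elements TimeWindow, AllowedCryptoApps, ForegroundStateRequired and KeyGenerationThreshold directly onto function parameters; the sample telemetry is constructed, not captured from a device.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Asymmetric operations corresponding to the OS API Execution (DC0021) rows.
ASYMMETRIC_OPS = {"keypair_generate", "keypair_import", "keypair_access",
                  "public_key_encrypt", "sign"}
KEY_LIFECYCLE_OPS = {"keypair_generate", "keypair_import"}


@dataclass
class Event:
    """One MobileEDR telemetry record (constructed schema, not a real product's)."""
    ts: float                      # seconds since epoch
    app: str                       # package / bundle id
    kind: str                      # "crypto_api" | "file_write" | "net_send"
    op: Optional[str] = None       # crypto_api: which operation was invoked
    app_state: str = "foreground"  # "foreground" | "background"
    device_locked: bool = False
    dest: Optional[str] = None     # net_send: remote host
    size: int = 0                  # bytes written / sent


def detect(events, time_window=300.0, allowed_crypto_apps=frozenset(),
           foreground_state_required=True, key_generation_threshold=2):
    """Return one alert per (app, outbound send) pair that was preceded, within
    time_window seconds, by asymmetric crypto API use in a suspicious context."""
    by_app = defaultdict(list)
    for e in events:
        by_app[e.app].append(e)

    alerts = []
    for app, evs in by_app.items():
        if app in allowed_crypto_apps:
            continue  # AllowedCryptoApps: asymmetric crypto is expected here
        evs.sort(key=lambda e: e.ts)
        for send in (e for e in evs if e.kind == "net_send"):
            window = [e for e in evs if send.ts - time_window <= e.ts < send.ts]
            crypto = [e for e in window
                      if e.kind == "crypto_api" and e.op in ASYMMETRIC_OPS]
            if not crypto:
                continue  # no asymmetric usage preceding this transmission
            reasons = []
            # Application State (DC0123): crypto while background / locked.
            background = any(e.app_state == "background" or e.device_locked
                             for e in crypto)
            if foreground_state_required and background:
                reasons.append("asymmetric crypto while background/locked")
            # KeyGenerationThreshold: repeated keypair generation/import.
            keygen = sum(1 for e in crypto if e.op in KEY_LIFECYCLE_OPS)
            if keygen >= key_generation_threshold:
                reasons.append(f"{keygen} keypair generation/import events in window")
            if not reasons:
                continue
            # File Creation (DC0039) is supporting evidence, not a trigger on its own.
            if any(e.kind == "file_write" for e in window):
                reasons.append("ciphertext staged to file before transmission")
            alerts.append({"app": app, "ts": send.ts, "dest": send.dest,
                           "reasons": reasons})
    return alerts


SAMPLE_EVENTS = [  # constructed telemetry for illustration only
    # Notes app: keypairs generated while locked, data encrypted, staged, sent.
    Event(1000.0, "com.example.notes", "crypto_api", op="keypair_generate",
          app_state="background", device_locked=True),
    Event(1001.0, "com.example.notes", "crypto_api", op="keypair_import",
          app_state="background", device_locked=True),
    Event(1002.0, "com.example.notes", "crypto_api", op="public_key_encrypt",
          app_state="background", device_locked=True),
    Event(1003.0, "com.example.notes", "file_write", app_state="background", size=4096),
    Event(1010.0, "com.example.notes", "net_send", app_state="background",
          dest="203.0.113.10", size=4352),
    # Secure messenger: same shape of activity, but on the allow list.
    Event(2000.0, "com.example.securemsg", "crypto_api", op="keypair_generate",
          app_state="background"),
    Event(2005.0, "com.example.securemsg", "net_send", app_state="background",
          dest="198.51.100.5", size=2048),
    # Shopping app: a single foreground keypair and a send; below every threshold.
    Event(3000.0, "com.example.shop", "crypto_api", op="keypair_generate"),
    Event(3001.0, "com.example.shop", "net_send", dest="192.0.2.20", size=512),
    # Later send with no crypto activity inside the window at all.
    Event(9000.0, "com.example.shop", "net_send", dest="192.0.2.20", size=512),
]


def run_sample():
    return detect(SAMPLE_EVENTS,
                  allowed_crypto_apps=frozenset({"com.example.securemsg"}))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the notes app fires: its crypto calls happened while the device was locked and it generated or imported two keypairs inside the window. The secure messenger is suppressed by AllowedCryptoApps, and the shopping app's single foreground keypair stays below both gates. PayloadSizeVariance is left out of this example because deciding a sensible baseline needs per-app history the constructed data does not contain.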

Indirect evidence of asymmetric cryptographic channel usage, inferred through key-exchange-like network patterns and application background execution behavior where direct observation of keypair operations is limited. Detection correlates app entitlement posture + background execution + asymmetric handshake patterns + subsequent encrypted communication.


| Field | Description |
|---|---|
| TimeWindow | Correlation window between initial communication burst and steady encrypted traffic |
| AllowedAppList | Apps expected to perform asymmetric key exchanges |
| HandshakePatternThreshold | Threshold for identifying asymmetric handshake-like traffic patterns |
| ForegroundStateRequired | Whether communication establishment should occur during user interaction |
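The network-pattern inference described above, as an added worked example that is not part of the original page. Because this analytic cannot see keypair operations directly, it works only from per-exchange flow observations: a leading burst of small bidirectional exchanges (the handshake-like pattern, gated by HandshakePatternThreshold) followed within TimeWindow by steady traffic whose payload samples look encrypted (Shannon entropy near 8 bits/byte), occurring in the background for an app outside AllowedAppList. The `Flow` schema, the `sample` field (a short outbound payload excerpt assumed to be available from the sensor), the burst and entropy thresholds, and all sample flows are constructed assumptions.

```python
import math
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """One observed request/response exchange (constructed schema)."""
    ts: float
    app: str
    dest: str
    bytes_out: int
    bytes_in: int
    sample: bytes            # excerpt of outbound payload captured by the sensor
    app_state: str = "foreground"


def entropy_bits(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_handshake_channels(flows, time_window=600.0, allowed_app_list=frozenset(),
                              handshake_pattern_threshold=3, foreground_state_required=True,
                              small=1024, burst_seconds=10.0, min_steady=3, entropy_floor=6.0):
    """Return one alert per (app, destination) showing handshake-then-encrypted traffic."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.app, f.dest)].append(f)

    alerts = []
    for (app, dest), seq in by_pair.items():
        if app in allowed_app_list:
            continue  # AllowedAppList: key exchanges expected
        seq.sort(key=lambda f: f.ts)
        # Handshake-like burst: leading run of small, bidirectional exchanges
        # that all start within burst_seconds of the first one.
        burst = []
        for f in seq:
            if (0 < f.bytes_in <= small and f.bytes_out <= small
                    and (not burst or f.ts - burst[0].ts <= burst_seconds)):
                burst.append(f)
            else:
                break
        if len(burst) < handshake_pattern_threshold:
            continue
        # Steady traffic: later exchanges inside TimeWindow with encrypted-looking payloads.
        end = burst[-1].ts
        steady = [f for f in seq[len(burst):] if end < f.ts <= end + time_window]
        encrypted = [f for f in steady if entropy_bits(f.sample) >= entropy_floor]
        if len(encrypted) < min_steady:
            continue
        background = any(f.app_state == "background" for f in burst + steady)
        if foreground_state_required and not background:
            continue  # established during user interaction, as expected
        alerts.append({"app": app, "dest": dest, "handshake_exchanges": len(burst),
                       "steady_encrypted_exchanges": len(encrypted),
                       "background": background})
    return alerts


# Constructed sample sessions. Random bytes stand in for ciphertext excerpts.
_rng = random.Random(7)


def _ciphertext_like():
    return bytes(_rng.getrandbits(8) for _ in range(512))


PLAINTEXT_SAMPLE = b'{"headline": "Local weather", "items": [1, 2, 3], "page": 1}'


def _session(app, dest, state, payload_fn):
    burst = [Flow(100.0 + i, app, dest, 200 + 50 * i, 300 + 40 * i, b"", state)
             for i in range(3)]
    steady = [Flow(130.0 + 60 * i, app, dest, 8192, 180, payload_fn(), state)
              for i in range(4)]
    return burst + steady


SAMPLE_FLOWS = (
    _session("com.example.flashlight", "203.0.113.10", "background", _ciphertext_like)
    + _session("com.example.vpn", "198.51.100.5", "background", _ciphertext_like)
    + _session("com.example.news", "192.0.2.20", "background", lambda: PLAINTEXT_SAMPLE)
)


def run_sample():
    return detect_handshake_channels(SAMPLE_FLOWS,
                                     allowed_app_list=frozenset({"com.example.vpn"}))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The flashlight app alone produces an alert: three small round trips, then four large high-entropy sends, all in the background, from an app with no reason to negotiate keys. The VPN client shows the identical pattern but is on AllowedAppList, and the news app's steady traffic is low-entropy JSON, so the entropy gate rejects it. Entropy is a heuristic: compressed media also scores high, so in practice the burst shape, background state and app posture carry more weight than the entropy floor on its own.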