The defender correlates outbound communication from an application or service to legitimate external web platforms with mobile runtime context showing that the communication is inconsistent with the app's approved role, expected destinations, user interaction pattern, or device state. The strongest Android evidence is a managed or installed app communicating with cloud storage, social, messaging, code-hosting, or generic HTTPS web-service infrastructure shortly after background activation, protected-resource use, or local staging activity, especially when the device is locked, user interaction is absent, or the app's historical network baseline does not include that service class.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | VPN:MobileProxy | Application or device component communicates with legitimate external web-service infrastructure such as cloud storage, social media, messaging, collaboration, paste, code-hosting, CDN-backed API, or generic HTTPS service in a pattern inconsistent with the app's approved network baseline, timing, or service class |
| Application State (DC0123) | MobileEDR:telemetry | App communicating with external web service is backgrounded, persistent, recently awakened, or active while device is locked or without recent user interaction in a way inconsistent with expected app behavior |
| File Creation (DC0039) | MobileEDR:telemetry | App stages, buffers, caches, or exports data locally immediately before communication with legitimate external web-service endpoints in a way inconsistent with normal sync or offline workflow |
| OS API Execution (DC0021) | MobileEDR:telemetry | App uses Android framework behaviors associated with background work scheduling, network job execution, IPC/provider access, overlay or accessibility-like interaction, or unusual package visibility immediately adjacent to web-service communication |
| Application Permission (DC0114) | android:MDMLog | App communicating with legitimate web-service infrastructure is unmanaged, newly installed, recently updated, outside approved app list, or shows baseline drift in role, installer source, or expected capability profile |

| Field | Description |
|---|---|
| TimeWindow | Correlation window linking app state, resource use, staging activity, and web-service communication. |
| AllowedAppList | Approved app identities and expected business roles vary by fleet and device group. |
| AllowedServiceClasses | Some organizations legitimately use cloud storage, messaging, or collaboration services from mobile apps. |
| AllowedDestinations | Expected domains, SNI values, CDNs, API endpoints, and redirectors vary by application and tenant. |
| ForegroundStateRequired | Certain apps may legitimately communicate only in foreground, while others support background sync. |
| RecentUserInteractionWindow | Defines how close traffic must be to user activity to be considered expected. |
| BeaconIntervalTolerance | Recurring connection periodicity thresholds vary with push, sync, and collaboration workloads. |
| UplinkBytesThreshold | Data volume threshold for suspicious transfer to legitimate web-service infrastructure. |
| ExpectedBackgroundBehavior | Normal background communication differs across app categories such as mail, chat, navigation, and security tools. |

The defender correlates communication to legitimate external web-service platforms with supervised managed-app context and device-state information showing that the traffic is inconsistent with the app's expected role, background-refresh profile, or user interaction timing. On iOS, the strongest reliable evidence is network telemetry tied to a managed app or device plus app state and supervision context, especially when traffic to social, collaboration, cloud-storage, or generic HTTPS platforms occurs shortly after background activity, while the device is locked, or without expected user-driven foreground execution. Direct low-level framework visibility is weaker than on Android, so primary analytic confidence should be anchored to supervised app context plus network behavior rather than to assumed host-level proof.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | VPN:MobileProxy | Supervised device or managed app communicates with legitimate external web-service infrastructure such as cloud storage, messaging, collaboration, social, paste, or generic HTTPS API platforms in a pattern inconsistent with expected service baseline, managed app role, or normal background refresh behavior |
| Application State (DC0123) | MobileEDR:telemetry | Managed app shows background activity, refresh, or lock-state-adjacent execution temporally aligned to web-service communication without expected foreground use or recent user interaction |
| Application Permission (DC0114) | iOS:MDMLog | Managed app communicating with legitimate web-service infrastructure is newly installed, recently updated, outside expected managed-app set, or displays baseline drift in app role, release path, or business justification |
| OS API Execution (DC0021) | iOS:unifiedlog | Supplemental launch, background task, networking, or extension-handling anomalies occur temporally adjacent to suspicious web-service communication from a managed app or supervised device |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between app state changes and communication with legitimate web-service infrastructure. |
| SupervisedRequired | Strongest app context and managed state analytics depend on supervised iOS devices. |
| AllowedManagedApps | Approved managed apps and expected business use vary by organization and device profile. |
| AllowedServiceClasses | Some managed apps legitimately communicate with collaboration, cloud-storage, or messaging services. |
| AllowedDestinations | Expected Apple, enterprise, SaaS, CDN, and API destinations vary by app and tenant. |
| BackgroundRefreshBaseline | Normal background network behavior differs across mail, chat, navigation, and enterprise apps. |
| RecentUserInteractionWindow | Defines how close traffic must be to user activity to be considered expected. |
| BeaconIntervalTolerance | Allowed periodicity for sync, push, and refresh traffic varies across app categories. |
| UplinkBytesThreshold | Threshold for suspicious transfer volume to legitimate web-service platforms. |
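The correlation described for both the Android and iOS analytics above, as an added example that is not part of the original page: one network event is scored against app-state, file-staging and user-interaction telemetry using the mutable elements (TimeWindow, RecentUserInteractionWindow, UplinkBytesThreshold, AllowedServiceClasses, AllowedDestinations) as tunable parameters. Package names, hostnames, thresholds and sample telemetry are constructed assumptions; on iOS the same logic applies, with AppState sourced from supervised-device context and BackgroundRefreshBaseline folded into the per-app allowed service classes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tunable values standing in for the analytic's mutable elements (constructed).
TIME_WINDOW = timedelta(minutes=2)               # TimeWindow
RECENT_INTERACTION = timedelta(minutes=5)        # RecentUserInteractionWindow
UPLINK_BYTES_THRESHOLD = 256 * 1024              # UplinkBytesThreshold
# AllowedDestinations: destination -> service class (hypothetical hostnames).
SERVICE_CLASS = {"drive.example-cloud.test": "cloud_storage",
                 "push.example-chat.test": "messaging"}
# AllowedServiceClasses per app (hypothetical package names; notes app has no web-service role).
ALLOWED = {"com.example.chat": {"messaging"}, "com.example.notes": set()}

@dataclass
class NetEvent:   # Network Traffic Content (VPN:MobileProxy)
    ts: datetime; app: str; dest: str; uplink_bytes: int
@dataclass
class AppState:   # Application State (MobileEDR:telemetry)
    ts: datetime; app: str; foreground: bool; device_locked: bool
@dataclass
class FileEvent:  # File Creation (MobileEDR:telemetry): local staging/export
    ts: datetime; app: str

def assess(net, states, file_events, user_touches):
    """Return anomaly reasons for one network event; an empty list means baseline-consistent."""
    reasons = []
    svc = SERVICE_CLASS.get(net.dest, "unknown_https")
    if svc not in ALLOWED.get(net.app, set()):
        reasons.append(f"service class '{svc}' outside app baseline")
    # Most recent app-state snapshot for this app at or before the traffic.
    prior = [s for s in states if s.app == net.app and s.ts <= net.ts]
    if prior:
        state = max(prior, key=lambda s: s.ts)
        if not state.foreground or state.device_locked:
            reasons.append("background or locked-device execution")
    if not any(net.ts - RECENT_INTERACTION <= t <= net.ts for t in user_touches):
        reasons.append("no user interaction within window")
    if any(f.app == net.app and net.ts - TIME_WINDOW <= f.ts <= net.ts
           for f in file_events):
        reasons.append("local staging immediately before upload")
    if net.uplink_bytes >= UPLINK_BYTES_THRESHOLD:
        reasons.append("uplink volume over threshold")
    return reasons

# Constructed sample: a notes app uploads 4 MB to cloud storage at 02:00 on a
# locked device, 30 s after writing a local file, with last user touch 3 h earlier.
T0 = datetime(2024, 1, 1, 2, 0)
SUSPECT = NetEvent(T0, "com.example.notes", "drive.example-cloud.test", 4_000_000)
CONTEXT = dict(states=[AppState(T0 - timedelta(minutes=1), "com.example.notes", False, True)],
               file_events=[FileEvent(T0 - timedelta(seconds=30), "com.example.notes")],
               user_touches=[T0 - timedelta(hours=3)])
```

Requiring several independent reasons before alerting (for example three or more) keeps a single noisy field such as byte volume from paging on legitimate sync traffic.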