Defender correlates an application gaining/retaining fine or background location capability with subsequent location sensor sessions that occur while the app is backgrounded or the device is locked, followed by repeated location reads at a periodic cadence and near-term outbound connections to domains not typical for fleet navigation/MDM services, indicating covert location tracking.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | android:logcat | Application invokes LocationManager, FusedLocationProviderClient, or GPS/location sensor APIs |
| Process Access (DC0035) | EDR:telemetry | Sustained or high-frequency location sensor access, including background location usage |
| Application Permission (DC0114) | android:MDMLog | Application granted/retaining ACCESS_FINE_LOCATION and/or ACCESS_COARSE_LOCATION; background location capability present (ACCESS_BACKGROUND_LOCATION on Android 10+) |

| Field | Description |
|---|---|
| LocationSamplingFrequencyThreshold | Defines acceptable rate of location queries before triggering anomaly conditions |
| BackgroundLocationPolicy | Baseline of legitimate background location usage across applications |
| LocationToNetworkTimeWindow | Temporal linkage between location access and outbound traffic |
| UserInteractionWindow | Maximum time since last user interaction before location access becomes suspicious |
| AllowedLocationApps | Allow-list of expected location-heavy apps (maps, rideshare, fleet apps) for the enterprise device population |
| DevicePolicySensitivity | Tuning for how aggressively to treat background location permission as risky depending on org policy |
| AllowedDestinationsBaseline | Baseline of expected domains/IPs for legitimate location services (OEM, mapping SDKs, MDM endpoints) to reduce false positives |

Defender correlates an application’s location authorization level (When-In-Use vs Always) and entitlement posture with observed location sensor activity that occurs without proximate user interaction, including background updates, followed by periodic outbound network sessions aligned to location update timing—suggesting covert or policy-violating location tracking.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | iOS:unifiedlog | Application activates CoreLocation services or CLLocationManager APIs |
| Application Permission (DC0114) | iOS:MDMLog | App installed with location usage declarations (WhenInUse/Always usage description) and granted authorization level via managed policy state |

| Field | Description |
|---|---|
| ForegroundLocationExpectation | Defines legitimate location usage relative to app state |
| LocationAccessDurationThreshold | Baseline deviation tolerance for sustained location tracking |
| LocationToTransmissionWindow | Temporal threshold linking location access to network activity |
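As an added example (not part of the original page), the correlation described in both the Android and iOS strategies above, run over constructed normalized events: the tunables map onto the mutable elements, and the app names, hosts, thresholds and line format are assumptions made for the demo.

```python
from datetime import datetime, timedelta
# Tunables mirroring the mutable elements above; the values are demo assumptions.
ALLOWED_LOCATION_APPS = {"com.example.fleetnav"}      # AllowedLocationApps (hypothetical app)
ALLOWED_DESTINATIONS = {"mdm.example.com"}            # AllowedDestinationsBaseline (hypothetical)
USER_INTERACTION_WINDOW = timedelta(minutes=10)       # UserInteractionWindow
LOCATION_TO_NETWORK_WINDOW = timedelta(seconds=60)    # LocationToNetworkTimeWindow
SAMPLING_THRESHOLD = 3                                # LocationSamplingFrequencyThreshold (reads per app)
LOCATION_GRANTS = {"ACCESS_FINE_LOCATION", "ACCESS_BACKGROUND_LOCATION", "Always"}

def parse(line):
    """Normalized line '<iso-ts> <app> <kind> <detail>'; kind is permission|interaction|location|network."""
    ts, app, kind, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), app, kind, detail

def detect(lines):
    """Return (app, background_read_count, suspicious_hosts) for each app matching the pattern."""
    by_app, alerts = {}, []
    for ts, app, kind, detail in sorted(map(parse, lines)):
        by_app.setdefault(app, []).append((ts, kind, detail))
    for app, evs in by_app.items():
        if app in ALLOWED_LOCATION_APPS:              # expected location-heavy app
            continue
        if not LOCATION_GRANTS & {d for _, k, d in evs if k == "permission"}:
            continue                                   # no fine/background/Always grant observed
        last_touch, reads = None, []
        for ts, kind, _ in evs:
            if kind == "interaction":
                last_touch = ts
            elif kind == "location" and (last_touch is None or ts - last_touch > USER_INTERACTION_WINDOW):
                reads.append(ts)                       # read with no proximate user interaction
        if len(reads) < max(SAMPLING_THRESHOLD, 2):
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(reads, reads[1:])]
        periodic = max(gaps) - min(gaps) <= 0.2 * max(gaps)   # near-constant cadence
        hosts = sorted({d for ts, k, d in evs if k == "network" and d not in ALLOWED_DESTINATIONS
                        and any(timedelta(0) <= ts - r <= LOCATION_TO_NETWORK_WINDOW for r in reads)})
        if periodic and hosts:                         # reads feed near-term non-baseline egress
            alerts.append((app, len(reads), hosts))
    return alerts

# Constructed sample telemetry (not real device logs): a covert tracker plus an allow-listed fleet app.
SAMPLE_LOG = """\
2024-05-01T08:00:00 com.example.weather permission ACCESS_BACKGROUND_LOCATION
2024-05-01T08:00:05 com.example.weather interaction screen_tap
2024-05-01T08:30:00 com.example.weather location FusedLocationProviderClient
2024-05-01T08:30:20 com.example.weather network collector.example.net
2024-05-01T08:35:00 com.example.weather location FusedLocationProviderClient
2024-05-01T08:35:20 com.example.weather network collector.example.net
2024-05-01T08:40:00 com.example.weather location FusedLocationProviderClient
2024-05-01T08:40:20 com.example.weather network collector.example.net
2024-05-01T08:31:00 com.example.fleetnav location FusedLocationProviderClient
""".splitlines()
```

Running `detect(SAMPLE_LOG)` flags only the weather app; removing its permission grant, or adding a screen tap shortly before each read, clears the alert.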