Defender observes an app enumerating installed security/management controls (AV/EDR/MDM/VPN/Play Protect) via PackageManager, DevicePolicyManager, AppOps and Settings queries or shell `pm list` usage, optionally probing Accessibility/Device Admin state. Enumeration is followed by creation of a local inventory artifact and/or a small egress. Chain: capability to query → burst of security-focused checks (packages/permissions/policies) → optional foreground-app targeting (timing the checks to window-state changes) → artifact write → quick POST.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | android:logcat | getInstalledPackages/getPackagesHoldingPermissions with filters for known security/MDM/VPN package names. Queries to isDeviceOwnerApp/isProfileOwnerApp/getActiveAdmins/getPermissionGrantState. Requests list of enabled services or monitors TYPE_WINDOW_STATE_CHANGED to time checks |
| Command Execution (DC0064) | android:logcat | Command 'pm list packages' executed by app sandbox or child proc |
| Process Access (DC0035) | android:logcat | Reads/queries ops for PACKAGE_USAGE_STATS, QUERY_ALL_PACKAGES, BIND_DEVICE_ADMIN, BIND_VPN_SERVICE |
| Application Log Content (DC0038) | android:logcat | Secure/Global reads of device_policy_manager, accessibility_enabled, default_vpn, always_on_vpn |
| File Creation (DC0039) | android:logcat | CREATE/WRITE /data/data/ |

| Field | Description |
|---|---|
| TimeWindowSeconds | Max time from discovery burst to persist/exfil (e.g., 10–120s). |
| MinEnumCount | Minimum API calls/rows indicating inventory (e.g., ≥30 in 10s). |
| SecurityTargetsList | Regex/prefix list of AV/EDR/MDM/VPN packages & services to elevate severity. |
| PersistPathRegex | Regex for local inventory artifacts (DB/JSON/TXT) in app container. |
| ExfilDomainAllowlist | Allowlisted analytics/endpoints to suppress FPs. |
| WorkProfileOnly | Scope to Work Profile events to reduce personal-profile noise. |

Defender correlates app attempts to enumerate or infer security/management tooling (ManagedConfiguration/MDM presence, VPN/NEFilter configuration, AV/EDR app presence via LaunchServices or URL-scheme probing, private APIs) with local inventory persistence and egress. Chain: probe (MDM/NE/VPN/AV presence) → burst of LaunchServices/canOpenURL/ManagedConfiguration calls → inventory cache write → small POST.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | iOS:unifiedlog | Queries indicating MDM profile presence, supervised state, restrictions read. LSApplicationWorkspace enumeration or app proxy queries referencing security vendors |
| File Creation (DC0039) | iOS:unifiedlog | CREATE/WRITE of /Library/Caches/security_inventory.*\.(json\|plist\|db) |

| Field | Description |
|---|---|
| TimeWindowSeconds | Max time from probe burst to persist/exfil (e.g., 10–120s). |
| MinProbeCount | Minimum API/probe count to flag (e.g., ≥25/10s). |
| SecurityTargetsList | Schemes/bundle IDs for AV/EDR/MDM/VPN vendors (regex/prefix). |
| PersistPathRegex | Regex for inventory artifacts in app/extension containers. |
| ExfilDomainAllowlist | Known-good analytics/CDN allowlist. |
| JailbreakContext | Escalate severity if private APIs used on non-managed devices. |
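Both platform chains above (Android: query burst → artifact write → quick POST; iOS: probe burst → inventory cache write → small POST) reduce to the same correlation, so the following is one added worked example, written for this page and not part of it or of ATT&CK, that implements the chain in Python with the mutable elements from both field tables as parameters. The events are constructed, normalized telemetry records rather than real logcat or unified-log output; every app/package name, URL scheme, host (`*.invalid`, `*.allowed.example`), path and the 4096-byte "small POST" threshold are assumptions, and the `private_api`/`managed` event flags are a placeholder for whatever the collector supplies to drive JailbreakContext.

```python
"""Correlate a discovery burst with inventory persistence and small egress (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

DISCOVERY_KINDS = {"api", "cmd", "appop", "settings"}  # DC0021, DC0064, DC0035, DC0038
BURST_WINDOW_SECONDS = 10.0  # the "in 10s" sub-window used by the MinEnumCount/MinProbeCount examples


@dataclass
class Params:
    time_window_seconds: float      # TimeWindowSeconds: burst start -> persist/exfil deadline
    min_enum_count: int             # MinEnumCount (Android) / MinProbeCount (iOS)
    security_targets: list          # SecurityTargetsList: regexes that raise severity
    persist_path_regex: str         # PersistPathRegex
    exfil_domain_allowlist: set     # ExfilDomainAllowlist
    work_profile_only: bool = False  # WorkProfileOnly (Android)
    jailbreak_context: bool = False  # JailbreakContext (iOS)
    max_post_bytes: int = 4096       # assumed upper bound for a "small POST"


def allowlisted(url, allowlist):
    """True if the URL's host is an allowlisted domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in allowlist)


def burst_start(times, min_count, window):
    """Earliest start of a sliding window holding >= min_count discovery events, else None."""
    times = sorted(times)
    j = 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        if i - j + 1 >= min_count:
            return times[j]
    return None


def correlate(events, params):
    """One alert per app whose discovery burst is followed by an inventory write and/or small POST."""
    by_app = defaultdict(list)
    for e in events:
        if params.work_profile_only and not e.get("work_profile"):
            continue  # scope to Work Profile events to cut personal-profile noise
        by_app[e["app"]].append(e)
    alerts = []
    for app, evs in by_app.items():
        disc = [e for e in evs if e["kind"] in DISCOVERY_KINDS]
        start = burst_start([e["t"] for e in disc], params.min_enum_count, BURST_WINDOW_SECONDS)
        if start is None:
            continue
        in_win = [e for e in evs if start <= e["t"] <= start + params.time_window_seconds]
        writes = [e["detail"] for e in in_win if e["kind"] == "file"
                  and re.search(params.persist_path_regex, e["detail"])]
        posts = [e["detail"] for e in in_win if e["kind"] == "net"
                 and e.get("bytes", 0) <= params.max_post_bytes
                 and not allowlisted(e["detail"], params.exfil_domain_allowlist)]
        if not writes and not posts:
            continue  # a burst alone is too noisy; require persistence and/or egress
        targets = sorted({e["detail"] for e in disc
                          if any(re.search(p, e["detail"]) for p in params.security_targets)})
        severity = "high" if targets else "medium"
        if params.jailbreak_context and any(e.get("private_api") and not e.get("managed") for e in disc):
            severity = "critical"  # private APIs on a non-managed device
        alerts.append({"app": app, "severity": severity, "burst_start": start,
                       "security_targets": targets, "writes": writes, "posts": posts})
    return alerts


def ev(t, app, kind, detail, **extra):
    return {"t": t, "app": app, "kind": kind, "detail": detail, **extra}


# Constructed parameters (thresholds lowered for the sample; the page's example is >=30 in 10s).
ANDROID = Params(120.0, 6, [r"com\.example\.(edr|mdm|vpn)", r"BIND_DEVICE_ADMIN", r"always_on_vpn"],
                 r"^/data/data/[^/]+/.*\.(db|json|txt)$", {"analytics.allowed.example"})
IOS = Params(120.0, 5, [r"example-(edr|mdm|vpn)://", r"NEVPNManager", r"MDM"],
             r"/Library/Caches/security_inventory.*\.(json|plist|db)$", {"cdn.allowed.example"},
             jailbreak_context=True)

# Constructed, normalized events (not real logcat/unifiedlog lines). App and host names are placeholders.
ANDROID_EVENTS = [
    ev(0.0, "com.example.inventory", "api", "getInstalledPackages(MATCH_ALL)"),
    ev(0.4, "com.example.inventory", "api", "getPackagesHoldingPermissions(BIND_DEVICE_ADMIN)"),
    ev(0.9, "com.example.inventory", "api", "isDeviceOwnerApp(com.example.mdm)"),
    ev(1.3, "com.example.inventory", "api", "getActiveAdmins()"),
    ev(1.8, "com.example.inventory", "appop", "noteOp(QUERY_ALL_PACKAGES)"),
    ev(2.2, "com.example.inventory", "settings", "Settings.Secure.accessibility_enabled"),
    ev(2.6, "com.example.inventory", "settings", "Settings.Global.always_on_vpn"),
    ev(3.1, "com.example.inventory", "cmd", "pm list packages"),
    ev(3.5, "com.example.inventory", "api", "getPackageInfo(com.example.edr)"),
    ev(20.0, "com.example.inventory", "file", "/data/data/com.example.inventory/files/inventory.json"),
    ev(24.0, "com.example.inventory", "net", "https://collector.unknown.invalid/u", bytes=1536),
    # benign app: two queries, a cache write that does not match, and a POST to an allowlisted host
    ev(5.0, "com.example.news", "api", "getInstalledPackages(0)"),
    ev(5.5, "com.example.news", "settings", "Settings.Secure.android_id"),
    ev(6.0, "com.example.news", "file", "/data/data/com.example.news/cache/http/journal"),
    ev(7.0, "com.example.news", "net", "https://analytics.allowed.example/v1", bytes=700),
]
IOS_EVENTS = [
    ev(100.0, "com.example.probe", "api", "MDM enrollment/supervision state read", private_api=True, managed=False),
    ev(100.5, "com.example.probe", "api", "LSApplicationWorkspace app enumeration", private_api=True, managed=False),
    ev(101.0, "com.example.probe", "api", "canOpenURL(example-edr://)"),
    ev(101.4, "com.example.probe", "api", "canOpenURL(example-vpn://)"),
    ev(101.9, "com.example.probe", "api", "NEVPNManager.loadFromPreferences"),
    ev(102.3, "com.example.probe", "api", "ManagedConfiguration restrictions read"),
    ev(140.0, "com.example.probe", "file",
       "/private/var/mobile/Containers/Data/Application/APP-UUID-PLACEHOLDER/Library/Caches/security_inventory.plist"),
    ev(150.0, "com.example.probe", "net", "https://ingest.unknown.invalid/p", bytes=900),
]


def run():
    """Correlate both constructed samples; returns (android_alerts, ios_alerts)."""
    return correlate(ANDROID_EVENTS, ANDROID), correlate(IOS_EVENTS, IOS)


if __name__ == "__main__":
    for alerts in run():
        for a in alerts:
            print(a["severity"], a["app"], a["security_targets"], a["writes"], a["posts"])
```

The sliding window in `burst_start` is what keeps this from firing on an app that spreads a few package queries over a session; the persistence/egress requirement is what suppresses the benign analytics SDK in the Android sample, which never reaches the count and posts only to an allowlisted host. In production the `detail` field would be whatever the logcat or unified-log collector normalizes the call, op, settings key, path or URL into, and `security_targets` would carry the real vendor package, bundle and scheme prefixes.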