Defender observes an app (package/UID) issuing high-rate directory or content-index enumerations against external/shared storage or other apps’ Documents/Media providers (logcat:ContentResolver, logcat:StorageAccessFramework), followed within a short window by bulk READ handles or stat/list calls over many distinct paths (logcat:FileIO). Activity occurs without foreground UI or exceeds the typical per-app baseline, indicating automated file/directory discovery rather than user-driven browsing. Correlate on package/UID/profile and time proximity.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | android:logcat | query() against MediaStore/DocumentsContract URIs (Images/Video/Audio/Downloads/DocumentTree) |
| Application Log Content (DC0038) | android:logcat | ACTION_OPEN_DOCUMENT_TREE / ACTION_OPEN_DOCUMENT invoked without user gesture or repeatedly in background |
| File Access (DC0055) | android:logcat | READ/LIST/STAT of /sdcard, /storage/emulated/0, /Android/media or /Documents with >N distinct paths in TimeWindow |
| Application Permission (DC0114) | android:logcat | READ_EXTERNAL_STORAGE / MANAGE_EXTERNAL_STORAGE permission present or toggled at runtime |

| Field | Description |
|---|---|
| TimeWindowSeconds | Time window to correlate API queries with file listings (e.g., 30–300s). |
| MinDistinctPaths | Minimum unique paths accessed to qualify as discovery (e.g., ≥50). |
| BackgroundOnly | Require app to be backgrounded to reduce user-driven noise. |
| TargetPathRegex | Scope to enterprise-relevant locations (e.g., /Documents, /Android/media/). |
| AllowlistedPackages | Backup/DLP/security apps expected to enumerate broadly. |
| ProfileScope | Limit to Work Profile to reduce personal data noise. |

Defender observes an app (bundle/process) performing large-scope directory listings or metadata reads via FileProvider/NSFileManager against user-visible containers (Files app locations, iCloud/On My iPhone) or external providers, with rapid traversal across many folders while the app is backgrounded or without corresponding UI activity (unifiedlogs:FileProvider, unifiedlogs:FileIO). Optional signals include Photo library or document picker bulk enumeration absent a recent user gesture. Correlate on bundle/process/profile and path volume within a bounded window.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | iOS:unifiedlog | enumeratorForContainerItemIdentifier / itemForIdentifier across multiple containers/providers |
| File Access (DC0055) | iOS:unifiedlog | readdir/stat/read of /private/var/mobile/Containers/Shared/AppGroup, /Library/Mobile Documents or the "On My iPhone" location with >N distinct paths in TimeWindow |
| Application Log Content (DC0038) | iOS:unifiedlog | UIDocumentPickerViewController presented repeatedly without foreground interaction or with short dwell time |

| Field | Description |
|---|---|
| TimeWindowSeconds | Correlation window between enumeration API calls and path bursts (e.g., 30–300s). |
| MinDistinctPaths | Minimum number of unique paths to flag discovery (e.g., ≥40). |
| TargetPathRegex | Enterprise-relevant containers/providers to include/exclude. |
| RequireBackgroundState | Set true to require background discovery for higher confidence. |
| AllowlistedBundles | Legitimate backup/DLP/file-management apps to suppress. |
| ManagedProfileScope | Limit to managed devices/profiles. |
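The correlation both analytics describe (an enumeration call, then a burst of distinct target paths from the same subject inside TimeWindowSeconds, gated by the background, allowlist and path-scope fields) as an added example that is not part of the original page. It runs over constructed events rather than real logcat or unified-log lines, and the package/bundle names, paths and event schema are assumptions made for the illustration; the same function serves the Android analytic (package/UID) and the iOS analytic (bundle) because only the threshold values differ.

```python
import re
from collections import defaultdict

# Constructed sample events (not real logcat or unified-log output); t is seconds.
# kind "enum" = provider/content-index enumeration, "file" = READ/LIST/STAT of one path.
def _burst(subject, t0, bg, prefix, n):
    return [{"t": t0 + i, "subject": subject, "kind": "file", "bg": bg,
             "path": f"{prefix}/f{i}.pdf"} for i in range(n)]

EVENTS = (
    # Android app: MediaStore query while backgrounded, then 60 distinct Documents paths
    [{"t": 0, "subject": "com.example.grabber", "kind": "enum", "bg": True, "path": ""}]
    + _burst("com.example.grabber", 1, True, "/storage/emulated/0/Documents", 60)
    # Foreground gallery app opening a handful of files: user-driven noise
    + [{"t": 0, "subject": "com.example.gallery", "kind": "enum", "bg": False, "path": ""}]
    + _burst("com.example.gallery", 1, False, "/storage/emulated/0/Documents", 5)
    # Allowlisted backup agent expected to enumerate broadly
    + [{"t": 0, "subject": "com.vendor.backup", "kind": "enum", "bg": True, "path": ""}]
    + _burst("com.vendor.backup", 1, True, "/storage/emulated/0/Documents", 80)
    # iOS bundle: container enumeration while backgrounded, then 45 iCloud Drive paths
    + [{"t": 500, "subject": "com.example.ios.grabber", "kind": "enum", "bg": True, "path": ""}]
    + _burst("com.example.ios.grabber", 501, True, "/Library/Mobile Documents/docs", 45)
)

def detect_discovery(events, time_window=120, min_distinct_paths=50, background_only=True,
                     target_path_regex=r"/Documents|/Android/media|/Library/Mobile Documents",
                     allowlist=frozenset({"com.vendor.backup"})):
    """Map subject (package/UID or bundle) -> largest distinct-path burst that followed
    an enumeration call within time_window and met the thresholds (empty if none)."""
    target = re.compile(target_path_regex)          # TargetPathRegex
    by_subject = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):  # correlate per package/UID or bundle
        by_subject[e["subject"]].append(e)
    hits = {}
    for subject, evs in by_subject.items():
        if subject in allowlist:
            continue                                 # AllowlistedPackages / AllowlistedBundles
        for anchor in (e for e in evs if e["kind"] == "enum"):
            if background_only and not anchor["bg"]:
                continue                             # BackgroundOnly / RequireBackgroundState
            paths = {e["path"] for e in evs          # distinct in-scope paths inside the window
                     if e["kind"] == "file"
                     and anchor["t"] <= e["t"] <= anchor["t"] + time_window
                     and target.search(e["path"])}
            if len(paths) >= min_distinct_paths:     # MinDistinctPaths
                hits[subject] = max(hits.get(subject, 0), len(paths))
    return hits

if __name__ == "__main__":
    print(detect_discovery(EVENTS))  # {'com.example.grabber': 60}
```

With the Android default of 50 paths only the backgrounded Android app is flagged; lowering MinDistinctPaths to the iOS value of 40 also surfaces the iOS bundle, while the allowlisted backup agent and the foreground gallery app stay suppressed.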