The defender correlates repeated inbound retrieval and outbound submission activity by the same Android app identity to the same legitimate public web-service class within a short operational window, where the two-way exchange is inconsistent with the app's approved role, interaction model, or background behavior baseline. The strongest Android evidence is app-attributed communication to collaboration, social, cloud storage, code-hosting, messaging, or generic HTTPS platforms where requests that retrieve content are followed by app-attributed posts, uploads, document updates, API writes, or repeated small bidirectional exchanges, especially when they occur while the app is backgrounded, while the device is locked, without recent user interaction, or shortly after local staging or protected-resource access.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | VPN:MobileProxy | App-attributed session to public web-service domain included inbound content retrieval followed by outbound POST, PUT, upload, comment, message send, document update, or API write to same service class within TimeWindow |
| | VPN:MobileProxy | Repeated alternating inbound and outbound sessions to same public web-service domain or API endpoint occurred from same app identity with stable recurrence interval |
| | VPN:MobileProxy | Outbound write operation to public web-service domain occurred after small inbound response retrieval from same domain or service class without preceding user-visible foreground activity |
| Application State (DC0123) | MobileEDR:telemetry | AppState=background when bidirectional exchange with public web-service domain began and no foreground transition occurred between retrieval and outbound write |
| | MobileEDR:telemetry | DeviceLockState=locked during inbound retrieval and subsequent outbound write sequence to public web-service platform |
| | MobileEDR:telemetry | LastUserInteractionDelta exceeded threshold before retrieve-then-write exchange to public web-service domain from same app identity |
| File Creation (DC0039) | MobileEDR:telemetry | Burst write to cache, buffer, temp, staging, or export path occurred between inbound retrieval and outbound write to same public web-service class |
| OS API Execution (DC0021) | MobileEDR:telemetry | Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded retrieve-then-write exchange with public web-service platform |
| Application Permission (DC0114) | android:MDMLog | App identity performing bidirectional exchange was unmanaged, outside approved app baseline, or not permitted to use detected public web-service class for read/write operations |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between retrieval and outbound write over the same web-service class. |
| AllowedAppList | Approved app identities vary by organization, business unit, and device group. |
| AllowedServiceClasses | Some apps legitimately perform read/write operations against collaboration, storage, or messaging services. |
| AllowedReadWriteMappings | Defines which apps are expected to both retrieve and submit content to a given public service class. |
| RecentUserInteractionWindow | Defines how close the bidirectional exchange must be to user activity to be considered expected. |
| BeaconIntervalTolerance | Allowed recurrence interval for repeated bidirectional exchanges varies by app type. |
| ForegroundStateRequired | Some apps should only perform read/write web interactions while foregrounded. |
| InboundOutboundRatioThreshold | Expected ratio of response size to outbound write size varies by legitimate app workflow. |
The defender correlates repeated retrieval and outbound submission activity from a supervised device or managed iOS app to the same legitimate public web-service class where the two-way exchange does not fit the bundle's approved role or expected background-refresh model. The strongest iOS evidence is managed-app or device-attributed communication to collaboration, storage, messaging, social, or generic HTTPS platforms where inbound content fetches are followed by outbound writes, uploads, updates, or message submissions within a short window, especially when occurring during background refresh, while the device is locked, or without recent user interaction. Because direct local runtime visibility is weaker than on Android, the primary analytic is anchored on network directionality plus supervised managed-app and device-state context.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | VPN:MobileProxy | App-attributed session to public web-service domain included inbound content retrieval followed by outbound POST, PUT, upload, comment, message send, document update, or API write to same service class within TimeWindow |
| | VPN:MobileProxy | Repeated alternating inbound and outbound sessions to same public web-service domain or API endpoint occurred from same app identity with stable recurrence interval |
| | VPN:MobileProxy | Outbound write operation to public web-service domain occurred after small inbound response retrieval from same domain or service class without preceding user-visible foreground activity |
| Application State (DC0123) | MobileEDR:telemetry | DeviceLockState=locked during inbound retrieval and subsequent outbound write sequence to public web-service platform |
| | MobileEDR:telemetry | LastUserInteractionDelta exceeded threshold before retrieve-then-write exchange to public web-service domain from same app identity |
| | MobileEDR:telemetry | BackgroundRefresh or background activity was active when retrieve-then-write exchange with public web-service domain occurred |
| Application Permission (DC0114) | iOS:MDMLog | Bundle performing bidirectional exchange was not present in approved managed-app baseline or was not permitted to use detected public web-service class for read/write operations |
| OS API Execution (DC0021) | iOS:unifiedlog | Background task, networking, or app-activation subsystem event occurred immediately before or during retrieve-then-write exchange with public web-service platform |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between retrieval and outbound write over the same public web-service class. |
| SupervisedRequired | Strongest app-governance and bundle-baseline analytics depend on supervised iOS devices. |
| AllowedManagedApps | Approved managed bundle identities vary by organization and device profile. |
| AllowedServiceClasses | Some managed apps legitimately perform bidirectional exchanges with collaboration, storage, or messaging services. |
| AllowedReadWriteMappings | Defines which bundles are expected to both retrieve and submit content to a given public service class. |
| BackgroundRefreshBaseline | Expected background read/write network behavior differs across managed app categories. |
| RecentUserInteractionWindow | Defines how close the bidirectional exchange must be to user activity to be considered expected. |
| BeaconIntervalTolerance | Allowed recurrence interval for repeated bidirectional exchanges varies by bundle type. |
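Added example, not part of this detection strategy page: a Python sketch of the retrieve-then-write correlation and stable-recurrence check that both the Android and iOS analytics above describe, run over constructed proxy and device-state records. The thresholds, the app and service-class identifiers, the record schemas, and the `state_at` lookup callback are all assumptions standing in for the mutable elements and log sources listed in the tables.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
# Thresholds standing in for the page's mutable elements (constructed values)
TIME_WINDOW = 120                 # seconds between retrieval and outbound write
RECENT_USER_INTERACTION = 300     # seconds since last user input; beyond this the exchange is unexpected
BEACON_INTERVAL_TOLERANCE = 0.15  # max coefficient of variation for a "stable" recurrence
ALLOWED_READ_WRITE = {("com.example.collab", "collaboration")}  # AllowedReadWriteMappings
WRITE_METHODS = {"POST", "PUT", "PATCH"}

@dataclass
class Flow:   # one app-attributed proxy record (VPN:MobileProxy); constructed schema
    ts: int; app: str; service_class: str; method: str; bytes_in: int; bytes_out: int
@dataclass
class State:  # device/app context at a timestamp (MobileEDR:telemetry); constructed schema
    background: bool; locked: bool; last_interaction_delta: int

def find_exchanges(flows, state_at):
    """Pair each retrieval with the next write by the same app to the same service class inside TIME_WINDOW."""
    alerts, pending = [], {}
    for f in sorted(flows, key=lambda x: x.ts):
        key = (f.app, f.service_class)
        if f.method == "GET":
            pending[key] = f                     # latest retrieval per app/service class
        elif f.method in WRITE_METHODS and key in pending:
            get = pending.pop(key)
            if f.ts - get.ts > TIME_WINDOW:      # write too late to correlate
                continue
            s, reasons = state_at(f.ts), []
            if key not in ALLOWED_READ_WRITE: reasons.append("unapproved_mapping")
            if s.background: reasons.append("background")
            if s.locked: reasons.append("locked")
            if s.last_interaction_delta > RECENT_USER_INTERACTION: reasons.append("no_recent_interaction")
            if reasons:
                alerts.append({"app": f.app, "class": f.service_class, "get_ts": get.ts,
                               "write_ts": f.ts, "reasons": reasons})
    return alerts

def stable_recurrence(write_timestamps):
    """True when at least three write intervals recur with low jitter (BeaconIntervalTolerance)."""
    gaps = [b - a for a, b in zip(write_timestamps, write_timestamps[1:])]
    return len(gaps) >= 3 and pstdev(gaps) / mean(gaps) <= BEACON_INTERVAL_TOLERANCE

# Constructed sample: an unapproved app polls a social platform every ~10 min while the
# device is locked and idle, posting back shortly after each small retrieval.
FLOWS = [Flow(t + d, "com.example.weather", "social", m, bi, bo)
         for t in (0, 603, 1198, 1802)
         for d, m, bi, bo in ((0, "GET", 512, 120), (20, "POST", 80, 4096))]
LOCKED_IDLE = State(background=True, locked=True, last_interaction_delta=5400)
ALERTS = find_exchanges(FLOWS, lambda ts: LOCKED_IDLE)
BEACONING = stable_recurrence([a["write_ts"] for a in ALERTS])
```

An approved app exercising a permitted read/write mapping while foregrounded and recently used produces no alert, which is how AllowedReadWriteMappings and RecentUserInteractionWindow suppress the expected case.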