The defender correlates app-attributed outbound sessions in which application-layer indicators (a TLS handshake, an HTTP method and header pattern, DNS query semantics, a WebSocket upgrade, or similar) are observed on a destination port outside the approved baseline for that protocol and app role. The protocol must be identified from the traffic content itself, not inferred from the port, because the analytic is precisely the mismatch between the two. The strongest Android evidence is repeated or persistent app-attributed traffic carrying recognizable HTTPS, HTTP, DNS, WebSocket or other application behavior over an uncommon destination port, especially while the app is backgrounded, the device is locked, or no recent user interaction has occurred, or when the app is unmanaged or not approved for that protocol-to-port pairing.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | VPN:MobileProxy | TLS handshake, HTTP method/header pattern, or WebSocket upgrade observed on a destination port outside the approved port set for the detected protocol during an app-attributed outbound session |
| Network Traffic Content (DC0085) | VPN:MobileProxy | Repeated app-attributed sessions to the same destination or service class used a non-standard destination port with a stable recurrence interval or persistent connection behavior |
| Network Traffic Content (DC0085) | VPN:MobileProxy | Destination port not in the approved protocol-to-port mapping for the app identity or service class, and the session did not match a known enterprise proxy, relay, or developer tooling exception |
| Application State (DC0123) | MobileEDR:telemetry | AppState=background when the non-standard-port session began, with no foreground transition during the repeated or persistent connection sequence |
| Application State (DC0123) | MobileEDR:telemetry | DeviceLockState=locked during an outbound session using a non-standard protocol-to-port pairing |
| Application State (DC0123) | MobileEDR:telemetry | LastUserInteractionDelta exceeded the threshold before an app-attributed session using a non-standard protocol-to-port pairing |
| OS API Execution (DC0021) | MobileEDR:telemetry | Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded an outbound session using a non-standard protocol-to-port pairing |
| Application Permission (DC0114) | iOS:MDMLog | App identity using the non-standard protocol-to-port pairing was unmanaged, outside the approved app baseline, or not permitted to communicate using the detected protocol/service over the observed destination port |
| Field | Description |
|---|---|
| AllowedProtocolPortMappings | Approved protocol-to-port pairings vary by app, business workflow, proxy architecture, and enterprise policy. |
| AllowedAppList | Approved app identities vary by organization, role, and device group. |
| AllowedServiceClasses | Expected external service classes differ across app categories and enterprise mobile workflows. |
| TimeWindow | Correlation window linking non-standard-port sessions with lifecycle, framework, or local state changes. |
| RecentUserInteractionWindow | Defines how close a session must be to user activity to be considered expected. |
| BeaconIntervalTolerance | Allowed recurrence interval for benign polling, sync, or persistent sessions differs by app type. |
| ForegroundStateRequired | Some apps should only initiate certain outbound communications while foregrounded. |
| EnterpriseExceptionList | Known developer tools, enterprise proxies, VPNs, relays, and security products may legitimately use uncommon ports. |
The defender correlates managed-app or supervised-device outbound sessions in which application-layer indicators (a TLS handshake, HTTP semantics, or other recognizable application behavior) are observed on destination ports outside the approved baseline for that protocol and bundle role. The strongest iOS evidence is network telemetry showing repeated or persistent sessions using recognizable application protocols over uncommon ports, particularly during background refresh, while the device is locked, or without recent user interaction. Because direct local runtime attribution is weaker on iOS than on Android, the primary iOS analytic should be anchored on the network protocol-versus-port mismatch, enriched with supervised managed-app context and device state.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | VPN:MobileProxy | TLS handshake, HTTP method/header pattern, or WebSocket upgrade observed on a destination port outside the approved port set for the detected protocol during an app-attributed outbound session |
| Network Traffic Content (DC0085) | VPN:MobileProxy | Repeated app-attributed sessions to the same destination or service class used a non-standard destination port with a stable recurrence interval or persistent connection behavior |
| Network Traffic Content (DC0085) | VPN:MobileProxy | Observed protocol-to-port pairing was outside the approved mapping for the managed bundle or service class and did not match an enterprise proxy, relay, or developer tooling exception |
| Application State (DC0123) | MobileEDR:telemetry | DeviceLockState=locked during an outbound session using a non-standard protocol-to-port pairing |
| Application State (DC0123) | MobileEDR:telemetry | LastUserInteractionDelta exceeded the threshold before an app-attributed session using a non-standard protocol-to-port pairing |
| Application Permission (DC0114) | iOS:MDMLog | Bundle identity using the non-standard protocol-to-port pairing was unmanaged, outside the approved app baseline, or not permitted to communicate using the detected protocol/service over the observed destination port |
| OS API Execution (DC0021) | MobileEDR:telemetry | Background refresh, background task execution, or persistent session activation immediately preceded an outbound session using a non-standard protocol-to-port pairing |
| Field | Description |
|---|---|
| AllowedProtocolPortMappings | Approved protocol-to-port pairings vary by bundle, business workflow, proxy architecture, and enterprise policy. |
| SupervisedRequired | Strongest bundle-governance and protocol-port baseline analytics depend on supervised iOS devices. |
| AllowedManagedApps | Approved managed bundle identities vary by organization and device profile. |
| AllowedServiceClasses | Expected external service classes differ across managed app categories and enterprise mobile workflows. |
| TimeWindow | Correlation window linking non-standard-port sessions with lifecycle or local context signals. |
| RecentUserInteractionWindow | Defines how close a session must be to user activity to be considered expected. |
| BeaconIntervalTolerance | Allowed recurrence interval for benign polling, sync, or persistent sessions differs by bundle type. |
| EnterpriseExceptionList | Known enterprise proxies, relays, developer tooling, and security products may legitimately use uncommon ports. |
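As an added worked example that is not part of the original page, the following Python sketch runs both the Android analytic and the iOS analytic described above over constructed VPN:MobileProxy session records and MobileEDR:telemetry device-state records. The record field names, the ALLOWED_* baselines, the thresholds, the app identifiers and every sample event are assumptions for illustration; a real deployment would take the baselines and thresholds from the mutable elements in the tables above.

```python
"""Toy protocol-versus-port mismatch analytic (added example, not page code).

Sessions come from a VPN/mobile-proxy feed, device state from mobile EDR
telemetry. Field names and all sample data below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Mutable elements (illustrative values; tune per organization).
ALLOWED_PROTOCOL_PORTS = {          # AllowedProtocolPortMappings
    "tls": {443, 8443}, "http": {80, 8080}, "dns": {53}, "websocket": {80, 443},
}
ALLOWED_APPS = {"com.example.mail", "com.example.chat", "com.example.devtools"}  # AllowedAppList / AllowedManagedApps
ENTERPRISE_EXCEPTIONS = {("com.example.devtools", "http", 8081)}  # EnterpriseExceptionList: (app, protocol, port)
RECENT_USER_INTERACTION_WINDOW = 300   # RecentUserInteractionWindow, seconds
BEACON_INTERVAL_TOLERANCE = 0.15       # BeaconIntervalTolerance: max stdev/mean of inter-session gaps
MIN_RECURRENCES = 3                    # sessions needed before recurrence is judged


@dataclass(frozen=True)
class Session:
    ts: int          # epoch seconds
    platform: str    # "android" or "ios"
    app: str         # app package / bundle identity attributed by the proxy
    dst: str
    port: int
    protocol: str    # identified from content (handshake, headers), never from the port


@dataclass(frozen=True)
class DeviceState:
    ts: int
    app: str
    app_state: str           # "foreground" / "background"
    lock_state: str          # "locked" / "unlocked"
    last_interaction_ts: int
    supervised: bool = True  # iOS SupervisedRequired context


def is_mismatch(s: Session) -> bool:
    """Protocol recognized, port outside its approved set, and no enterprise exception."""
    allowed = ALLOWED_PROTOCOL_PORTS.get(s.protocol)
    if allowed is None or s.port in allowed:
        return False
    return (s.app, s.protocol, s.port) not in ENTERPRISE_EXCEPTIONS


def latest_state(states, s: Session):
    """Most recent telemetry record for the app at or before the session start."""
    cands = [st for st in states if st.app == s.app and st.ts <= s.ts]
    return max(cands, key=lambda st: st.ts) if cands else None


def context_flags(s: Session, st) -> set:
    """Device-state and app-governance enrichment for one mismatched session."""
    flags = set()
    if s.app not in ALLOWED_APPS:
        flags.add("unmanaged_app")
    if st is None:
        return flags
    if s.platform == "android" and st.app_state == "background":
        flags.add("background")          # AppState row exists only in the Android table
    if st.lock_state == "locked":
        flags.add("locked")
    if s.ts - st.last_interaction_ts > RECENT_USER_INTERACTION_WINDOW:
        flags.add("no_recent_interaction")
    if s.platform == "ios" and not st.supervised:
        flags.add("unsupervised_weak_attribution")
    return flags


def stable_recurrence(timestamps) -> bool:
    """True when inter-session gaps are regular enough to look like polling/beaconing."""
    if len(timestamps) < MIN_RECURRENCES:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= BEACON_INTERVAL_TOLERANCE


def analyze(sessions, states) -> dict:
    """Group mismatched sessions per (app, dst, port, protocol) and collect reasons."""
    groups = defaultdict(list)
    for s in sessions:
        if is_mismatch(s):
            groups[(s.app, s.dst, s.port, s.protocol)].append(s)
    findings = {}
    for key, group in groups.items():
        reasons = {"protocol_port_mismatch"}
        for s in group:
            reasons |= context_flags(s, latest_state(states, s))
        if stable_recurrence([s.ts for s in group]):
            reasons.add("stable_recurrence")
        findings[key] = sorted(reasons)
    return findings


# Constructed sample telemetry.
T0 = 1_700_000_000
SESSIONS = [
    Session(T0 + 10, "android", "com.example.mail", "mail.example.com", 443, "tls"),      # benign
    Session(T0 + 20, "android", "com.example.devtools", "10.0.0.5", 8081, "http"),       # excepted
    *[Session(T0 + 100 + i * 300, "android", "com.example.weather", "203.0.113.7", 4444, "tls")
      for i in range(4)],                                                                  # beacon on 4444
    Session(T0 + 50, "ios", "com.example.chat", "198.51.100.9", 8888, "http"),           # one-off, user active
]
STATES = [
    DeviceState(T0, "com.example.mail", "foreground", "unlocked", T0 - 5),
    DeviceState(T0, "com.example.weather", "background", "locked", T0 - 7200),
    DeviceState(T0 + 45, "com.example.chat", "foreground", "unlocked", T0 + 40),
]

if __name__ == "__main__":
    for key, reasons in analyze(SESSIONS, STATES).items():
        print(key, reasons)
```

The unmanaged weather app surfaces with every corroborating flag (background, locked, stale interaction, stable recurrence), while the managed chat app's single HTTP session on port 8888 yields only the bare mismatch and should stay low severity until device-state or recurrence evidence accumulates; the developer-tooling session on 8081 is suppressed by the exception list, which is where most tuning effort goes in practice.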