The defender correlates newly granted or recently exercised storage or privilege permissions with burst reads of local files, local databases, or protected records from operating-system or external-storage locations, especially when the reads are inconsistent with the app's declared role, occur while the app is in the background or the device is locked, or are followed by temporary staging or outbound transmission. The analytic rests on Android-specific observables: external-storage access (since scoped storage was enforced in Android 11, reading beyond an app's own directories and the shared media collections requires MANAGE_EXTERNAL_STORAGE, and on Android 13 and later media reads require the READ_MEDIA_* permissions, so the grant itself is a useful precondition), app-private database reads where the sensor can see them (another app cannot read a package's private directory without root, so this visibility normally comes from a privileged or device-owner sensor rather than from app-level instrumentation), and repeated enumeration or read activity against local paths associated with media, tokens, caches, or exported application data.

| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | android:MDMLog | Managed app granted or retaining storage-related or elevated access inconsistent with declared function prior to local data access activity |
| OS API Execution (DC0021) | MobileEDR:telemetry | Application queries or opens multiple local SQLite or app-associated database stores containing records unrelated to the app's declared function during the collection phase |
| File Access (DC0055) | MobileEDR:telemetry | Application performs burst reads across local system paths, external storage, media directories, cache locations, or local database files within a short interval as the primary collection phase |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between permission state, local data reads, optional staging, and outbound transfer |
| AllowedAppList | Apps legitimately expected to read local files or databases such as backup, sync, file manager, security, or media management apps |
| AllowedPathList | Expected local paths, storage roots, and database locations for legitimate app behavior |
| ForegroundStateRequired | Whether sensitive local data access should happen only during active user-driven workflows |
| BurstReadThreshold | Minimum number of file or record reads within a short interval required to indicate suspicious collection |
| SensitivePathPatterns | Environment-specific list of high-value local paths such as external media roots, app export folders, token stores, or browser data locations |
| UplinkBytesThreshold | Minimum upload size expected if collection is followed by exfiltration |

The defender correlates supervised-device app posture and lifecycle context with repeated local file or local-database access effects, especially when a managed app reads browser, messaging, keychain-related, or application-container data outside its expected role and then stages or uploads the result. iOS confines each app to its own container, so a third-party app reading another app's container or system databases such as Safari history or SMS should not be possible on an unmodified device; where a sensor does observe it, the device is presumptively jailbroken or otherwise compromised. Because direct low-level file-system visibility is weaker on iOS than on Android, the primary analytic is effect-based: managed app identity and posture reported by MDM, file or database access where the mobile sensor can see it, background execution context, and near-term outbound communication.

| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | iOS:MDMLog | A supervised managed app with no expected local export, sync, or forensic role accesses or stages local records, inconsistent with the policy baseline |
| OS API Execution (DC0021) | MobileEDR:telemetry | Application performs repeated record access, container traversal, or local data extraction processing against local stores before staging or transmission |
| File Access (DC0055) | MobileEDR:telemetry | Application reads multiple local container files, browser-history artifacts, messaging artifacts, or local records in rapid sequence during the collection phase |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between managed app posture, local access activity, optional staging, and upload |
| AllowedAppList | Managed apps expected to access local records such as enterprise sync, backup, or approved investigation tools |
| AllowedContainerPatterns | Expected app-container or local artifact locations for legitimate workflows |
| ForegroundStateRequired | Whether local record access should happen only during active user interaction |
| BurstReadThreshold | Minimum number of local file or record reads in a short interval required for alerting |
| SensitiveArtifactPatterns | Environment-specific list of high-value browser, messaging, token, or local record artifacts |
| UplinkBytesThreshold | Minimum outbound volume consistent with recent local data collection |
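The correlation that both the Android and iOS analytics above describe, run over constructed telemetry, as an added example that is not part of the original page or of any MDM or mobile EDR product. It gates on AllowedAppList, drops reads under AllowedPathList or AllowedContainerPatterns, finds the densest run of remaining reads inside a burst interval (the page's "short interval", made explicit here as an assumed `burst_interval_s` tunable), requires a permission or posture event at most TimeWindow before the burst, then scores sensitive-path hits, background reads, and uplink volume within TimeWindow after the burst. The event schema, app identifiers, file paths, and byte counts are all constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass
class Tunables:
    """One attribute per tunable field in the tables above (page field names in comments)."""
    time_window_s: int = 900                # TimeWindow
    allowed_apps: frozenset = frozenset()   # AllowedAppList
    allowed_paths: tuple = ()               # AllowedPathList / AllowedContainerPatterns
    foreground_required: bool = True        # ForegroundStateRequired
    burst_read_threshold: int = 5           # BurstReadThreshold
    sensitive_paths: tuple = ()             # SensitivePathPatterns / SensitiveArtifactPatterns
    uplink_bytes_threshold: int = 50_000    # UplinkBytesThreshold
    burst_interval_s: int = 60              # assumption: the page's "short interval" made explicit

def _matches(path, patterns):
    return any(fnmatch(path, p) for p in patterns)

def correlate(events, t):
    """Return one alert dict per app whose telemetry satisfies the analytic.
    Events are dicts {ts, app, kind, ...}, ts in seconds; kinds (a constructed schema, not a
    real sensor's): permission {perm}, file_access {path, foreground}, net_tx {bytes}."""
    by_app = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_app.setdefault(e["app"], []).append(e)
    alerts = []
    for app, evs in by_app.items():
        if app in t.allowed_apps:               # AllowedAppList suppresses the app outright
            continue
        grants = [e["ts"] for e in evs if e["kind"] == "permission"]
        reads = [e for e in evs if e["kind"] == "file_access"
                 and not _matches(e["path"], t.allowed_paths)]
        # Densest run of out-of-policy reads that fits inside one burst interval.
        burst, start = [], 0
        for i in range(len(reads)):
            while reads[i]["ts"] - reads[start]["ts"] > t.burst_interval_s:
                start += 1
            if i - start + 1 > len(burst):
                burst = reads[start:i + 1]
        if len(burst) < t.burst_read_threshold:
            continue
        b0, b1 = burst[0]["ts"], burst[-1]["ts"]
        # Precondition: a grant or posture event at most TimeWindow before the burst began.
        if not any(b0 - t.time_window_s <= g <= b0 for g in grants):
            continue
        sensitive = sorted({r["path"] for r in burst if _matches(r["path"], t.sensitive_paths)})
        background = t.foreground_required and any(not r["foreground"] for r in burst)
        uplink = sum(e["bytes"] for e in evs
                     if e["kind"] == "net_tx" and b1 <= e["ts"] <= b1 + t.time_window_s)
        alerts.append({"app": app, "reads": len(burst), "sensitive_paths": sensitive,
                       "background": background, "uplink_bytes": uplink,
                       "exfil_suspected": uplink >= t.uplink_bytes_threshold})
    return alerts

def _ev(ts, app, kind, **extra):
    return {"ts": ts, "app": app, "kind": kind, **extra}

# Constructed Android telemetry: a flashlight app with no media role reads the camera roll
# in the background and uploads; the backup app does the same but is allowlisted.
ANDROID = Tunables(
    allowed_apps=frozenset({"com.enterprise.backup"}),
    allowed_paths=("/data/data/*/cache/*",),
    sensitive_paths=("/sdcard/DCIM/*", "/sdcard/Download/*", "/data/data/*/databases/*"),
)
_MEDIA = [f"/sdcard/DCIM/Camera/IMG_{i:04d}.jpg" for i in range(5)] + ["/sdcard/Download/export.csv"]
ANDROID_EVENTS = [
    _ev(0, "com.example.flashlight", "permission", perm="android.permission.READ_MEDIA_IMAGES"),
    *[_ev(100 + i, "com.example.flashlight", "file_access", path=p, foreground=False)
      for i, p in enumerate(_MEDIA)],
    _ev(130, "com.example.flashlight", "net_tx", bytes=120_000),
    _ev(0, "com.enterprise.backup", "permission", perm="android.permission.MANAGE_EXTERNAL_STORAGE"),
    *[_ev(200 + i, "com.enterprise.backup", "file_access", path=p, foreground=False)
      for i, p in enumerate(_MEDIA)],
    _ev(230, "com.enterprise.backup", "net_tx", bytes=5_000_000),
]

# Constructed iOS telemetry: a third-party app touching Safari or SMS databases outside its own
# container means the sandbox is already bypassed, which is why these are high-value artifacts.
IOS = Tunables(
    allowed_apps=frozenset({"com.enterprise.sync"}),
    allowed_paths=("/private/var/mobile/Containers/Data/Application/*/Library/Caches/*",),
    sensitive_paths=("*/Library/Safari/History.db*", "*/Library/SMS/sms.db",
                     "*/Library/Cookies/*", "*/AppGroup/*/ChatStorage.sqlite"),
)
_ARTIFACTS = ["/private/var/mobile/Library/Safari/History.db",
              "/private/var/mobile/Library/Safari/History.db-wal",
              "/private/var/mobile/Library/SMS/sms.db",
              "/private/var/mobile/Library/Cookies/Cookies.binarycookies",
              "/private/var/mobile/Containers/Shared/AppGroup/0000-0000/ChatStorage.sqlite"]
IOS_EVENTS = [
    _ev(0, "com.example.wallpaper", "permission", perm="mdm:managed_app_no_export_role"),
    *[_ev(300 + i, "com.example.wallpaper", "file_access", path=p, foreground=False)
      for i, p in enumerate(_ARTIFACTS)],
    _ev(330, "com.example.wallpaper", "net_tx", bytes=80_000),
]
```

Calling `correlate(ANDROID_EVENTS, ANDROID)` yields one alert for `com.example.flashlight` (six background reads, all on sensitive paths, 120,000 bytes uploaded within the window) and nothing for the allowlisted backup app; `correlate(IOS_EVENTS, IOS)` yields one alert for `com.example.wallpaper`. Removing the permission events, or raising `uplink_bytes_threshold` above the observed upload, shows which gate each tunable controls: the former suppresses the alert entirely, the latter keeps it but clears `exfil_suspected`.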