Application Vetting

Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.


Enterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.


Application Vetting is not a complete mitigation. Techniques such as Detect App Analysis Environment exist that can enable adversaries to bypass vetting.

ID: M1005
Version: 1.0
Created: 18 October 2019
Last Modified: 18 October 2019

Techniques Addressed by Mitigation

Domain ID Name Use
Mobile T1401 Abuse Device Administrator Access to Prevent Removal

It is rare for applications to utilize Device Administrator access. App vetting can detect apps that do so, and those apps should be closely scrutinized. A static analysis approach can be used to identify ransomware apps including apps that abuse Device Administrator access.[1]

Mobile T1435 Access Calendar Entries

On Android, accessing device calendar data requires that the app hold the READ_CALENDAR permission. Apps that request this permission could be closely scrutinized to ensure that the request is appropriate. On iOS, the app vetting process can determine whether apps access device calendar data, with extra scrutiny applied to any that do so.

Mobile T1433 Access Call Log

On Android, accessing the device call log requires that the app hold the READ_CALL_LOG permission. Apps that request this permission could be closely scrutinized to ensure that the request is appropriate.

Mobile T1432 Access Contact List

On Android, accessing the device contact list requires that the app hold the READ_CONTACTS permission. Apps that request this permission could be closely scrutinized to ensure that the request is appropriate. On iOS, the app vetting process can determine whether apps access the device contact list, with extra scrutiny applied to any that do so.

Mobile T1413 Access Sensitive Data in Device Logs
Mobile T1409 Access Stored Application Data

Ensure applications do not store data in an insecure fashion, such as in unprotected external storage, without acknowledging the risk that the data can potentially be accessed or modified by other applications.

Mobile T1416 Android Intent Hijacking

When vetting applications for potential security weaknesses, the vetting process could look for insecure use of intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or the App Links feature added in Android 6.0). For mobile applications using OAuth, encourage use of best practice.[3][4]

Mobile T1418 Application Discovery

Application vetting techniques could search for use of the Android PackageManager class to enumerate other apps, and such applications could have extra scrutiny applied to them. However, this technique may not be practical if many apps invoke these methods as part of their legitimate behavior. On iOS, application vetting techniques could similarly search for use of the private API call necessary to obtain a list of apps installed on the device. Additionally, on iOS, use of the private API call is likely to result in the app not being accepted into Apple's App Store.

Mobile T1429 Capture Audio

Applications using the android permission android.permission.RECORD_AUDIO or iOS applications using RequestRecordPermission could be more closely scrutinized and monitored. If android.permission.CAPTURE_AUDIO_OUTPUT is found in a third-party application, it should be heavily scrutinized.

Mobile T1512 Capture Camera

During the vetting process applications using the android permission android.permission.CAMERA, or the iOS NSCameraUsageDescription plist entry could be analyzed more closely.

Mobile T1414 Capture Clipboard Data

Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to application that make use of them.

Mobile T1412 Capture SMS Messages

Enterprises performing application vetting could search for applications that declare the RECEIVE_SMS permission and scrutinize them closely.

Mobile T1448 Carrier Billing Fraud

Application vetting services can check for applications that request SMS permissions, and can provide extra scrutiny to those that do.

Mobile T1510 Clipboard Modification

Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to application that make use of them.

Mobile T1540 Code Injection

Static or dynamic code analysis to look for misuse of dynamic libraries. Increased focus on applications utilizing DexClassLoader.

Mobile T1577 Compromise Application Executable

Application vetting services could look for attempted usage of the Janus vulnerability.

Mobile T1471 Data Encrypted for Impact

A static analysis approach may be able to identify ransomware apps that encrypt user files on the device.[1]

Mobile T1475 Deliver Malicious App via Authorized App Store

App store operators and enterprises could assess reputational characteristics of the app, including the popularity of the app or other apps from the same developer and whether or not security issues have been found in other apps from the same developer.

Mobile T1446 Device Lockout

It is rare for applications to utilize Device Administrator access. App vetting can detect apps that do so, and those apps should be closely scrutinized. A static analysis approach can be used to identify ransomware apps including apps that abuse Device Administrator access.[1]

Mobile T1407 Download New Code at Runtime

Application vetting techniques could (either statically or dynamically) look for indications that the application downloads and executes new code at runtime (e.g., on Android use of DexClassLoader, System.load, or the WebView JavaScriptInterface capability, or on iOS use of JSPatch or similar capabilities). Unfortunately, this is only a partial mitigation, as additional scrutiny would still need to be applied to applications that use these techniques, as the techniques are often used without malicious intent, and because applications may employ other techniques such as to hide their use of these techniques.

Mobile T1523 Evade Analysis Environment

Applications attempting to get android.os.SystemProperties or getprop with the runtime exec() commands should be closely scrutinized. Google does not recommend the use of system properties within applications.

Mobile T1404 Exploit OS Vulnerability

Application vetting may be able to identify the presence of exploit code within applications.

Mobile T1405 Exploit TEE Vulnerability
Mobile T1541 Foreground Persistence

Applications could be vetted for their use of the startForeground() API, and could be further scrutinized if usage is found.

Mobile T1472 Generate Fraudulent Advertising Revenue
Mobile T1417 Input Capture

Applications that attempt to register themselves as a device keyboard or request the android.permission.BIND_ACCESSIBILITY_SERVICE permission in a service declaration should be closely scrutinized during the vetting process.

Mobile T1516 Input Injection

Applications that register an accessibility service should be scrutinized further for malicious behavior.

Mobile T1411 Input Prompt
Mobile T1579 Keychain

Application vetting services may be able to detect known privilege escalation exploits contained within applications.

Mobile T1430 Location Tracking

On Android, applications must request the ACCESS_COARSE_LOCATION or ACCESS_FINE_LOCATION permission to access the device's physical location. Extra scrutiny could be given to applications that request these permissions. On iOS, calls to the relevant APIs could be detected during the vetting process.

Mobile T1463 Manipulate Device Communication

Application vetting techniques can scan for use of cleartext communication, insecure TrustManager implementations, and other potential network communication weaknesses. The Google Play Store now automatically assesses submitted applications for insecure TrustManager implementations.[5]

Mobile T1575 Native Code

Application vetting services could look for the native keyword in function definitions. However, this is widely used for legitimate purposes, so this may not be feasible. Application vetting services may also be able to detect behaviors carried out through the Native Development Kit (NDK) via dynamic analysis.

Mobile T1410 Network Traffic Capture or Redirection

Closely scrutinize applications that request VPN access before allowing their use.

Mobile T1406 Obfuscated Files or Information

Application vetting techniques may be able to alert to the presence of obfuscated or encrypted code in applications, and such applications could have extra scrutiny applied. Unfortunately, this mitigation is likely impractical, as many legitimate applications apply code obfuscation or encryption to resist adversary techniques such as Repackaged Application. Dynamic analysis when used in application vetting may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.

Mobile T1424 Process Discovery

Application vetting techniques could be used to attempt to identify applications with this behavior.

Mobile T1544 Remote File Copy

Applications with network connections to unknown domains or IP addresses could be further scrutinized to detect unauthorized file copying. Further, some application vetting services may indicate precisely what content was requested during application execution.

Mobile T1513 Screen Capture

Applications can be vetted for their use of the Android MediaProjectionManager class, with extra scrutiny applied to any application that uses the class.

Mobile T1426 System Information Discovery

App vetting procedures can search for apps that use the android.os.Build class, but these procedures could potentially be evaded and are likely not practical in this case, as many apps are likely to use this functionality as part of their legitimate behavior.

Mobile T1422 System Network Configuration Discovery

Application vetting could be used to analyze applications to determine whether they access this information, including determining whether the application requests the Android ACCESS_NETWORK_STATE permission (required in order to access NetworkInterface information) or the READ_PHONE_STATE permission (required in order to access TelephonyManager information).

Mobile T1421 System Network Connections Discovery

During application vetting, applications could be examined to see if they have this behavior, and extra scrutiny could potentially be given to applications that do.

Mobile T1509 Uncommonly Used Port

Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs.

Mobile T1576 Uninstall Malicious Application

Application vetting services could look for use of the accessibility service or features that typically require root access.

Mobile T1415 URL Scheme Hijacking

Check for potential malicious definitions of URL schemes when vetting applications. Also, when examining apps for potential vulnerabilities, encourage use of universal links as an alternative to URL schemes. When examining apps that use OAuth, encourage use of best practices.[2][3]

References