User Guidance

Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.

ID: M1011
Version: 1.0
Created: 18 October 2019
Last Modified: 18 October 2019

Techniques Addressed by Mitigation

Domain ID Name Use
Mobile T1626 .001 Abuse Elevation Control Mechanism: Device Administrator Permissions

Users should scrutinize every device administration permission request. If the request is not expected or the user does not recognize the application, the application should be uninstalled immediately.

Mobile T1517 Access Notifications

Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to notifications.

Mobile T1640 Account Access Removal

Users should be taught that Device Administrator permissions are very dangerous, and very few applications need it.

Mobile T1429 Audio Capture

Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to microphone or audio output.

Mobile T1616 Call Control

Users should be encouraged to be very careful with what applications they grant phone call-based permissions to. Further, users should not change their default call handler to applications they do not recognize.

Mobile T1662 Data Destruction

Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups.

Mobile T1521 .003 Encrypted Channel: SSL Pinning

Users should be advised to not trust or install self-signed certificates.

Mobile T1642 Endpoint Denial of Service

Users should be cautioned against granting administrative access to applications.

Mobile T1627 Execution Guardrails

Users should be advised to be extra scrutinous of applications that request location or sensitive phone information permissions, and to deny any permissions requests for applications they do not recognize.

.001 Geofencing

Users should be advised to be extra scrutinous of applications that request location, and to deny any permissions requests for applications they do not recognize.

Mobile T1658 Exploitation for Client Execution

Users should be wary of iMessages from unknown senders. Additionally, users should be instructed not to open unrecognized links or other attachments in text messages.

Mobile T1541 Foreground Persistence

If a user sees a persistent notification they do not recognize, they should uninstall the source application and look for other unwanted applications or anomalies.

Mobile T1643 Generate Traffic from Victim

Users should be advised that applications generally do not require permission to send SMS messages.

Mobile T1628 .001 Hide Artifacts: Suppress Application Icon

Users should be shown what a synthetic activity looks like so they can scrutinize them in the future.

Mobile T1629 Impair Defenses

Providing user guidance around commonly abused features, such as the modal that requests for administrator permissions, should aid in preventing impairing defenses.

.001 Prevent Application Removal

Users should be warned against granting access to accessibility features and device administration services, and to carefully scrutinize applications that request these dangerous permissions. Users should be taught how to boot into safe mode to uninstall malicious applications that may be interfering with the uninstallation process.

.003 Disable or Modify Tools

Users should be taught the dangers of rooting or jailbreaking their device.

Mobile T1630 Indicator Removal on Host

Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge.

.001 Uninstall Malicious Application

Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge.

.002 File Deletion

Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups.

Mobile T1417 Input Capture

Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.

.001 Keylogging

Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.

Mobile T1516 Input Injection

Users should be warned against granting access to accessibility features, and to carefully scrutinize applications that request this dangerous permission.

Mobile T1430 Location Tracking

Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to location information. Users should also protect their account credentials and enable multi-factor authentication options when available.

.001 Remote Device Management Services

Users should protect their account credentials and enable multi-factor authentication options when available.

Mobile T1655 Masquerading

Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps.

.001 Match Legitimate Name or Location

Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps.

Mobile T1644 Out of Band Data

Users should be instructed to not grant applications unexpected or unnecessary permissions.

Mobile T1660 Phishing

Users can be trained to identify social engineering techniques and phishing emails.

Mobile T1636 Protected User Data

Users should be taught the danger behind granting unnecessary permissions to an application and should be advised to use extra scrutiny when an application requests them.

.001 Calendar Entries

Calendar access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their device calendar.

.002 Call Log

Call Log access an uncommonly needed permission, so users should be instructedto use extra scrutiny when granting access to their call logs.

.003 Contact List

Contact list access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their contact list.

.004 SMS Messages

Access to SMS messages is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their SMS messages.

Mobile T1663 Remote Access Software

Users should be encouraged to be very careful with granting dangerous permissions, such as device administrator or access to device accessibility.

Mobile T1458 Replication Through Removable Media

Users should be advised not to use public charging stations or computers to charge their devices. Instead, users should be issued a charger acquired from a trustworthy source. Users should be advised not to click on device prompts to trust attached computers unless absolutely necessary.

Mobile T1513 Screen Capture

Users should be advised not to grant consent for screen captures to occur unless expected. Users should avoid enabling USB debugging (Android Debug Bridge) unless explicitly required.

Mobile T1582 SMS Control

Users should be encouraged to be very careful with what applications they grant SMS access to. Further, users should not change their default SMS handler to applications they do not recognize.[1]

Mobile T1418 Software Discovery

iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device.

.001 Security Software Discovery

iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device.

Mobile T1635 Steal Application Access Token

Users should be instructed to not open links in applications they don’t recognize.

.001 URI Hijacking

Users should be instructed to not open links in applications they don’t recognize.

Mobile T1632 Subvert Trust Controls

Typically, insecure or malicious configuration settings are not installed without the user's consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning).

.001 Code Signing Policy Modification

Typically, insecure or malicious configuration settings are not installed without the user's consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning).

References