User Guidance

Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.

ID: M1011
Version: 1.0
Created: 18 October 2019
Last Modified: 18 October 2019

Techniques Addressed by Mitigation

Domain ID Name Description
Mobile T1427 Attack PC via USB Connection

Advise users to only connect mobile devices to PCs when a justified need exists (e.g., mobile app development and debugging).

Mobile T1475 Deliver Malicious App via Authorized App Store

Encourage developers to protect their account credentials and enable multi-factor authentication if available. Encourage developers to protect their signing keys.

Mobile T1476 Deliver Malicious App via Other Means

iOS 9 and above requires explicit user consent before allowing installation of applications signed with enterprise distribution keys rather than installed from Apple's App Store. Users should be encouraged to not agree to installation of applications signed with enterprise distribution keys unless absolutely certain of the source of the application. On Android, the "Unknown Sources" setting must be enabled for users to install apps from sources other than an authorized app store (such as the Google Play Store), so users should be encouraged not to enable that setting.

Mobile T1458 Exploit via Charging Station or PC

Users should be advised not to use public charging stations or computers to charge their devices. Instead, users should be issued a charger acquired from a trustworthy source. Users should be advised not to click on device prompts to trust attached computers unless absolutely necessary.

Mobile T1417 Input Capture

Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration and accessibility permissions.

Mobile T1516 Input Injection

Users should be warned against granting access to accessibility features and advised to carefully scrutinize applications that request this dangerous permission.

Mobile T1478 Install Insecure or Malicious Configuration

Typically, insecure or malicious configuration settings are not installed without the user's consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning).

Mobile T1444 Masquerade as Legitimate Application

Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps.

Mobile T1470 Obtain Device Cloud Backups

Encourage users to protect their account credentials and to enable available multi-factor authentication options.

Mobile T1468 Remotely Track Device Without Authorization

Encourage users to protect their account credentials and to enable available multi-factor authentication options.

Mobile T1469 Remotely Wipe Data Without Authorization

Encourage users to protect their account credentials and to enable available multi-factor authentication options.

Mobile T1513 Screen Capture

Users should be advised not to grant consent for screen captures to occur unless expected. Users should avoid enabling USB debugging (Android Debug Bridge) unless explicitly required.