User Guidance
Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.
Techniques Addressed by Mitigation
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Mobile | T1626 | .001 | Abuse Elevation Control Mechanism: Device Administrator Permissions |
Users should scrutinize every device administration permission request. If the request is not expected or the user does not recognize the application, the application should be uninstalled immediately. |
| Mobile | T1517 | Access Notifications |
Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to notifications. |
|
| Mobile | T1640 | Account Access Removal |
Users should be taught that Device Administrator permissions are very dangerous, and very few applications need it. |
|
| Mobile | T1429 | Audio Capture |
Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to microphone or audio output. |
|
| Mobile | T1616 | Call Control |
Users should be encouraged to be very careful with what applications they grant phone call-based permissions to. Further, users should not change their default call handler to applications they do not recognize. |
|
| Mobile | T1662 | Data Destruction |
Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups. |
|
| Mobile | T1642 | Endpoint Denial of Service |
Users should be cautioned against granting administrative access to applications. |
|
| Mobile | T1627 | Execution Guardrails |
Users should be advised to be extra scrutinous of applications that request location or sensitive phone information permissions, and to deny any permissions requests for applications they do not recognize. |
|
| .001 | Geofencing |
Users should be advised to be extra scrutinous of applications that request location, and to deny any permissions requests for applications they do not recognize. |
||
| Mobile | T1658 | Exploitation for Client Execution |
Users should be wary of iMessages from unknown senders. Additionally, users should be instructed not to open unrecognized links or other attachments in text messages. |
|
| Mobile | T1541 | Foreground Persistence |
If a user sees a persistent notification they do not recognize, they should uninstall the source application and look for other unwanted applications or anomalies. |
|
| Mobile | T1643 | Generate Traffic from Victim |
Users should be advised that applications generally do not require permission to send SMS messages. |
|
| Mobile | T1628 | .001 | Hide Artifacts: Suppress Application Icon |
Users should be shown what a synthetic activity looks like so they can scrutinize them in the future. |
| Mobile | T1629 | Impair Defenses |
Providing user guidance around commonly abused features, such as the modal that requests for administrator permissions, should aid in preventing impairing defenses. |
|
| .001 | Prevent Application Removal |
Users should be warned against granting access to accessibility features and device administration services, and to carefully scrutinize applications that request these dangerous permissions. Users should be taught how to boot into safe mode to uninstall malicious applications that may be interfering with the uninstallation process. |
||
| .003 | Disable or Modify Tools |
Users should be taught the dangers of rooting or jailbreaking their device. |
||
| Mobile | T1630 | Indicator Removal on Host |
Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge. |
|
| .001 | Uninstall Malicious Application |
Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge. |
||
| .002 | File Deletion |
Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups. |
||
| Mobile | T1417 | Input Capture |
Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access. |
|
| .001 | Keylogging |
Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access. |
||
| Mobile | T1516 | Input Injection |
Users should be warned against granting access to accessibility features, and to carefully scrutinize applications that request this dangerous permission. |
|
| Mobile | T1430 | Location Tracking |
Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to location information. Users should also protect their account credentials and enable multi-factor authentication options when available. |
|
| .001 | Remote Device Management Services |
Users should protect their account credentials and enable multi-factor authentication options when available. |
||
| Mobile | T1655 | Masquerading |
Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps. |
|
| .001 | Match Legitimate Name or Location |
Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps. |
||
| Mobile | T1644 | Out of Band Data |
Users should be instructed to not grant applications unexpected or unnecessary permissions. |
|
| Mobile | T1660 | Phishing |
Users can be trained to identify social engineering techniques and phishing emails. |
|
| Mobile | T1636 | Protected User Data |
Users should be taught the danger behind granting unnecessary permissions to an application and should be advised to use extra scrutiny when an application requests them. |
|
| .001 | Calendar Entries |
Calendar access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their device calendar. |
||
| .002 | Call Log |
Call Log access an uncommonly needed permission, so users should be instructedto use extra scrutiny when granting access to their call logs. |
||
| .003 | Contact List |
Contact list access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their contact list. |
||
| .004 | SMS Messages |
Access to SMS messages is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their SMS messages. |
||
| Mobile | T1663 | Remote Access Software |
Users should be encouraged to be very careful with granting dangerous permissions, such as device administrator or access to device accessibility. |
|
| Mobile | T1458 | Replication Through Removable Media |
Users should be advised not to use public charging stations or computers to charge their devices. Instead, users should be issued a charger acquired from a trustworthy source. Users should be advised not to click on device prompts to trust attached computers unless absolutely necessary. |
|
| Mobile | T1513 | Screen Capture |
Users should be advised not to grant consent for screen captures to occur unless expected. Users should avoid enabling USB debugging (Android Debug Bridge) unless explicitly required. |
|
| Mobile | T1582 | SMS Control |
Users should be encouraged to be very careful with what applications they grant SMS access to. Further, users should not change their default SMS handler to applications they do not recognize.[1] |
|
| Mobile | T1418 | Software Discovery |
iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device. |
|
| .001 | Security Software Discovery |
iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device. |
||
| Mobile | T1635 | Steal Application Access Token |
Users should be instructed to not open links in applications they don’t recognize. |
|
| .001 | URI Hijacking |
Users should be instructed to not open links in applications they don’t recognize. |
||
| Mobile | T1632 | Subvert Trust Controls |
Typically, insecure or malicious configuration settings are not installed without the user's consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning). |
|
| .001 | Code Signing Policy Modification |
Typically, insecure or malicious configuration settings are not installed without the user's consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning). |
||