Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken.
Device attestation could detect devices with unauthorized or unsafe modifications.
A locked bootloader could prevent unauthorized modifications to protected operating system files.
Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files.
|M1004||System Partition Integrity||
Android and iOS include system partition integrity mechanisms that could detect unauthorized modifications.
On Android, Verified Boot can detect unauthorized modifications to the system partition. Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices.