Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Keylogging) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. GUI Input Capture).
| ID | Name | Description |
|---|---|---|
| S1126 | Phenakite |
Phenakite has used phishing sites for iCloud and Facebook if either of those were used for authentication during the chat sign up process.[1] |
| ID | Mitigation | Description |
|---|---|---|
| M1012 | Enterprise Policy |
When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.[2] An EMM/MDM can use the Android |
| M1006 | Use Recent OS Version |
The |
| M1011 | User Guidance |
Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0041 | Application Vetting | Permissions Requests |
Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay. |
| DS0042 | User Interface | System Settings |
The user can view and manage installed third-party keyboards. |