Input Capture

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Keylogging) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. GUI Input Capture).

ID: T1417
Sub-techniques:  T1417.001, T1417.002
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
MTC ID: APP-31, AUT-13
Version: 2.2
Created: 25 October 2017
Last Modified: 11 April 2022


ID Mitigation Description
M1012 Enterprise Policy

When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.[1] An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android's accessibility features.

M1006 Use Recent OS Version

The HIDE_OVERLAY_WINDOWS permission was introduced in Android 12 allowing apps to hide overlay windows of type TYPE_APPLICATION_OVERLAY drawn by other apps with the SYSTEM_ALERT_WINDOW permission, preventing other applications from creating overlay windows on top of the current application.[2]

M1011 User Guidance

Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.


Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay. Users can view and manage installed third-party keyboards.