Protected User Data

Adversaries may utilize standard operating system APIs to collect data from permission-backed data stores on a device, such as the calendar or contact list. These permissions need to be declared ahead of time. On Android, they must be included in the application’s manifest. On iOS, they must be included in the application’s Info.plist file.

In almost all cases, the user is required to grant access to the data store that the application is trying to access. In recent OS versions, vendors have introduced additional privacy controls for users, such as the ability to grant permission to an application only while the application is being actively used by the user.

If the device has been jailbroken or rooted, an adversary may be able to access Protected User Data without the user’s knowledge or approval.

ID: T1636
Sub-techniques:  T1636.001, T1636.002, T1636.003, T1636.004
Tactic Type: Post-Adversary Device Access
Tactic: Collection
Platforms: Android, iOS
MTC ID: APP-13
Version: 1.1
Created: 01 April 2022
Last Modified: 20 March 2023

Mitigations

ID Mitigation Description
M1006 Use Recent OS Version

OS feature updates often enhance security and privacy around permissions.

M1011 User Guidance

Users should be taught the danger behind granting unnecessary permissions to an application and should be advised to use extra scrutiny when an application requests them.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting Permissions Requests

Application vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as RECEIVE_SMS, could receive additional scrutiny.

DS0042 User Interface System Settings

The user can view permissions granted to an application in device settings.