Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the
If the device has been jailbroken or rooted, an adversary may be able to access Calendar Entries without the user’s knowledge or approval.
|S0316||Pegasus for Android|
Calendar access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their device calendar.
On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary. Application vetting services could look for
android.permission.WRITE_CALENDAR in an Android application’s manifest, or
NSCalendarsUsageDescription in an iOS application’s
Info.plist file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it.