Protected User Data: Calendar Entries

Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the EventKit framework.

If the device has been jailbroken or rooted, an adversary may be able to access Calendar Entries without the user’s knowledge or approval.

ID: T1636.001
Sub-technique of:  T1636
Tactic: Collection
Platforms: Android, iOS
MTC ID: APP-13
Version: 1.1
Created: 01 April 2022
Last Modified: 16 March 2023

Procedure Examples

ID Name Description
S0405 Exodus

Exodus Two can exfiltrate calendar events.[1]

S0408 FlexiSpy

FlexiSpy can collect the device calendars.[2]

S0407 Monokle

Monokle can retrieve calendar event information including the event name, when and where it is taking place, and the description.[3]

S0316 Pegasus for Android

Pegasus for Android accesses calendar entries.[4]

S0328 Stealth Mango

Stealth Mango uploads calendar events and reminders.[5]

S1082 Sunbird

Sunbird can exfiltrate calendar information.[6]

Mitigations

ID Mitigation Description
M1011 User Guidance

Calendar access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their device calendar.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting Permissions Requests

Application vetting services could look for android.permission.READ_CALENDAR or android.permission.WRITE_CALENDAR in an Android application’s manifest, or NSCalendarsUsageDescription in an iOS application’s Info.plist file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it.

DS0042 User Interface System Settings

On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary.

References