Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1647: Analytic 1647

Defender correlates attempts to inventory installed apps via LaunchServices/URL-scheme probing or private APIs (e.g., LSApplicationWorkspace) with checks for high-value targets and quick persistence/egress. Chain: capability/attempt (URL scheme spray or LSWorkspace calls) → large scheme/app probe set → optional webview hits to brand domains → local inventory cache → small egress.

MobileAN1647AnalyticObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting iOS behavior where an app tries to build an inventory of other installed apps, typically through URL-scheme probing, LaunchServices-style checks, or private APIs, and then pairs that discovery with signs of target selection, persistence, or small outbound data transfer. For leaders, the value is not just detecting “app enumeration”; it is understanding whether mobile devices may be leaking information about a user’s banking, messaging, enterprise, or other high-value app footprint.

Executive priority

Prioritize this as a mobile privacy, identity, and incident-readiness concern for managed iOS environments. App inventory can help an adversary tailor follow-on activity, identify valuable users, or decide what data to exfiltrate. Security leaders should ask whether mobile telemetry, MDM controls, app vetting, and incident response playbooks can distinguish normal app interoperability from suspicious broad probing and egress. This is especially relevant where mobile devices access corporate identity, messaging, SaaS, or regulated data.

Technical view

For SOC and mobile security teams, validate whether iOS telemetry can show the analytic chain described by MITRE: attempted app inventory through URL-scheme spray, LaunchServices or LSApplicationWorkspace-style calls, a large set of scheme or app probes, optional webview access to brand domains, creation of a local inventory cache, and small outbound egress. Because ATT&CK does not provide a separate detection statement for this object, coverage should be proven with local data sources and testable hypotheses rather than assumed from the analytic name alone.

Likely telemetry

  • iOS mobile device management or mobile threat defense events for suspicious app behavior
  • Application behavior logs showing URL-scheme probing or broad inter-app lookup attempts where available
  • Signals of private API usage or LaunchServices/LSApplicationWorkspace-style access where observable
  • Network telemetry for small outbound transfers following inventory activity
  • Webview or domain-access telemetry involving high-value brand domains where collected

Detection direction

  • Correlate multiple behaviors rather than alerting on a single URL-scheme check, since legitimate apps may query specific schemes for normal interoperability.
  • Look for unusually large or broad scheme/app probe sets, especially when followed by local caching and outbound network activity.
  • Tune for sequence and proximity: capability or attempt, broad probing, high-value target checks, local inventory cache, then small egress.
  • Separate expected enterprise app workflows from suspicious enumeration by baselining approved apps and common integrations.
  • Document telemetry gaps: many iOS environments may not expose private API use, webview details, or local cache artifacts to the SOC.

Mitigation priorities

  • Use mobile application governance to restrict or review apps that request or demonstrate broad app-discovery behavior.
  • Apply MDM or mobile security controls that limit unmanaged or untrusted apps on devices accessing enterprise resources.
  • Ensure app vetting considers URL-scheme probing, private API usage, local inventory storage, and unexpected egress patterns.
  • Strengthen conditional access and identity controls for mobile devices so suspicious app behavior can influence access decisions where supported.
  • Prepare mobile IR procedures for collecting relevant device, app, and network evidence without assuming desktop-style endpoint visibility.
Analyst notes and limits

This object is a mobile ATT&CK detection analytic for iOS, external ID AN1647, tied to MITRE detection strategy DET0600. No tactics, relationships, aliases, or separate official detection text were supplied. The strongest use is as a validation pattern for mobile telemetry correlation rather than a standalone rule specification.

The supplied ATT&CK fields do not identify related techniques, threat groups, malware, campaigns, or confirmed exploitation. Detection feasibility depends heavily on the organization’s iOS management model, mobile telemetry depth, app logging, and network visibility. This take should not be read as evidence of active exploitation or guaranteed detectability.

Official MITRE ATT&CK definition

Analytic 1647

Defender correlates attempts to inventory installed apps via LaunchServices/URL-scheme probing or private APIs (e.g., LSApplicationWorkspace) with checks for high-value targets and quick persistence/egress. Chain: capability/attempt (URL scheme spray or LSWorkspace calls) → large scheme/app probe set → optional webview hits to brand domains → local inventory cache → small egress.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
798c4161c70ec911...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle 798c4161c70e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1647
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use