Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1682: Analytic 1682

Defender observes an application establishing recurrent HTTPS or APNS-related communications exhibiting structured cadence, abnormal session persistence, or notification-triggered network bursts inconsistent with user interaction patterns or declared application behavior.

MobileAN1682AnalyticObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because it points to iOS apps whose network behavior does not match normal user activity or the app’s declared purpose. Recurrent HTTPS or Apple Push Notification service-related bursts can be legitimate, but abnormal cadence, persistent sessions, or notification-triggered traffic may indicate a mobile app behavior that deserves validation before it becomes an unmanaged business, privacy, or incident-response blind spot.

Executive priority

Security leaders should treat this as a mobile visibility and assurance question: can the organization explain which iOS apps are communicating persistently, why they do so, and whether that behavior aligns with business use and policy? The priority is highest where iOS devices access sensitive business data, regulated information, executive communications, or operational workflows, because unexplained mobile network persistence can complicate incident scoping, audit evidence, and containment decisions.

Technical view

For SOC, detection engineering, and IR teams, this analytic should be validated against iOS network telemetry that can show recurring HTTPS or APNS-related communications over time. The key task is not to flag all push notification or HTTPS traffic, but to baseline expected app behavior and identify structured cadence, abnormal session persistence, or bursts tied to notifications that are inconsistent with observed user interaction or declared application behavior. No ATT&CK tactic or relationship context was supplied, so this should be handled as a behavior-focused detection analytic rather than mapped to a specific intrusion phase.

Likely telemetry

  • iOS application network connection metadata, including destination, protocol, timing, and session duration
  • HTTPS flow records or proxy/VPN/security gateway logs where available for managed iOS devices
  • APNS-related connection or notification timing metadata where available
  • Mobile device management or mobile threat defense inventory showing installed applications and declared/approved business use
  • User interaction or device activity context sufficient to compare network bursts against expected app use

Detection direction

  • Baseline normal HTTPS and APNS communication patterns for approved iOS applications before alerting on cadence alone.
  • Correlate recurrent traffic with app identity, user interaction timing, and expected application purpose to reduce false positives from legitimate background refresh, messaging, collaboration, or notification-heavy apps.
  • Prioritize anomalies involving abnormal session persistence, highly structured periodicity, or notification-triggered bursts that cannot be explained by normal app behavior.
  • Validate whether current mobile, network, or MDM telemetry can attribute traffic to a specific iOS application; lack of app-level attribution is a major blind spot.
  • Because no official detection logic is provided, convert this into environment-specific analytics using local baselines and documented exceptions rather than relying on generic indicators.

Mitigation priorities

  • Establish or review approved iOS application inventory and expected network behavior for business-critical or sensitive-user groups.
  • Ensure managed iOS devices route sufficient telemetry through approved mobile security, network, or management controls where privacy and policy allow.
  • Document exceptions for legitimate persistent or notification-heavy apps so SOC teams can distinguish expected behavior from unexplained recurrence.
  • Use investigation outcomes to refine mobile app allowlisting, configuration standards, and incident response playbooks for suspicious mobile network behavior.
  • For compliance readiness, retain evidence showing how mobile app behavior is monitored, reviewed, and tied to business justification where required.
Analyst notes and limits

The supplied object is a MITRE ATT&CK mobile detection analytic for iOS. It describes observable network behavior but provides no official detection logic, no tactic mapping, and no relationship context. The most useful Glexia framing is therefore around mobile telemetry readiness, behavioral baselining, and incident triage discipline rather than a specific adversary technique or campaign.

This take is limited to the official STIX fields provided. It does not assert active exploitation, attribution, affected organizations, guaranteed detectability, or platforms beyond iOS. Local device management model, privacy constraints, network architecture, and app inventory will determine whether the behavior can be observed and actioned.

Official MITRE ATT&CK definition

Analytic 1682

Defender observes an application establishing recurrent HTTPS or APNS-related communications exhibiting structured cadence, abnormal session persistence, or notification-triggered network bursts inconsistent with user interaction patterns or declared application behavior.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
bedd70c67cd383ae...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle bedd70c67cd3…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1682
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use