Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1688: Analytic 1688

Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate. Application vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common. On both Android and iOS, the user must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. The user can see registered VPN services in the device settings.

MobileAN1688AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN1688 is an iOS mobile detection analytic focused on two practical warning signs: mobile security products may identify rogue Wi‑Fi activity when traffic decryption is attempted with an untrusted SSL certificate, and application vetting should closely review apps that request VPN access. For leaders, the value is not the analytic name itself; it is whether the organization can see when mobile users are being pushed through untrusted network paths or unusual VPN-capable apps.

Executive priority

Treat this as a mobile security and assurance coverage question. Security leaders should ask whether iOS app vetting flags VPN access requests, whether mobile security tooling can surface untrusted SSL certificate conditions tied to suspicious Wi‑Fi behavior, and whether responders know how to verify registered or active VPN services on devices. This supports business continuity and compliance evidence by showing that mobile network interception and unusual VPN capabilities are not ignored blind spots.

Technical view

This object is scoped to iOS and has no ATT&CK tactic or official detection logic supplied. SOC, mobile security, and IR teams should validate whether mobile security products generate alerts for untrusted SSL certificates in suspected rogue Wi‑Fi scenarios, and whether application vetting workflows identify and heavily scrutinize applications requesting VPN access. IR playbooks should include checking device settings for registered VPN services and confirming whether a VPN indicator is active in the status bar when relevant.

Likely telemetry

  • Mobile security product alerts involving untrusted SSL certificates
  • Application vetting records showing apps that request VPN access
  • Device settings evidence of registered VPN services
  • User or responder observations of active VPN status indicators on iOS devices

Detection direction

  • Validate that mobile security tooling can surface untrusted SSL certificate events relevant to suspected rogue Wi‑Fi access points.
  • Review app vetting criteria so VPN access requests are rare, explainable, and escalated for scrutiny.
  • Tune review processes to avoid treating all VPN-capable apps as malicious; business-approved VPN use may be legitimate.
  • Account for blind spots where users approve VPN access or encounter certificate warnings outside centrally monitored workflows.
  • Because no official detection logic is provided, convert this analytic into local test cases based on available iOS mobile security and app vetting data.

Mitigation priorities

  • Maintain a clear allow/approval process for applications that require VPN functionality.
  • Scrutinize new or unexpected iOS applications requesting VPN access during application vetting.
  • Ensure users and responders know where to verify registered VPN services and active VPN indicators on the device.
  • Investigate untrusted SSL certificate alerts in mobile contexts where rogue Wi‑Fi is plausible.
  • Document mobile security and app vetting evidence for audit, incident review, and control validation.
Analyst notes and limits

The supplied object is a detection analytic, not a technique, and no relationship context is provided. The official description emphasizes mobile security products, application vetting, user consent for VPN functionality, visible VPN indicators, and device settings review. Glexia’s interpretation is therefore focused on coverage validation and response readiness rather than attribution or threat activity.

No official detection logic, tactics, related techniques, adversary relationships, or implementation details were supplied. The object platform is iOS, although the description also mentions Android generally. Local tooling capabilities and device management visibility determine whether this analytic can be operationalized.

Official MITRE ATT&CK definition

Analytic 1688

Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate. Application vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common. On both Android and iOS, the user must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. The user can see registered VPN services in the device settings.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
1a7723daf8dff080...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 1a7723daf8df…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1688
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use