AN1705: Analytic 1705
Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as search application packages for strings that correlate to known password store locations. Mobile security products can potentially detect jailbroken devices.
Analyst context for executives and security teams
This analytic is about using mobile application vetting and mobile security checks to reduce iOS risk from apps that may contain known privilege-escalation exploit content or references to sensitive password-store locations, and from devices that may be jailbroken. For leaders, the value is not a single alert; it is assurance that mobile apps and iOS device posture are being assessed before they become a gap in identity, data protection, or incident response readiness.
Executive priority
Prioritize this where iOS devices are used for business access, privileged workflows, or regulated data. The key executive question is whether the organization can prove that risky mobile apps and jailbroken devices are identified before they access sensitive services. This supports control prioritization for mobile security, compliance evidence, and incident decision-making, especially where mobile access is part of identity and remote-work risk.
Technical view
For SOC, mobile security, and IR teams, validate whether iOS application vetting can identify application packages containing known privilege-escalation exploit indicators or strings associated with known password-store locations. Also validate whether mobile security tooling can identify jailbroken iOS devices. Because no ATT&CK detection logic or relationship context is supplied, teams should treat this as a control-validation analytic rather than a ready-to-run detection rule.
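The package-inspection half of this analytic is easy to reason about with a concrete scanner. The block below is an added example written for this page; it is not MITRE's analytic logic or any vetting vendor's code. It treats an .ipa as what it is (a zip archive with a Payload/ directory), walks every member, and reports offsets of indicator strings grouped by category. The indicator lists, the sample package, and the category names are assumptions made for the demonstration: the keychain database path is the well-known on-device location of the iOS keychain store, and the tooling paths are the ones apps commonly check for when doing their own jailbreak detection. Replace them with the indicator content your vetting service actually maintains.

```python
"""Scan an iOS application package (.ipa) for indicator strings.

Added example for this page, not MITRE's or a vendor's vetting logic.
The INDICATORS content and the sample package are assumptions chosen for
demonstration; load your own vetting content in practice.
"""
import io
import re
import zipfile
from collections import defaultdict

# Assumed indicator content, grouped by the finding category it supports.
INDICATORS = {
    # Well-known location of the on-device iOS keychain database.
    "password_store_location": [
        b"/private/var/Keychains/keychain-2.db",
    ],
    # Paths that only exist on jailbroken devices; apps that reference them
    # may be probing for a jailbreak (benign) or relying on one (suspicious).
    "jailbreak_tooling_reference": [
        b"/Applications/Cydia.app",
        b"/Library/MobileSubstrate/MobileSubstrate.dylib",
        b"/usr/sbin/sshd",
        b"/etc/apt",
    ],
}


def iter_members(ipa_bytes):
    """Yield (member name, raw bytes) for every file inside the .ipa zip."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            yield info.filename, zf.read(info.filename)


def scan_ipa(ipa_bytes, indicators=INDICATORS):
    """Return one finding per indicator occurrence, with member and offset."""
    findings = []
    for name, data in iter_members(ipa_bytes):
        for category, patterns in indicators.items():
            for pat in patterns:
                for match in re.finditer(re.escape(pat), data):
                    findings.append({
                        "member": name,
                        "category": category,
                        "indicator": pat.decode(),
                        "offset": match.start(),
                    })
    return findings


def summarize(findings):
    """Count findings per category; this is what feeds a vetting verdict."""
    counts = defaultdict(int)
    for finding in findings:
        counts[finding["category"]] += 1
    return dict(counts)


def build_sample_ipa():
    """Constructed sample package for demonstration; not a real app."""
    fake_binary = (
        b"\xcf\xfa\xed\xfe" + b"\x00" * 28          # Mach-O 64-bit magic, cosmetic
        + b"ordinary string\x00"
        + b"/private/var/Keychains/keychain-2.db\x00"
        + b"/Applications/Cydia.app\x00"
        + b"/usr/sbin/sshd\x00"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payload/Demo.app/Info.plist", "<plist/>")
        zf.writestr("Payload/Demo.app/Demo", fake_binary)
        zf.writestr("Payload/Demo.app/Assets.car", b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    results = scan_ipa(build_sample_ipa())
    for finding in results:
        print(finding)
    print(summarize(results))
```

Two caveats matter when turning this into a control. First, a jailbreak-tooling reference is not proof of malice: many legitimate apps compile in exactly these paths to detect jailbroken devices, so that category is triage input, not a verdict. Second, the scan only sees literal strings; an app that builds a path at runtime or stores it encoded will not match, which is one reason L17's point about keeping vetting content current is not optional.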
Likely telemetry
- Mobile application vetting results for iOS applications
- Application package inspection findings, including suspicious strings or known exploit indicators
- Mobile device posture data indicating jailbreak status
- Mobile security product alerts or compliance states for iOS devices
- Device inventory and application inventory for managed iOS endpoints
Detection direction
- Confirm that application vetting is actually performed for the iOS apps used in the environment, including unmanaged apps where unmanaged-app risk is in scope, not only the officially managed ones.
- Validate that vetting content is maintained for known privilege-escalation exploit indicators and password-store location strings, since stale content can create a false sense of coverage.
- Tune response handling for jailbreak detections to account for authorized testing devices, lab devices, or other approved exceptions.
- Correlate app-vetting findings with device inventory and mobile access policy so detections can inform access decisions and incident triage.
- Document visibility gaps where personal, unmanaged, or partially managed iOS devices are allowed to access business services.
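The correlation, exception-handling, and visibility-gap points above come together in a small join over posture and vetting data. The block below is an added example written for this page, not MITRE content or any MDM or mobile security product's logic. All record layouts (device inventory with a jailbreak flag, per-device app inventory, per-app vetting findings, and an exception register with expiry dates) and the sample records are assumptions constructed for the example; map them to your own tooling's exports. It produces one decision per device and keeps the reasons, including the exception that was applied, so the output doubles as audit evidence.

```python
"""Join app-vetting findings with iOS device posture to drive access decisions.

Added example for this page; not MITRE, MDM, or vendor logic. Record
layouts and sample data are assumptions constructed for the demonstration.
"""
from datetime import date

# Constructed sample data (not real devices, users, or apps).
# jailbroken=None means the device reported no posture telemetry.
DEVICES = [
    {"device_id": "ios-001", "user": "alice", "managed": True, "jailbroken": False},
    {"device_id": "ios-002", "user": "bob", "managed": True, "jailbroken": True},
    {"device_id": "ios-003", "user": "qa-lab", "managed": True, "jailbroken": True},
    {"device_id": "ios-004", "user": "carol", "managed": False, "jailbroken": None},
    {"device_id": "ios-005", "user": "dave", "managed": True, "jailbroken": True},
]
# Per-device installed bundle IDs; unmanaged ios-004 has no inventory at all.
APP_INVENTORY = {
    "ios-001": ["com.example.mail", "com.example.notes"],
    "ios-002": ["com.example.mail"],
    "ios-003": ["com.example.mail", "com.example.notes"],
    "ios-005": ["com.example.mail"],
}
# Output of the vetting pipeline, keyed by bundle ID.
VETTING_FINDINGS = {
    "com.example.notes": [{"category": "password_store_location", "count": 1}],
}
# Approved exceptions for jailbroken devices, with an expiry for audit.
EXCEPTIONS = {
    "ios-003": {"reason": "authorized jailbreak test device", "expires": "2026-12-31"},
    "ios-005": {"reason": "former lab device", "expires": "2025-01-31"},  # expired
}

SEVERITY = {"allow": 0, "visibility_gap": 1, "restrict": 2, "block": 3}


def exception_is_valid(exc, today):
    """An exception counts only while unexpired; expired ones fall through."""
    return exc is not None and date.fromisoformat(exc["expires"]) >= today


def evaluate_device(device, app_inventory, vetting_findings, exceptions, today):
    """Return the most severe decision for one device plus every reason."""
    decision = "allow"
    reasons = []

    def raise_to(level, reason):
        nonlocal decision
        reasons.append(reason)
        if SEVERITY[level] > SEVERITY[decision]:
            decision = level

    # 1. Jailbreak posture, honouring approved and unexpired exceptions.
    dev_id = device["device_id"]
    exc = exceptions.get(dev_id)
    if device["jailbroken"] is None:
        raise_to("visibility_gap", "no jailbreak posture telemetry")
    elif device["jailbroken"] and exception_is_valid(exc, today):
        raise_to("allow", f"jailbroken, covered by exception: {exc['reason']} "
                          f"(expires {exc['expires']})")
    elif device["jailbroken"]:
        raise_to("block", "jailbroken device without valid exception")

    # 2. Installed apps joined with vetting findings.
    apps = app_inventory.get(dev_id)
    if apps is None:
        raise_to("visibility_gap", "no application inventory")
    else:
        for bundle_id in apps:
            for finding in vetting_findings.get(bundle_id, []):
                raise_to("restrict", f"{bundle_id}: {finding['category']} "
                                     f"x{finding['count']}")

    return {"device_id": dev_id, "decision": decision, "reasons": reasons}


def evaluate_fleet(devices, app_inventory, vetting_findings, exceptions, today):
    """Evaluate every device; result is keyed by device_id."""
    return {
        d["device_id"]: evaluate_device(d, app_inventory, vetting_findings,
                                        exceptions, today)
        for d in devices
    }


if __name__ == "__main__":
    for result in evaluate_fleet(DEVICES, APP_INVENTORY, VETTING_FINDINGS,
                                 EXCEPTIONS, date(2026, 6, 1)).values():
        print(result)
```

The design choices worth copying are the ones the bullets above ask for: an exception suppresses only the jailbreak block, never an app finding, and it carries an expiry so a lab device does not stay whitelisted forever; a device with missing posture or inventory data is surfaced as a visibility gap rather than silently allowed; and the reasons list is retained so the decision can be explained during triage or an audit.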
Mitigation priorities
- Establish or validate an iOS application vetting process for apps that can access enterprise data or credentials.
- Use mobile security or device posture controls capable of identifying jailbroken iOS devices where business access is permitted.
- Tie risky app and jailbreak findings to access governance, escalation workflows, and incident response playbooks.
- Maintain exception handling and audit evidence for approved test devices or special-use cases.
- Review mobile access policies if telemetry is unavailable for devices that can reach sensitive services.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for the mobile domain and explicitly names iOS. Its description focuses on application vetting for known privilege-escalation exploit content, strings correlated to known password-store locations, and mobile security product detection of jailbroken devices. No tactics, detection logic, or relationships were supplied, so this take emphasizes defensive validation and governance rather than specific alert engineering.
Official detection content is not provided, and no relationships to techniques, mitigations, malware, tools, or groups were supplied. Local tooling capabilities, device management scope, app inventory, and mobile access policies are required to determine actual coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d5927793432d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1705
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.