MITRE ATT&CK® Analytic

AN1720: Analytic 1720

From the defender view: an app accesses UIPasteboard contents, sometimes repeatedly, including in background or immediately after another app copies sensitive text. iOS 14+ shows user notifications when pasting cross-app; unified logs reflect pasteboard access, notification, and optional subsequent persistence/exfil. We correlate: pasteboard access → optional cross-app notification → local write (cache/DB) and/or network egress within a short window.

Mobile · AN1720 · Analytic · Object v1.1 · Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because iOS pasteboard access can expose sensitive business data users copy between apps, such as credentials, tokens, customer data, or internal text. The ATT&CK object focuses on a defender pattern: an app reading UIPasteboard contents, sometimes repeatedly, in the background, or shortly after another app copies sensitive text, with possible local storage or network egress soon after. For leaders, the decision value is whether mobile security monitoring and incident response can prove which app accessed copied data and whether that data was retained or transmitted.

Executive priority

Treat this as a mobile privacy and data-loss validation issue for iOS environments. Security leaders should ask whether managed mobile devices provide enough evidence to investigate suspicious pasteboard access, whether risky apps are governed through mobile app controls, and whether incident responders can connect user notifications, device logs, local writes, and network activity into an audit-ready timeline. This is most relevant to mobile security, identity protection, compliance evidence, and executive risk decisions around sensitive data handled on iOS devices.

Technical view

For SOC, detection engineering, and IR teams, validate visibility into iOS 14+ pasteboard notifications and unified logs that may show pasteboard access. The analytic concept is correlation-based: pasteboard access followed by an optional cross-app paste notification, then local persistence such as cache or database writes and/or network egress within a short time window. Because ATT&CK provides no separate official detection text and no relationship context for this object, teams should test this against approved enterprise apps and normal user workflows before treating events as suspicious.

Likely telemetry

  • iOS unified logs related to UIPasteboard access
  • iOS 14+ user notifications for cross-app paste activity
  • Mobile device management or mobile security inventory identifying the accessing app
  • Local app storage indicators such as cache or database writes where available
  • Device or network telemetry showing outbound connections after pasteboard access

Detection direction

  • Validate whether iOS pasteboard access and cross-app paste notifications are actually collected, retained, and searchable for managed devices.
  • Build correlation around short-window sequences: pasteboard access, optional user notification, local write, and/or network egress.
  • Tune for common benign behavior, because many legitimate apps access the pasteboard during normal copy/paste workflows.
  • Prioritize unusual patterns such as repeated access, background access, access immediately after another app copies sensitive text, or access followed by persistence or egress.
  • Document blind spots where unmanaged devices, limited iOS logging, missing network visibility, or lack of local storage access prevent confident triage.
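
The short-window correlation described in the detection direction above, as an added example (not MITRE's or Glexia's detection logic). The event schema, field names, bundle IDs, 30-second window and repeat threshold are all assumptions; real iOS telemetry would first have to be normalized into this shape.

```python
from collections import defaultdict

WINDOW_S = 30          # assumed "short window"; tune per environment
REPEAT_THRESHOLD = 3   # assumed number of reads that counts as "repeated"

# Constructed sample events in a hypothetical normalized schema
# (not real iOS unified log output): ts is seconds, fg is foreground state.
EVENTS = [
    {"ts": 100, "device": "d1", "app": "com.example.notes", "type": "pasteboard_read", "fg": True},
    {"ts": 200, "device": "d1", "app": "com.example.widget", "type": "pasteboard_read", "fg": False},
    {"ts": 201, "device": "d1", "app": "com.example.widget", "type": "paste_notification", "fg": False},
    {"ts": 204, "device": "d1", "app": "com.example.widget", "type": "file_write", "fg": False},
    {"ts": 210, "device": "d1", "app": "com.example.widget", "type": "net_egress", "fg": False},
    {"ts": 500, "device": "d1", "app": "com.example.widget", "type": "net_egress", "fg": False},
    {"ts": 300, "device": "d2", "app": "com.example.mail", "type": "pasteboard_read", "fg": True},
    {"ts": 305, "device": "d2", "app": "com.example.mail", "type": "net_egress", "fg": True},
]

def correlate(events, allowlist=frozenset(), window=WINDOW_S):
    """Return one finding per pasteboard read followed by a write or egress."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["device"], e["app"])].append(e)
    findings = []
    for (device, app), evs in by_key.items():
        if app in allowlist:          # approved enterprise apps, tuned out
            continue
        reads = [e for e in evs if e["type"] == "pasteboard_read"]
        for r in reads:
            after = {e["type"] for e in evs if 0 <= e["ts"] - r["ts"] <= window}
            follow = sorted(after & {"file_write", "net_egress"})
            if not follow:
                continue              # a read alone is normal copy/paste
            nearby = [x for x in reads if abs(x["ts"] - r["ts"]) <= window]
            findings.append({
                "device": device, "app": app, "ts": r["ts"],
                "followed_by": follow,
                "notified": "paste_notification" in after,  # optional signal
                "background": not r["fg"],
                "repeated": len(nearby) >= REPEAT_THRESHOLD,
            })
    return findings
```

The `background` and `repeated` flags are for triage ranking; a finding without them, such as a foreground mail client pasting and then sending, is the benign baseline the allowlist is meant to absorb.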

Mitigation priorities

  • Start with mobile app governance: restrict or review apps allowed on managed iOS devices that handle sensitive business data.
  • Ensure mobile logging, MDM, and network telemetry retention are sufficient for incident reconstruction.
  • Educate users and support teams that iOS paste notifications can be useful investigation signals, not proof of compromise by themselves.
  • For sensitive workflows, reduce unnecessary copy/paste of credentials, tokens, and regulated data where practical.
  • Use incident response playbooks that verify app identity, timing, local persistence, and egress before escalating business impact.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for iOS in the mobile domain. It describes a defender-side correlation pattern but does not provide explicit official detection logic, tactics, aliases, labels, or relationship context. Glexia interpretation therefore emphasizes validation of telemetry, correlation design, and investigation readiness rather than asserting maliciousness.

No active exploitation, attribution, affected organizations, ATT&CK technique relationships, or guaranteed detection coverage are supplied. Local device management, iOS logging availability, user behavior, app inventory, and network visibility will determine whether this analytic is actionable in a specific environment.

Official MITRE ATT&CK definition

Analytic 1720

From the defender view: an app accesses UIPasteboard contents, sometimes repeatedly, including in background or immediately after another app copies sensitive text. iOS 14+ shows user notifications when pasting cross-app; unified logs reflect pasteboard access, notification, and optional subsequent persistence/exfil. We correlate: pasteboard access → optional cross-app notification → local write (cache/DB) and/or network egress within a short window.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: ad1db3ac924c8ae3...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | ad1db3ac924c…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1720

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.