Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1726: Analytic 1726

The defender correlates supervised-device application posture and background execution context with network-side evidence that an app rejects enterprise inspection or performs certificate/public-key-bound trust behavior during TLS establishment. Because direct app-level pin-validation observability is weaker on iOS, the analytic is anchored primarily to network control-plane effects: repeated TLS handshake rejection under enterprise inspection, destination-specific inspection bypass patterns, or persistent opaque app-to-endpoint encrypted sessions inconsistent with baseline app behavior. Additional confidence comes from managed app identity, background execution context, and supervised device policy state.

MobileAN1726AnalyticObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it focuses on iOS apps that may resist enterprise TLS inspection or use certificate/public-key-bound trust behavior, making their encrypted traffic harder for security teams to inspect. For leaders, the practical issue is not simply “pinning exists,” but whether the organization can distinguish expected privacy/security behavior from app traffic patterns that create monitoring blind spots on supervised devices.

Executive priority

Prioritize this as a visibility and assurance question for managed iOS environments. Executives should ask whether mobile security, network inspection, and compliance evidence can show which supervised devices and managed apps are creating repeated TLS inspection failures, destination-specific inspection bypasses, or persistent opaque encrypted sessions inconsistent with normal app behavior. This is especially relevant where mobile devices support regulated workflows, executive communications, or incident response investigations.

Technical view

For SOC and detection teams, validate whether iOS network telemetry can correlate supervised-device state, managed app identity, background execution context, and network control-plane effects. The analytic is anchored to repeated TLS handshake rejection under enterprise inspection, destination-specific bypass patterns, and persistent encrypted app-to-endpoint sessions that differ from baseline behavior. Because the supplied ATT&CK object notes weaker direct app-level observability on iOS and provides no official detection logic, teams should treat this as a correlation and baselining use case rather than a single deterministic alert.

Likely telemetry

  • iOS supervised device inventory and policy state
  • Managed app identity and posture data
  • Mobile device background execution context where available
  • TLS handshake failure or rejection events under enterprise inspection
  • Network inspection bypass logs by destination or application context

Detection direction

  • Validate that TLS inspection infrastructure records repeated handshake rejection and can distinguish inspection failure from general network instability.
  • Baseline expected encrypted destinations and session behavior for managed iOS apps before alerting on opaque or persistent sessions.
  • Correlate network-side events with supervised-device state and managed app identity to reduce false positives from unmanaged devices or approved bypass policies.
  • Review destination-specific inspection bypasses to confirm they are documented, risk-accepted, and not masking unexpected app behavior.
  • Account for iOS observability limits: absence of app-level pin-validation evidence should not be treated as absence of the behavior.

Mitigation priorities

  • Maintain accurate supervised iOS device and managed app inventory so network observations can be tied to accountable assets.
  • Document and govern enterprise TLS inspection bypass policies by app and destination.
  • Use baselining to identify managed apps whose encrypted traffic behavior changes materially over time.
  • Ensure incident response playbooks include mobile device policy state, app identity, and network inspection evidence collection.
  • Where monitoring gaps are accepted, record compensating controls and compliance rationale rather than assuming inspection coverage.
Analyst notes and limits

No tactics, relationships, or official detection logic were supplied for this ATT&CK analytic. The strongest supported interpretation is a defensive correlation strategy for iOS environments where direct app-level certificate pinning visibility is limited and network-side effects provide the primary evidence.

This take is limited to the supplied ATT&CK fields. It does not establish malicious use, attribution, impact, or guaranteed detectability. Local device management, network inspection architecture, app inventory, and approved bypass policies are required to determine relevance and alert quality.

Official MITRE ATT&CK definition

Analytic 1726

The defender correlates supervised-device application posture and background execution context with network-side evidence that an app rejects enterprise inspection or performs certificate/public-key-bound trust behavior during TLS establishment. Because direct app-level pin-validation observability is weaker on iOS, the analytic is anchored primarily to network control-plane effects: repeated TLS handshake rejection under enterprise inspection, destination-specific inspection bypass patterns, or persistent opaque app-to-endpoint encrypted sessions inconsistent with baseline app behavior. Additional confidence comes from managed app identity, background execution context, and supervised device policy state.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
bf8c0aabd3239aa5...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle bf8c0aabd323…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1726
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use