Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1738: Analytic 1738

Detects conditional execution by correlating (1) application access to constrained environment signals such as location, locale, network context, device state, or user interaction timing, (2) prolonged inactivity or feature suppression despite available permissions, and (3) abrupt initiation of higher-risk behavior only when the expected target context is present. Because direct observation of some runtime decision logic is weaker on iOS, the defender relies more heavily on lifecycle, sensor, and downstream network effects following target-condition alignment.

MobileAN1738AnalyticObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because some iOS apps or payloads may stay quiet until the device, user, network, location, locale, or timing matches a desired condition. For leaders, the practical risk is not just the eventual behavior, but the false sense of safety created when testing, review, or monitoring sees inactivity while the same app later changes behavior in a target context.

Executive priority

Prioritize this as a mobile detection and assurance problem where iOS devices, mobile apps, or sensitive user populations are in scope. The key decision is whether the organization can prove it collects enough mobile lifecycle, sensor-permission, device-state, and network evidence to distinguish benign context-aware app behavior from suspicious feature suppression followed by higher-risk activity. This is relevant to incident response readiness, mobile security governance, and compliance evidence where mobile access to business systems is material.

Technical view

For SOC, detection engineering, and IR teams, validate whether iOS telemetry can support correlation across three patterns described by the analytic: access to constrained environment signals, prolonged inactivity or feature suppression despite available permissions, and abrupt higher-risk behavior when the expected context appears. Because the object notes weaker direct visibility into runtime decision logic on iOS, detection should emphasize observable lifecycle changes, permission/sensor access patterns, context alignment, and downstream network effects rather than assuming the decision logic itself will be visible.

Likely telemetry

  • iOS application lifecycle events and foreground/background activity
  • Mobile app permission state and use of constrained signals such as location, locale, network context, device state, or interaction timing
  • Device state and user interaction timing evidence where available
  • Network connection metadata and destination changes following context changes
  • Mobile device management or mobile security logs where available

Detection direction

  • Test whether telemetry can correlate context-signal access with later behavior changes, not just alert on either event independently.
  • Tune for abrupt initiation of higher-risk network or application behavior after target-condition alignment, while accounting for legitimate context-aware app features.
  • Review blind spots created by limited iOS visibility into runtime decision logic; prioritize observable lifecycle, sensor, and network effects.
  • Compare behavior across contexts such as location, locale, network environment, and device state to identify suppressed functionality that only appears under specific conditions.
  • Document false-positive drivers from legitimate apps that change functionality based on region, network, permissions, or user interaction patterns.

Mitigation priorities

  • Start by inventorying iOS apps and sensitive mobile use cases where conditional behavior would create business or compliance risk.
  • Ensure mobile logging, MDM/mobile security telemetry, and network metadata are retained long enough to compare inactive periods with later activation.
  • Apply least-privilege review to app permissions for constrained signals such as location and device context where operationally feasible.
  • Include context-variation testing in mobile app assessment and incident response workflows, rather than testing only from one location, network, or device state.
  • Use findings to improve mobile detection runbooks, escalation criteria, and evidence packages for audit or incident review.
Analyst notes and limits

The supplied ATT&CK object is a detection analytic for iOS in the mobile domain. It describes a correlation strategy for conditional execution, but does not provide a separate official detection section, tactics, relationships, malware associations, or procedure examples. The Glexia take therefore focuses on defensive validation and evidence requirements rather than attribution or exploitation claims.

Assessment depends heavily on local iOS telemetry, app inventory, network logging, and the organization’s ability to observe context changes. The object does not specify tactics, related techniques, relationships, or concrete detection logic, so teams must translate the analytic into environment-specific queries and test cases.

Official MITRE ATT&CK definition

Analytic 1738

Detects conditional execution by correlating (1) application access to constrained environment signals such as location, locale, network context, device state, or user interaction timing, (2) prolonged inactivity or feature suppression despite available permissions, and (3) abrupt initiation of higher-risk behavior only when the expected target context is present. Because direct observation of some runtime decision logic is weaker on iOS, the defender relies more heavily on lifecycle, sensor, and downstream network effects following target-condition alignment.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
4bb9e50bcf80bb34...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle 4bb9e50bcf80…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1738
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use