MITRE ATT&CK® Analytic

AN1757: Analytic 1757

Mobile security products can potentially detect jailbroken devices. Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.

Domain: Mobile | ID: AN1757 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic asks whether an organization can identify jailbroken iOS devices, and applications that carry known privilege-escalation exploits or strings referencing known password-store locations. For leaders, the practical issue is mobile trust: if corporate access depends on iOS device integrity, security teams need evidence that compromised or risky devices and apps can be identified before they become an access, data-protection, or compliance problem.

Executive priority

Prioritize this where iOS devices are used for business access, privileged workflows, regulated data, or executive communications. The decision value is not simply “can a tool detect jailbreaks,” but whether mobile security, application vetting, identity access policy, and incident response processes agree on what happens when a device or app is flagged. Leaders should ask whether mobile-device integrity is part of access decisions, audit evidence, and incident triage, and whether unmanaged or lightly managed iOS devices create a blind spot.

Technical view

ATT&CK supplies this as a mobile iOS detection analytic with no specific tactic, detection logic, or relationship context. SOC, mobile security, and IR teams should validate that mobile security products can report jailbroken iOS devices and that application vetting can inspect app packages for known privilege-escalation exploits and strings associated with known password-store locations. Because the official detection field is not provided, teams should treat this as a coverage-validation prompt rather than a ready-to-deploy detection rule.
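As an added illustration of the application-vetting step described above (example code written for this page, not Glexia's, MITRE's, or any vendor's tooling), the following Python builds a constructed IPA-shaped archive in memory and scans the Mach-O payload for strings from an indicator list. The list is illustrative and an assumption of the example: it pairs the iOS keychain database path with a password-store-location label and two well-known jailbreak artifacts with a jailbreak-related label. It carries no exploit signatures, which a real vetting service would supply, and jailbreak-related strings also appear in benign jailbreak-detection code, so those hits are a triage lead rather than proof of an exploit.

```python
import io
import re
import zipfile

# Illustrative indicator list for static IPA inspection. These entries are an
# assumption of this example, not an official ATT&CK or vendor list. Substring
# matching means "/var/Keychains/keychain-2.db" also catches the
# "/private/var/..." form of the same path.
INDICATORS = {
    "/var/Keychains/keychain-2.db": "password-store-location",
    "/Library/MobileSubstrate/MobileSubstrate.dylib": "jailbreak-related",
    "/Applications/Cydia.app": "jailbreak-related",
}

# Only members under Payload/<App>.app/ are scanned; signatures, metadata and
# other archive members are skipped.
PAYLOAD_RE = re.compile(r"^Payload/[^/]+\.app/")
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{6,}")


def extract_strings(blob: bytes):
    """Yield printable ASCII runs of six or more bytes, as `strings` would."""
    for m in PRINTABLE_RE.finditer(blob):
        yield m.group().decode("ascii")


def scan_ipa(ipa_bytes: bytes):
    """Return sorted (member, indicator, category) hits for an IPA archive."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not PAYLOAD_RE.match(info.filename):
                continue
            blob = zf.read(info.filename)
            for s in extract_strings(blob):
                for indicator, category in INDICATORS.items():
                    if indicator in s:
                        findings.add((info.filename, indicator, category))
    return sorted(findings)


def build_sample_ipa() -> bytes:
    """Constructed IPA-shaped zip for the demo; not a real application."""
    binary = (
        b"\xcf\xfa\xed\xfe"            # Mach-O 64-bit magic, then filler
        + b"\x00" * 32
        + b"SELECT * FROM genp\x00"    # benign-looking SQL, no indicator
        + b"/private/var/Keychains/keychain-2.db\x00"
        + b"\x00" * 8
        + b"/Library/MobileSubstrate/MobileSubstrate.dylib\x00"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Demo.app/Info.plist", "<plist/>")
        zf.writestr("Payload/Demo.app/Demo", binary)
        # Outside Payload/, so ignored even though it contains an indicator.
        zf.writestr("META-INF/notes.txt", "/var/Keychains/keychain-2.db")
    return buf.getvalue()


if __name__ == "__main__":
    for member, indicator, category in scan_ipa(build_sample_ipa()):
        print(f"{category:24} {member}: {indicator}")
```

Running it reports two hits on Payload/Demo.app/Demo, one per category; the META-INF member is not scanned. Pointing `scan_ipa` at a real IPA works unchanged, but any indicator list used in production should be one the vetting team maintains, with the jailbreak-related entries reviewed against the app's declared purpose before they are treated as findings.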

Likely telemetry

  • Mobile security or mobile threat defense alerts for jailbroken iOS devices
  • MDM or device compliance status for iOS integrity posture where available
  • Application vetting results for known privilege-escalation exploit content
  • Static application package inspection findings, including strings correlated with known password-store locations
  • Identity or access-control logs showing whether device compliance influences access decisions

Detection direction

  • Confirm which iOS populations are covered: managed, unmanaged, BYOD, contractor, and executive devices may differ materially.
  • Validate that jailbreak detections are surfaced to SOC or mobile operations workflows with enough device, user, app, and timestamp context for triage.
  • Test whether application vetting findings are retained and actionable, especially for privilege-escalation indicators and sensitive-location string matches.
  • Tune response procedures to distinguish confirmed compromise indicators from policy exceptions, testing devices, research devices, or incomplete enrollment states.
  • Check for blind spots where access is granted without current device-integrity evidence or where mobile alerts do not correlate with identity and access logs.
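As an added example that is not part of the original page or of any vendor product, the Python below runs the blind-spot, staleness and exception checks listed above over constructed JSON-lines samples: a device-integrity feed as a mobile threat defense or MDM product might emit it, and an identity sign-in feed that carries a device identifier. The field names, the 24-hour freshness window and the approved-exception list are assumptions of the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample telemetry for this example; not real MTD, MDM or IdP
# output. Field names (ts, device_id, status, id, user, app) are assumptions.
DEVICE_INTEGRITY_LOG = """
{"ts": "2024-05-01T08:00:00Z", "device_id": "ios-exec-01", "status": "compliant"}
{"ts": "2024-05-01T09:30:00Z", "device_id": "ios-exec-01", "status": "jailbroken"}
{"ts": "2024-04-28T10:00:00Z", "device_id": "ios-byod-07", "status": "compliant"}
{"ts": "2024-05-01T07:00:00Z", "device_id": "ios-research-01", "status": "jailbroken"}
"""

SIGNIN_LOG = """
{"id": "s1", "ts": "2024-05-01T09:00:00Z", "user": "cfo@example.com", "device_id": "ios-exec-01", "app": "mail"}
{"id": "s2", "ts": "2024-05-01T10:00:00Z", "user": "cfo@example.com", "device_id": "ios-exec-01", "app": "finance-portal"}
{"id": "s3", "ts": "2024-05-01T10:15:00Z", "user": "contractor@example.com", "device_id": "ios-byod-07", "app": "mail"}
{"id": "s4", "ts": "2024-05-01T10:20:00Z", "user": "analyst@example.com", "device_id": "ios-research-01", "app": "wiki"}
{"id": "s5", "ts": "2024-05-01T10:30:00Z", "user": "intern@example.com", "device_id": null, "app": "mail"}
{"id": "s6", "ts": "2024-05-01T10:40:00Z", "user": "dev@example.com", "device_id": "ios-unknown-99", "app": "git"}
"""

# Assumed policy knobs: how fresh integrity evidence must be, and which devices
# are approved exceptions (research or test devices expected to be jailbroken).
MAX_EVIDENCE_AGE = timedelta(hours=24)
APPROVED_EXCEPTIONS = {"ios-research-01": "mobile research lab device"}


def parse_jsonl(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def latest_report_before(reports, device_id, when):
    """Most recent integrity report for device_id at or before `when`, else None."""
    candidates = [r for r in reports
                  if r["device_id"] == device_id and parse_ts(r["ts"]) <= when]
    return max(candidates, key=lambda r: parse_ts(r["ts"]), default=None)


def review_signins(device_log=DEVICE_INTEGRITY_LOG, signin_log=SIGNIN_LOG,
                   max_age=MAX_EVIDENCE_AGE, exceptions=APPROVED_EXCEPTIONS):
    """Map each sign-in id to a (verdict, triage reason) pair."""
    reports = parse_jsonl(device_log)
    verdicts = {}
    for s in parse_jsonl(signin_log):
        when = parse_ts(s["ts"])
        device = s.get("device_id")
        if not device:
            verdicts[s["id"]] = ("blind-spot", "sign-in carries no device identifier")
            continue
        report = latest_report_before(reports, device, when)
        if report is None:
            verdicts[s["id"]] = ("blind-spot", f"no integrity evidence for {device} before sign-in")
        elif report["status"] == "jailbroken":
            if device in exceptions:
                verdicts[s["id"]] = ("policy-exception", f"{device}: {exceptions[device]}")
            else:
                verdicts[s["id"]] = ("compromised-device", f"{device} reported jailbroken at {report['ts']}")
        elif when - parse_ts(report["ts"]) > max_age:
            age = when - parse_ts(report["ts"])
            verdicts[s["id"]] = ("stale-evidence", f"last report for {device} is {age} old")
        else:
            verdicts[s["id"]] = ("ok", f"{device} {report['status']} at {report['ts']}")
    return verdicts


if __name__ == "__main__":
    for sid, (verdict, reason) in review_signins().items():
        print(f"{sid} {verdict:20} {reason}")
```

On the sample data, the second executive sign-in lands after the device was reported jailbroken and is flagged, the contractor's BYOD device has only a three-day-old report and is flagged as stale, the research device is recorded as a policy exception rather than a compromise, and the two sign-ins with no usable device evidence surface as blind spots. The same join, run against the real feeds, is what the last bullet above asks teams to verify.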

Mitigation priorities

  • Define policy for how jailbroken iOS devices affect corporate access, especially for sensitive applications and privileged users.
  • Use mobile security or MDM compliance controls where available to enforce or alert on device-integrity failures.
  • Apply application vetting before approving internally developed, third-party, or sideloaded applications for business use.
  • Integrate mobile findings with SOC and IR workflows so device-risk events can trigger containment, user notification, and access review.
  • Maintain compliance evidence showing mobile integrity checks, app vetting outcomes, exceptions, and remediation decisions.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a technique description. It identifies iOS as the platform and describes potential detection through mobile security products and application vetting services. No tactics, relationships, or official detection logic are supplied, so the strongest use is as a validation checklist for mobile detection coverage and access-governance readiness.

This take uses only the supplied official fields and references. It does not establish active exploitation, adversary attribution, guaranteed detection, or applicability beyond iOS. Local tooling, enrollment model, telemetry retention, and access-control architecture determine whether this analytic is operationally useful.

Official MITRE ATT&CK definition

Analytic 1757

Mobile security products can potentially detect jailbroken devices. Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: a7c052124102fcb5...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  a7c052124102…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1757 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.