DET0621: Detection of Stored Application Data
Analyst context for executives and security teams
DET0621 is a mobile ATT&CK detection strategy for identifying behavior related to Stored Application Data (T1409): attempts to access and collect application data already resident on Android or iOS devices. The business issue is not just “mobile malware”; it is whether sensitive business data handled by mobile apps is protected when stored on the device, especially where apps use unprotected external storage, insecure internal file permissions, or the device is rooted.
Executive priority
Treat this as a mobile data-protection and visibility question. Leaders should ask whether managed and BYOD mobile devices have enough control evidence to show that business applications do not expose stored data through weak storage practices, insecure permissions, or rooted devices. This is relevant to incident scoping, compliance evidence, mobile app risk reviews, and prioritizing mobile security controls where employees use messaging, email, collaboration, or social applications for business activity.
Technical view
The ATT&CK object provides no official detection logic and no direct platform or tactic fields, but it detects T1409, which is defined for Android and iOS. SOC, IR, and detection teams should validate whether they can observe the three ATT&CK-described enabling conditions: application files stored in unprotected external storage, internal application data directories with insecure permissions such as 777, and devices with root permissions. Detection content should focus on evidence of risky storage locations, permission misconfiguration, and root-state context rather than assuming all access to app data is malicious.
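The posture check described above can be sketched as follows. This is an added example, not ATT&CK or Glexia content and not a behavioral analytic. It assumes file listings in `ls -l` style collected during a mobile app assessment, paths without spaces, and common Android path prefixes; the sample rows and the package name are constructed.

```python
import stat

# Assumed Android path prefixes (not taken from the ATT&CK object).
EXTERNAL_PREFIXES = ("/sdcard/", "/storage/emulated/", "/mnt/sdcard/")
INTERNAL_PREFIXES = ("/data/data/", "/data/user/")

def mode_bits(perm):
    """Convert an ls-style string such as 'drwxrwxrwx' to permission bits."""
    bits = 0
    for i, ch in enumerate(perm[1:10]):
        if ch not in "-ST":  # 'S'/'T' mean the underlying x bit is not set
            bits |= 1 << (8 - i)
    return bits

def review_listing(lines, device_rooted=False):
    """Flag the enabling conditions named above: external storage,
    world-accessible internal app data, and root state."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 2 or len(fields[0]) < 10:
            continue  # not a listing row
        perm, path = fields[0], fields[-1]
        bits = mode_bits(perm)
        if path.startswith(EXTERNAL_PREFIXES):
            findings.append(("external-storage", path, oct(bits)))
        elif path.startswith(INTERNAL_PREFIXES) and bits & (stat.S_IROTH | stat.S_IWOTH):
            findings.append(("world-accessible-internal", path, oct(bits)))
    if device_rooted:
        # Root state is context for triage, not proof of collection.
        findings.append(("rooted-device", "*", None))
    return findings

# Constructed sample rows for a hypothetical package com.example.mail.
SAMPLE = [
    "drwxrwxrwx 2 u0_a123 u0_a123 4096 2024-05-01 10:00 /data/data/com.example.mail/cache",
    "-rw------- 1 u0_a123 u0_a123 8192 2024-05-01 10:00 /data/data/com.example.mail/databases/mail.db",
    "-rw-rw---- 1 root everybody 2048 2024-05-01 10:00 /storage/emulated/0/Download/mail-export.csv",
]

if __name__ == "__main__":
    for finding in review_listing(SAMPLE, device_rooted=True):
        print(finding)
```

Findings of this kind describe risky storage design and device state; they do not by themselves indicate adversary collection.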
Likely telemetry
- Mobile device management or enterprise mobility management inventory and compliance state
- Mobile threat defense or mobile EDR alerts, where deployed
- Device root status or integrity posture
- Application inventory and application risk assessment data
- Mobile application file storage location evidence, especially use of external storage
Detection direction
- Confirm whether mobile security tooling can report rooted devices and preserve that context for SOC triage.
- Validate whether application security testing or mobile app assessments identify use of unprotected external storage and insecure file permissions.
- Tune detections to distinguish risky application storage design from confirmed adversary collection activity; the supplied ATT&CK object does not provide a behavioral analytic.
- Prioritize monitoring and review for applications that handle business communications or data, while recognizing ATT&CK only names popular apps as common targets in the related technique description.
- Account for blind spots: mobile OS sandboxing limits visibility, BYOD privacy restrictions may reduce telemetry, and many environments lack file-level mobile monitoring.
Mitigation priorities
- Start with mobile asset and application inventory so teams know which Android and iOS devices and apps are in scope.
- Enforce or assess controls that identify rooted devices before granting access to business applications or data.
- Review mobile applications for storage of files in unprotected external storage and for insecure internal directory permissions.
- Use mobile app security testing and configuration review as preventive evidence, since the ATT&CK detection strategy itself does not provide a ready-made analytic.
- Ensure incident response procedures include mobile device triage and preservation steps appropriate to the organization’s privacy, legal, and management model.
Analyst notes and limits
This take is based on the DET0621 detection strategy object and its relationship to T1409 Stored Application Data. The strongest decision value is in validating mobile storage security posture and root-state visibility, because the official detection strategy fields do not include a description, detection text, tactics, or platforms.
ATT&CK provides no official detection logic for DET0621 in the supplied fields. Any production detection must be based on local mobile tooling, app assessment data, device management coverage, and legal/privacy constraints. This summary does not assert active exploitation, attribution, or guaranteed coverage.
Detection of Stored Application Data
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1409 | Stored Application Data | This object detects Stored Application Data. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 1258732ec47e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0621
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.