{"description": "Mobile techniques mitigated by User Guidance, ATT&CK mitigation M1011 (v1.0)", "name": "User Guidance (M1011)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1626", "showSubtechniques": true}, {"techniqueID": "T1626.001", "comment": "Users should scrutinize every device administration permission request. If the request is not expected or the user does not recognize the application, the application should be uninstalled immediately.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1517", "comment": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to notifications. ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1640", "comment": "Users should be taught that Device Administrator permissions are very dangerous, and very few applications need it.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1429", "comment": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to microphone or audio output. ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1616", "comment": "Users should be encouraged to be very careful with what applications they grant phone call-based permissions to. Further, users should not change their default call handler to applications they do not recognize.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1662", "comment": "Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1521", "showSubtechniques": true}, {"techniqueID": "T1521.003", "comment": "Users should be advised to not trust or install self-signed certificates.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1642", "comment": "Users should be cautioned against granting administrative access to applications.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1627", "comment": "Users should be advised to be extra scrutinous of applications that request location or sensitive phone information permissions, and to deny any permissions requests for applications they do not recognize.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1627.001", "comment": "Users should be advised to be extra scrutinous of applications that request location, and to deny any permissions requests for applications they do not recognize.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1658", "comment": "Users should be wary of iMessages from unknown senders. Additionally, users should be instructed not to open unrecognized links or other attachments in text messages.  ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1541", "comment": "If a user sees a persistent notification they do not recognize, they should uninstall the source application and look for other unwanted applications or anomalies.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1643", "comment": "Users should be advised that applications generally do not require permission to send SMS messages.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1628", "showSubtechniques": true}, {"techniqueID": "T1628.001", "comment": "Users should be shown what a synthetic activity looks like so they can scrutinize them in the future.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1629", "comment": "Providing user guidance around commonly abused features, such as the modal that requests for administrator permissions, should aid in preventing impairing defenses.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1629.001", "comment": "Users should be warned against granting access to accessibility features and device administration services, and to carefully scrutinize applications that request these dangerous permissions. Users should be taught how to boot into safe mode to uninstall malicious applications that may be interfering with the uninstallation process.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1629.003", "comment": "Users should be taught the dangers of rooting or jailbreaking their device.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1630", "comment": "Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1630.001", "comment": "Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1630.002", "comment": "Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1417", "comment": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1417.001", "comment": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1516", "comment": "Users should be warned against granting access to accessibility features, and to carefully scrutinize applications that request this dangerous permission.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1430", "comment": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to location information. Users should also protect their account credentials and enable multi-factor authentication options when available. ", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1430.001", "comment": "Users should protect their account credentials and enable multi-factor authentication options when available. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1655", "comment": "Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1655.001", "comment": "Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1644", "comment": "Users should be instructed to not grant applications unexpected or unnecessary permissions. ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1660", "comment": "Users can be trained to identify social engineering techniques and phishing emails.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1636", "comment": "Users should be taught the danger behind granting unnecessary permissions to an application and should be advised to use extra scrutiny when an application requests them. ", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1636.001", "comment": "Calendar access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their device calendar. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636.002", "comment": "Call Log access an uncommonly needed permission, so users should be instructedto use extra scrutiny when granting access to their call logs. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636.003", "comment": "Contact list access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their contact list. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636.004", "comment": "Access to SMS messages is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their SMS messages. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1663", "comment": "Users should be encouraged to be very careful with granting dangerous permissions, such as device administrator or access to device accessibility.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1458", "comment": "Users should be advised not to use public charging stations or computers to charge their devices. Instead, users should be issued a charger acquired from a trustworthy source. Users should be advised not to click on device prompts to trust attached computers unless absolutely necessary.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1513", "comment": "Users should be advised not to grant consent for screen captures to occur unless expected. Users should avoid enabling USB debugging (Android Debug Bridge) unless explicitly required. ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1451", "comment": "The user should become familiar with social engineering tactics that ask for Personally Identifiable Information (PII). Additionally, the user should include the use of hardware tokens, biometrics, and other non-SMS based authentication mechanisms where possible. Finally, the user should enable SIM swapping protections offered by the mobile carrier, such as setting up a PIN or password to authorize any changes to the account.  ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1582", "comment": "Users should be encouraged to be very careful with what applications they grant SMS access to. Further, users should not change their default SMS handler to applications they do not recognize.(Citation: SMS KitKat)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1418", "comment": "iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1418.001", "comment": "iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1635", "comment": "Users should be instructed to not open links in applications they don\u2019t recognize.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1635.001", "comment": "Users should be instructed to not open links in applications they don\u2019t recognize.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1632", "comment": "Typically, insecure or malicious configuration settings are not installed without the user's consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning). ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1632.001", "comment": "Typically, insecure or malicious configuration settings are not installed without the user's consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning). ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1670", "comment": "Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious applications.  ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "mitigated by User Guidance", "color": "#66b1ff"}]}