Skip to content

T1417 Input Capture

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Keylogging) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. GUI Input Capture).

Item Value
ID T1417
Sub-techniques T1417.001, T1417.002
Tactics TA0035, TA0031
Platforms Android, iOS
Version 2.3
Created 25 October 2017
Last Modified 20 March 2023

Mitigations

ID Mitigation Description
M1012 Enterprise Policy When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.1 An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android’s accessibility features.
M1006 Use Recent OS Version The HIDE_OVERLAY_WINDOWS permission was introduced in Android 12 allowing apps to hide overlay windows of type TYPE_APPLICATION_OVERLAY drawn by other apps with the SYSTEM_ALERT_WINDOW permission, preventing other applications from creating overlay windows on top of the current application.2
M1011 User Guidance Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.

Detection

ID Data Source Data Component
DS0041 Application Vetting Permissions Requests
DS0042 User Interface System Settings

References

  1. Samsung. (2019, August 16). 3rd party keyboards must be whitelisted.. Retrieved September 1, 2019. 

  2. Google. (2022, April 4). Features and APIs Overview. Retrieved April 5, 2022.