attack-stix-data icon indicating copy to clipboard operation
attack-stix-data copied to clipboard
verified publisher icon mitre-attack

Difference between data component "Permissions Request" and "Permissions Requests" in Mobile ATT&CK

Open rubinatorz opened this issue 1 month ago • 1 comments

Hi there,

In the Mobile ATT&CK STIX data there are two similar looking data components:

{
    "type": "x-mitre-data-component",
    "spec_version": "2.1",
    "id": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
    "created": "2023-03-13T20:00:08.487Z",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "revoked": false,
    "external_references": [
        {
            "source_name": "mitre-attack",
            "url": "https://attack.mitre.org/datacomponents/DC0114",
            "external_id": "DC0114"
        }
    ],
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ],
    "modified": "2025-10-21T15:10:28.402Z",
    "name": "Permissions Requests",
    "description": "Permissions declared in an application's manifest or property list file",
    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "x_mitre_deprecated": false,
    "x_mitre_domains": [
        "mobile-attack"
    ],
    "x_mitre_version": "2.0",
    "x_mitre_attack_spec_version": "3.3.0",
    "x_mitre_log_sources": [
        {
            "name": "Application Vetting",
            "channel": "None"
        }
    ]
}

And:

{
    "type": "x-mitre-data-component",
    "spec_version": "2.1",
    "id": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456",
    "created": "2023-03-13T20:47:24.038Z",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "revoked": false,
    "external_references": [
        {
            "source_name": "mitre-attack",
            "url": "https://attack.mitre.org/datacomponents/DC0116",
            "external_id": "DC0116"
        }
    ],
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ],
    "modified": "2025-10-21T15:10:28.402Z",
    "name": "Permissions Request",
    "description": "System prompts triggered when an application requests new or additional permissions",
    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "x_mitre_deprecated": false,
    "x_mitre_domains": [
        "mobile-attack"
    ],
    "x_mitre_version": "2.0",
    "x_mitre_attack_spec_version": "3.3.0",
    "x_mitre_log_sources": [
        {
            "name": "User Interface",
            "channel": "None"
        }
    ]
}

What's the exact difference between the two?

rubinatorz avatar Dec 05 '25 14:12 rubinatorz

Although the names are similar, the two Data Components have different Log Sources: DC0114 has a Log Source of Application Vetting, while DC0116 has a Log Source of User Interface. The Mobile and Defensive teams are working on improving the Mobile detections for a future release. Stay tuned!

jondricek avatar Dec 08 '25 21:12 jondricek