DET0626 Detection of URI Hijacking

| Item | Value |
| --- | --- |
| ID | DET0626 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1635.001 (URI Hijacking)

Analytics

Android

AN1693

When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques that ensure an intent can only be delivered to an appropriate destination (e.g., using explicit rather than implicit intents, permission checking, checking the destination app’s signing certificate, or using the App Links feature). For mobile applications that use OAuth, encourage adherence to best practices. (Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks) On Android, users may be presented with a popup asking them to select the application in which to open the URI. If the user sees an application they do not recognize, they can remove it.
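
An added example, not part of the ATT&CK entry or of any vetting product: one way a vetting step could flag link-reachable intent filters that another app could also claim. It assumes the manifest has already been decoded to text XML, and it treats android:autoVerify="true" as the App Links signal without checking that domain verification actually succeeded; the function name, finding labels and sample manifest are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest (decoded text XML) for a hypothetical app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <application>
  <activity android:name=".OAuthRedirect">
   <intent-filter>
    <action android:name="android.intent.action.VIEW"/>
    <category android:name="android.intent.category.BROWSABLE"/>
    <data android:scheme="examplebank" android:host="oauth"/>
   </intent-filter>
  </activity>
  <activity android:name=".WebLogin">
   <intent-filter>
    <action android:name="android.intent.action.VIEW"/>
    <category android:name="android.intent.category.BROWSABLE"/>
    <data android:scheme="https" android:host="login.example.com"/>
   </intent-filter>
  </activity>
  <activity android:name=".VerifiedLink">
   <intent-filter android:autoVerify="true">
    <action android:name="android.intent.action.VIEW"/>
    <category android:name="android.intent.category.BROWSABLE"/>
    <data android:scheme="https" android:host="app.example.com"/>
   </intent-filter>
  </activity>
 </application>
</manifest>"""

def vet_uri_handlers(manifest_xml):
    """Return (component, scheme, finding) for each URI handler another app could also claim."""
    findings = []
    for comp in ET.fromstring(manifest_xml).iter("activity"):
        for flt in comp.iter("intent-filter"):
            names = {e.get(NS + "name") for e in flt if e.tag in ("action", "category")}
            if not {"android.intent.action.VIEW", "android.intent.category.BROWSABLE"} <= names:
                continue  # not reachable from a link, out of scope for this check
            verified = flt.get(NS + "autoVerify") == "true"  # App Links declaration
            for scheme in sorted({d.get(NS + "scheme") for d in flt.iter("data")} - {None}):
                if scheme not in ("http", "https"):
                    findings.append((comp.get(NS + "name"), scheme, "custom-scheme"))
                elif not verified:
                    findings.append((comp.get(NS + "name"), scheme, "unverified-web-link"))
    return findings

if __name__ == "__main__":
    print(*vet_uri_handlers(SAMPLE), sep="\n")
```

A "custom-scheme" finding on an OAuth redirect handler is the case the cited native-app OAuth guidance addresses; the verified https filter produces no finding.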

Log Sources
| Data Component | Name | Channel |
| --- | --- | --- |
| API Calls (DC0112) | Application Vetting | None |
| System Notifications (DC0117) | User Interface | None |

Mutable Elements
Field Description

iOS

AN1694

When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques that ensure an intent can only be delivered to an appropriate destination (e.g., using explicit rather than implicit intents, permission checking, checking the destination app’s signing certificate, or using the App Links feature). For mobile applications that use OAuth, encourage adherence to best practices. (Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks) On Android, users may be presented with a popup asking them to select the application in which to open the URI. If the user sees an application they do not recognize, they can remove it.

Log Sources
| Data Component | Name | Channel |
| --- | --- | --- |
| API Calls (DC0112) | Application Vetting | None |
| System Notifications (DC0117) | User Interface | None |

Mutable Elements
Field Description