Skip to content

DET0656 Detection of Steal Application Access Token

Item Value
ID DET0656
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1635 (Steal Application Access Token)

Analytics

Android

AN1743

When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app’s signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks) On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it.

Log Sources
Data Component Name Channel
API Calls (DC0112) Application Vetting None
System Notifications (DC0117) User Interface None
Mutable Elements
Field Description

iOS

AN1744

When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app’s signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks) On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it.

Log Sources
Data Component Name Channel
API Calls (DC0112) Application Vetting None
System Notifications (DC0117) User Interface None
Mutable Elements
Field Description