T1416 URI Hijacking
Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.
Applications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.12
| Item | Value |
|---|---|
| ID | T1416 |
| Sub-techniques | |
| Tactics | TA0031 |
| Platforms | Android, iOS |
| Version | 2.0 |
| Created | 25 October 2017 |
| Last Modified | 01 October 2020 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1013 | Application Developer Guidance | Developers should use Android App Links5 and iOS Universal Links6 to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. Additionally, for OAuth use cases, PKCE2 should be used to prevent use of stolen authorization codes. |
| M1005 | Application Vetting | When vetting applications for potential security weaknesses, the vetting process could look for insecure use of intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app’s signing certificate, or the App Links feature added in Android 6.0). For mobile applications using OAuth, encourage use of best practice.34 |
| M1006 | Use Recent OS Version | iOS 11 introduced a first-come-first-served principle for URIs, allowing only the prior installed app to be launched via the URI.1 |
References
-
L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020. ↩↩
-
N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016. ↩↩
-
W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018. ↩
-
Android. (n.d.). Handling App Links. Retrieved December 21, 2016. ↩
-
Google. (n.d.). Verify Android App Links. Retrieved September 11, 2020. ↩
-
Apple. (n.d.). Universal Links for Developers. Retrieved September 11, 2020. ↩