T1635.001 URI Hijacking
Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.
Applications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If an adversary were to register for a URI that was already in use by a genuine application, the adversary may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the adversary to gain access to protected resources.[2][3]
| Item | Value |
|---|---|
| ID | T1635.001 |
| Sub-techniques | T1635.001 |
| Tactics | TA0031 |
| Platforms | Android, iOS |
| Version | 1.1 |
| Created | 01 April 2022 |
| Last Modified | 20 March 2023 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1013 | Application Developer Guidance | Developers should use Android App Links[6] and iOS Universal Links[5] to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. Additionally, for OAuth use cases, PKCE[3] should be used to prevent use of stolen authorization codes. |
| M1006 | Use Recent OS Version | iOS 11 introduced a first-come-first-served principle for URIs, allowing only the prior installed app to be launched via the URI.[2] Android 6 introduced App Links. |
| M1011 | User Guidance | Users should be instructed to not open links in applications they don't recognize. |
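As an added example that is not part of the ATT&CK page, the PKCE binding (RFC 7636, S256 method) that M1013 recommends, with a constructed stand-in authorization server (`ToyAuthServer`, hypothetical) showing why an authorization code taken from a hijacked redirect URI cannot be redeemed on its own:

```python
import base64
import hashlib
import secrets

def make_verifier(n_bytes=32):
    # RFC 7636 section 4.1: 43-128 unreserved chars; 32 random bytes base64url-encoded gives 43.
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode()

def make_challenge(verifier):
    # S256 method (RFC 7636 section 4.2): BASE64URL(SHA256(ASCII(verifier))), no padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

class ToyAuthServer:
    """Constructed stand-in for an authorization server (hypothetical, not a real library)."""

    def __init__(self):
        self._pending = {}  # code -> (challenge, method)

    def authorize(self, code_challenge, method="S256"):
        # Issue an authorization code and remember the challenge it was bound to.
        code = secrets.token_urlsafe(16)
        self._pending[code] = (code_challenge, method)
        return code

    def token(self, code, code_verifier=None):
        # Codes are single-use: any redemption attempt consumes the code.
        entry = self._pending.pop(code, None)
        if entry is None or code_verifier is None:
            return {"error": "invalid_grant"}
        challenge, method = entry
        if method != "S256" or not secrets.compare_digest(make_challenge(code_verifier), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}

def legitimate_flow(server):
    # The genuine app keeps the verifier in memory and sends only its hash in the request.
    verifier = make_verifier()
    code = server.authorize(make_challenge(verifier))
    return server.token(code, verifier)

def intercepted_code_flow(server):
    # A second app registered for the same redirect URI receives the code from the
    # redirect, but the verifier never crossed the URI, so it can only guess one.
    verifier = make_verifier()
    code = server.authorize(make_challenge(verifier))
    return server.token(code, make_verifier())
```

`legitimate_flow(ToyAuthServer())` returns a bearer token, while `intercepted_code_flow` on the same server returns `invalid_grant`, which is the behaviour a real token endpoint must show for a stolen code.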
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0041 | Application Vetting | API Calls |
| DS0042 | User Interface | System Notifications |
References
1. Android. (n.d.). Handling App Links. Retrieved December 21, 2016.
2. L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.
3. N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.
4. W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.
5. Apple. (n.d.). Universal Links for Developers. Retrieved September 11, 2020.
6. Google. (n.d.). Verify Android App Links. Retrieved September 11, 2020.