T1635.001 URI Hijacking
Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.
Applications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If an adversary were to register for a URI that was already in use by a genuine application, the adversary may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the adversary to gain access to protected resources.[2][3]
| Item | Value |
|---|---|
| ID | T1635.001 |
| Sub-technique of | T1635 |
| Tactics | TA0031 (Credential Access) |
| Platforms | Android, iOS |
| Version | 1.1 |
| Created | 01 April 2022 |
| Last Modified | 20 March 2023 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1013 | Application Developer Guidance | Developers should use Android App Links[6] and iOS Universal Links[5] to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. Additionally, for OAuth use cases, PKCE[3] should be used so that a stolen authorization code cannot be exchanged for a token without the code verifier held only by the genuine app. |
| M1006 | Use Recent OS Version | iOS 11 introduced a first-come-first-served principle for URIs, allowing only the first-installed app that claims a scheme to be launched via that URI.[2] Android 6 introduced App Links. |
| M1011 | User Guidance | Users should be instructed to not open links in applications they don’t recognize. |
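The interception described in the technique summary and the PKCE mitigation in the table above, as an added worked example that is not part of the ATT&CK page or any vendor's code. It is a self-contained simulation in Python: a minimal in-memory authorization server, a genuine native app that starts the OAuth authorization-code flow, and a second app that has registered the same custom scheme and therefore receives the redirect carrying the code. The scheme `com.example.app://oauth/callback`, the client id `example-native-client` and the server class are assumed stand-ins, not a real provider. Running the flow without PKCE shows the hijacker redeeming the intercepted code for a token; running it with PKCE (RFC 7636, S256) shows the same interception yielding nothing, because the code verifier never left the genuine app's process, while the genuine app's own exchange still succeeds and a replayed code is refused.

```python
"""Added example (not from the ATT&CK page): PKCE versus a URI-hijacking app.
Assumed stand-ins: the custom scheme, the client id and the in-memory server."""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

REDIRECT_URI = "com.example.app://oauth/callback"  # assumed custom scheme: the hijackable binding
CLIENT_ID = "example-native-client"               # assumed public-client identifier


def s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), unpadded (RFC 7636 4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Fresh 256-bit code_verifier (43 URL-safe chars) and its S256 code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, s256(verifier)


class AuthServer:
    """Minimal in-memory authorization server: /authorize issues a code, /token redeems it."""

    def __init__(self, require_pkce: bool) -> None:
        self.require_pkce = require_pkce
        self._pending: dict[str, tuple[str, str, str | None]] = {}  # code -> (client, redirect, challenge)

    def authorize(self, params: dict[str, str]) -> str:
        """Return the redirect URL the OS will hand to whichever app owns the scheme."""
        challenge = params.get("code_challenge")
        if self.require_pkce and (challenge is None or params.get("code_challenge_method") != "S256"):
            raise ValueError("public clients must send an S256 code_challenge")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (params["client_id"], params["redirect_uri"], challenge)
        return f"{params['redirect_uri']}?{urlencode({'code': code, 'state': params['state']})}"

    def token(self, code: str, client_id: str, redirect_uri: str,
              code_verifier: str | None = None) -> str | None:
        """Redeem a code. Any attempt consumes it (RFC 6749 4.1.2: codes are single-use)."""
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        exp_client, exp_redirect, challenge = entry
        if client_id != exp_client or redirect_uri != exp_redirect:
            return None
        if challenge is not None:
            # Only the app that generated the verifier can present a preimage of the stored hash.
            if code_verifier is None or not hmac.compare_digest(s256(code_verifier), challenge):
                return None
        return "access-token-" + secrets.token_hex(8)


def run_flow(require_pkce: bool, hijacked: bool) -> str | None:
    """Genuine app starts the flow; the redirect lands in the genuine app or in a hijacking app."""
    server = AuthServer(require_pkce)
    request = {"response_type": "code", "client_id": CLIENT_ID,
               "redirect_uri": REDIRECT_URI, "state": secrets.token_urlsafe(8)}
    verifier: str | None = None
    if require_pkce:
        verifier, challenge = make_pkce_pair()
        request.update(code_challenge=challenge, code_challenge_method="S256")
    redirect = server.authorize(request)

    # Genuine app and hijacker parse the code from the redirect URL in exactly the same way:
    # a shared custom scheme gives the hijacker everything the genuine app would receive.
    code = parse_qs(urlsplit(redirect).query)["code"][0]
    if hijacked:
        # The hijacker knows client_id and redirect_uri (both ship in the app package) but
        # never saw the verifier, which only existed in the genuine app's process memory.
        return server.token(code, CLIENT_ID, REDIRECT_URI, code_verifier="attacker-guess")
    return server.token(code, CLIENT_ID, REDIRECT_URI, code_verifier=verifier)


def replay_is_rejected() -> bool:
    """Once the genuine app has redeemed a code, an intercepted copy of it is worthless."""
    server = AuthServer(require_pkce=True)
    verifier, challenge = make_pkce_pair()
    redirect = server.authorize({"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                                 "state": "s", "code_challenge": challenge,
                                 "code_challenge_method": "S256"})
    code = parse_qs(urlsplit(redirect).query)["code"][0]
    first = server.token(code, CLIENT_ID, REDIRECT_URI, verifier)
    second = server.token(code, CLIENT_ID, REDIRECT_URI, verifier)
    return first is not None and second is None


if __name__ == "__main__":
    print("no PKCE, hijacked redirect:", run_flow(False, True))   # token leaks to the hijacker
    print("PKCE, hijacked redirect   :", run_flow(True, True))    # None
    print("PKCE, genuine app         :", run_flow(True, False))   # token
    print("replay rejected           :", replay_is_rejected())    # True
```

Two points of the simulation carry over to real deployments. First, the server consumes the code on any exchange attempt, so the worst a hijacker can do once PKCE is enforced is make the genuine app's exchange fail, which the app sees as an ordinary error rather than a compromise. Second, PKCE only protects the authorization code; a server that returns tokens directly in the redirect (the implicit flow) leaks them to the hijacker regardless, which is why RFC 8252[4] pairs PKCE with the authorization-code flow for native apps and why App Links and Universal Links are still needed to stop the interception itself.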
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0041 | Application Vetting | API Calls |
| DS0042 | User Interface | System Notifications |
References
1. Android. (n.d.). Handling App Links. Retrieved December 21, 2016.
2. L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.
3. N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.
4. W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.
5. Apple. (n.d.). Universal Links for Developers. Retrieved September 11, 2020.
6. Google. (n.d.). Verify Android App Links. Retrieved September 11, 2020.