T1635.001 URI Hijacking

Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.

Applications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If an adversary were to register a URI that was already in use by a genuine application, the adversary may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the adversary to gain access to protected resources.[2][3]

| Item | Value |
| --- | --- |
| ID | T1635.001 |
| Sub-techniques | T1635.001 |
| Tactics | TA0031 |
| Platforms | Android, iOS |
| Version | 1.1 |
| Created | 01 April 2022 |
| Last Modified | 20 March 2023 |

Mitigations

| ID | Mitigation | Description |
| --- | --- | --- |
| M1013 | Application Developer Guidance | Developers should use Android App Links[6] and iOS Universal Links[5] to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. Additionally, for OAuth use cases, PKCE[3] should be used to prevent use of stolen authorization codes. |
| M1006 | Use Recent OS Version | iOS 11 introduced a first-come-first-served principle for URIs, allowing only the prior installed app to be launched via the URI.[2] Android 6 introduced App Links. |
| M1011 | User Guidance | Users should be instructed to not open links in applications they don’t recognize. |

Detection

| ID | Data Source | Data Component |
| --- | --- | --- |
| DS0041 | Application Vetting | API Calls |
| DS0042 | User Interface | System Notifications |

References