T1635 Steal Application Access Token
Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering or URI hijacking and typically requires user action to grant access, such as through a system “Open With” dialogue.
Application access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).[2] OAuth is one commonly implemented framework used to issue tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry through OAuth 2.0 using a variety of authorization protocols. An example of a commonly-used sequence is Microsoft’s Authorization Code Grant flow.[4][3] An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested without requiring user credentials.
| Item | Value |
|---|---|
| ID | T1635 |
| Sub-techniques | T1635.001 |
| Tactics | TA0031 |
| Platforms | Android, iOS |
| Version | 1.1 |
| Created | 01 April 2022 |
| Last Modified | 20 March 2023 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1013 | Application Developer Guidance | Developers should use Android App Links[7] and iOS Universal Links[6] to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. Additionally, for OAuth use cases, PKCE[8] should be used to prevent use of stolen authorization codes. |
| M1006 | Use Recent OS Version | iOS 11 introduced a first-come-first-served principle for URIs, allowing only the prior installed app to be launched via the URI.[9] Android 6 introduced App Links. |
| M1011 | User Guidance | Users should be instructed to not open links in applications they don’t recognize. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0041 | Application Vetting | API Calls |
| DS0042 | User Interface | System Notifications |
References
- Android. (n.d.). Handling App Links. Retrieved December 21, 2016.
- Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019.
- Microsoft. (n.d.). Microsoft identity platform and OAuth 2.0 authorization code flow. Retrieved September 12, 2019.
- W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.
- Apple. (n.d.). Universal Links for Developers. Retrieved September 11, 2020.
- Google. (n.d.). Verify Android App Links. Retrieved September 11, 2020.
- N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.
- L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.