URL Scheme Hijacking

An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application[1][2]. This technique, for example, could be used to capture OAuth authorization codes[3] or to phish user credentials[4].

ID: T1415
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Credential Access
Platforms: iOS
Version: 1.1
Created: 25 October 2017
Last Modified: 03 February 2019


Mitigation: Application Vetting
Description: Check for potentially malicious URL scheme definitions when vetting applications. Also, when examining apps for potential vulnerabilities, encourage the use of universal links as an alternative to URL schemes. When examining apps that use OAuth, encourage the use of best practices.[5][6]
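
One way to run the URL scheme check during app vetting, shown as an added example that is not part of the original page: it reads each app's Info.plist, collects the schemes declared under `CFBundleURLTypes` / `CFBundleURLSchemes`, and flags apps that claim a scheme expected to belong to another bundle ID or that collide with each other. The `KNOWN_OWNERS` allowlist, the bundle IDs and the schemes are constructed sample values.

```python
import plistlib
from collections import defaultdict

# Assumed allowlist: scheme -> bundle ID expected to own it (constructed values).
KNOWN_OWNERS = {"examplebank": "com.example.bank", "exampleauth": "com.example.auth"}

def claimed_schemes(info_plist_bytes):
    """Return (bundle_id, set of lowercased URL schemes) from Info.plist bytes."""
    info = plistlib.loads(info_plist_bytes)
    schemes = set()
    for url_type in info.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            schemes.add(scheme.lower())  # URL schemes are case-insensitive
    return info.get("CFBundleIdentifier", "<unknown>"), schemes

def vet(plists, known_owners=KNOWN_OWNERS):
    """Return findings as (kind, scheme, [bundle_ids]) tuples, sorted by scheme."""
    claims = defaultdict(set)
    for raw in plists:
        bundle_id, schemes = claimed_schemes(raw)
        for scheme in schemes:
            claims[scheme].add(bundle_id)
    findings = []
    for scheme, bundles in sorted(claims.items()):
        owner = known_owners.get(scheme)
        if owner is not None:
            # Any claimant other than the expected owner needs manual review.
            foreign = sorted(bundles - {owner})
            if foreign:
                findings.append(("claims-known-scheme", scheme, foreign))
        elif len(bundles) > 1:
            # Unknown scheme claimed by several apps in the same vetting batch.
            findings.append(("collision", scheme, sorted(bundles)))
    return findings

def _plist(bundle_id, schemes):
    """Build a constructed Info.plist for the sample batch."""
    return plistlib.dumps({"CFBundleIdentifier": bundle_id,
                           "CFBundleURLTypes": [{"CFBundleURLSchemes": schemes}]})

# Constructed sample batch of apps under review.
SAMPLES = [
    _plist("com.example.bank", ["examplebank"]),
    _plist("com.example.flashlight", ["ExampleBank", "flashlight"]),
    _plist("com.example.notes", ["notes"]),
    _plist("com.example.memo", ["notes"]),
]

if __name__ == "__main__":
    for finding in vet(SAMPLES):
        print(finding)
```

A finding is a prompt for manual review rather than proof of malice, since legitimate apps can declare overlapping schemes.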