URL Scheme Hijacking

An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application[1][2]. This technique, for example, could be used to capture OAuth authorization codes[3] or to phish user credentials[4].

ID: T1415

Tactic Type: Post-Adversary Device Access

Tactic: Credential Access

Platform: iOS

MTC ID: AUT-10

Version: 1.1

Mitigations

| Mitigation | Description |
| --- | --- |
| Application Vetting | Check for potential malicious definitions of URL schemes when vetting applications. Also, when examining apps for potential vulnerabilities, encourage use of universal links as an alternative to URL schemes. When examining apps that use OAuth, encourage use of best practices.[5][6] |
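
One way to carry out the URL scheme check during application vetting, as an added example that is not part of the original page: it reads each app's Info.plist (`CFBundleURLTypes` / `CFBundleURLSchemes`) and reports schemes claimed by more than one bundle or by a bundle other than the expected owner. The bundle identifiers, scheme names and the `expected_owner` map are constructed for illustration.

```python
import plistlib
from collections import defaultdict


def _plist(bundle_id, schemes):
    """Build a constructed Info.plist (sample data, not from any real app)."""
    return plistlib.dumps({
        "CFBundleIdentifier": bundle_id,
        "CFBundleURLTypes": [{"CFBundleURLSchemes": schemes}],
    })


# Constructed sample set: the second app claims the first app's scheme.
SAMPLE_PLISTS = [
    _plist("com.example.bank", ["examplebank"]),
    _plist("com.example.flashlight", ["ExampleBank", "flashlight"]),
    _plist("com.example.notes", ["notes"]),
]


def declared_schemes(info_plist_bytes):
    """Return (bundle id, set of lowercased URL schemes) from an Info.plist."""
    info = plistlib.loads(info_plist_bytes)
    schemes = set()
    for url_type in info.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            schemes.add(scheme.lower())  # schemes are case-insensitive (RFC 3986)
    return info.get("CFBundleIdentifier", "<unknown>"), schemes


def find_scheme_conflicts(plists, expected_owner=None):
    """Map each suspicious scheme to the sorted bundle ids that claim it.

    expected_owner: optional {lowercase scheme: bundle id} allow-list (assumption:
    the vetting team maintains this for the apps it cares about).
    """
    expected_owner = expected_owner or {}
    claims = defaultdict(set)
    for raw in plists:
        bundle_id, schemes = declared_schemes(raw)
        for scheme in schemes:
            claims[scheme].add(bundle_id)
    findings = {}
    for scheme, apps in claims.items():
        owner = expected_owner.get(scheme)
        wrong_owner = owner is not None and any(a != owner for a in apps)
        if len(apps) > 1 or wrong_owner:
            findings[scheme] = sorted(apps)
    return findings
```

A finding is a prompt for manual review rather than proof of malice, since unrelated apps can legitimately pick the same scheme name.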

References