Steal Application Access Token

Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering or URI hijacking and typically requires user action to grant access, such as through a system "Open With" dialogue.

Application access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).[1] OAuth is one commonly implemented framework used to issue tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry through OAuth 2.0 using a variety of authorization protocols. An example of a commonly-used sequence is Microsoft's Authorization Code Grant flow.[2][3] An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested without requiring user credentials.

ID: T1635
Sub-techniques: T1635.001
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
Version: 1.1
Created: 01 April 2022
Last Modified: 20 March 2023

Mitigations

ID Mitigation Description
M1013 Application Developer Guidance

Developers should use Android App Links[4] and iOS Universal Links[5] to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. Additionally, for OAuth use cases, PKCE[6] should be used to prevent use of stolen authorization codes.

M1006 Use Recent OS Version

iOS 11 introduced a first-come-first-served principle for URIs, allowing only the prior installed app to be launched via the URI.[7] Android 6 introduced App Links.

M1011 User Guidance

Users should be instructed to not open links in applications they don’t recognize.
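PKCE is the control M1013 names against stolen authorization codes. The Python below is an added example, not code from the ATT&CK page or any vendor SDK, and uses a toy authorization server constructed here: it implements the RFC 7636 S256 verifier/challenge pair and shows that an app which intercepts the redirect and captures the code, but not the in-memory code_verifier, is refused at the token endpoint.

```python
import base64
import hashlib
import secrets

def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    """Random 43-char verifier; the app keeps it in memory and never puts it in the redirect."""
    return b64url(secrets.token_bytes(32))

def make_code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class ToyAuthorizationServer:
    # Minimal stand-in for a real OAuth authorization server (constructed for this example).
    def __init__(self) -> None:
        self._pending = {}  # authorization code -> S256 code_challenge

    def authorize(self, code_challenge: str) -> str:
        # The challenge travels with the authorization request; the code comes back via
        # the app's redirect URI, which is the hop a URI-hijacking app could intercept.
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        # Codes are single-use: pop so any second presentation (replay) is rejected.
        challenge = self._pending.pop(code, None)
        if challenge is None:
            return None
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return None  # verifier does not hash to the registered challenge
        return "access-token-" + secrets.token_hex(8)

def run_scenario(interceptor_first: bool) -> tuple:
    """Returns (legitimate_app_got_token, interceptor_got_token)."""
    server = ToyAuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))  # legitimate app starts the flow
    # A hijacking app that captured the redirect holds the code but not the verifier,
    # so the best it can do is present the code with a verifier of its own.
    order = ["interceptor", "legit"] if interceptor_first else ["legit", "interceptor"]
    results = {}
    for who in order:
        results[who] = server.token(code, verifier if who == "legit" else make_code_verifier())
    return results["legit"] is not None, results["interceptor"] is not None
```

When the interceptor presents the code first it is still refused, but the single-use code is consumed, so the legitimate app's token request fails too; that visible failure is the user-facing symptom of an intercepted redirect.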

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting API Calls

When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques that ensure an intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking the destination app's signing certificate, or using the App Links feature). For mobile applications using OAuth, encourage use of best practices.[8][9]

DS0042 User Interface System Notifications

On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it.