AN1743: Analytic 1743
Defender observes an OAuth/OIDC redirect (ACTION_VIEW) resolved to a non-allowlisted handler package (logcat:IntentResolver), followed within a short window by that same package accessing token material via AccountManager/Keystore or reading application token caches under /data/data/
Analyst context for executives and security teams
This analytic matters because it focuses on a mobile identity failure mode: an Android app handling an OAuth/OIDC redirect when it is not on the expected allowlist, followed shortly by access to token-related storage or services. For leaders, the practical risk is not just a suspicious app event; it is potential misuse of mobile authentication flows that could affect account access, session integrity, and incident response decisions around compromised tokens.
Executive priority
Prioritize this where Android devices, mobile apps, or workforce identity flows are material to business operations. The key management question is whether the organization can prove which apps are allowed to handle authentication redirects and whether SOC or mobile security teams can correlate redirect handling with token access events. This supports identity assurance, mobile security governance, incident containment decisions, and compliance evidence around access control monitoring.
Technical view
Validate whether Android telemetry can observe ACTION_VIEW OAuth/OIDC redirects resolved by IntentResolver, identify the handler package, and compare it to an approved allowlist. Then correlate that same package, UID, and profile within a short time window against AccountManager, Keystore, and file access activity involving application token caches under /data/data/<pkg>/(shared_prefs|databases). Because no ATT&CK tactic or relationship context is supplied, treat this as a detection analytic validation task rather than a complete threat scenario.
Likely telemetry
- Android logcat IntentResolver events for ACTION_VIEW OAuth/OIDC redirect handling
- Handler package, UID, user profile, and timestamp metadata
- Allowlist or inventory of approved redirect handler packages
- Android logcat AccountManager events associated with token material access
- Android logcat Keystore events associated with token material access
Detection direction
- Confirm that redirect-handler allowlists exist, are current, and map to the correct Android packages used by approved apps.
- Tune correlation around package, UID, profile, and time proximity rather than relying on either redirect handling or token access alone.
- Review false positives from legitimate app updates, multiple approved apps, work/personal profile separation, and expected token cache reads by the owning application.
- Validate that logcat sources named in the analytic are actually available in the managed Android environment; absence of logcat or file access visibility is a major coverage blind spot.
- Use this analytic to generate investigation leads, then confirm with local device, app, and identity evidence before declaring token acquisition.
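The correlation described in the technical view and detection direction above, worked through as an added example (this is not code from the page, from Glexia, or from MITRE): a non-allowlisted ACTION_VIEW redirect handler becomes a lead only when the same profile and UID touch token material inside a short window. The line format, package names, allowlist, window length and sample events are all constructed for the example; real logcat and file-access telemetry would need their own normalisation into this shape.

```python
"""Correlate non-allowlisted OAuth/OIDC redirect handling with token-material access
by the same package, UID and profile (added example, constructed input)."""
import re
from dataclasses import dataclass

# Assumed allowlist of packages approved to handle OAuth/OIDC redirects (constructed names).
ALLOWED_REDIRECT_HANDLERS = {"com.example.corp.auth"}
# The "short window" between redirect handling and token access; tunable, assumed value.
WINDOW_SECONDS = 60

# Application token caches the analytic names: /data/data/<pkg>/(shared_prefs|databases)/...
TOKEN_CACHE_RE = re.compile(r"^/data/data/(?P<pkg>[A-Za-z0-9_.]+)/(shared_prefs|databases)/")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    ts: int        # epoch seconds
    profile: str   # Android user profile, e.g. u0 (personal) or u10 (work)
    uid: int       # app UID; per profile it identifies the package (sharedUserId apps excepted)
    source: str    # IntentResolver | AccountManager | Keystore | FileAccess
    fields: dict


def parse_line(line):
    """Parse one normalised line. The format is constructed for this example
    ("<epoch> <profile> <uid> <source> k=v k=v ..."), not raw logcat output."""
    parts = line.split(None, 4)
    if len(parts) < 4:
        return None
    ts, profile, uid, source = parts[:4]
    rest = parts[4] if len(parts) == 5 else ""
    return Event(int(ts), profile, int(uid), source, dict(KV_RE.findall(rest)))


def token_access_reason(ev, handler):
    """Return why ev counts as token-material access by handler, or None."""
    if ev.source in ("AccountManager", "Keystore"):
        # Service calls carry the calling package; require it to be the handler.
        return f"{ev.source}:{ev.fields.get('op')}" if ev.fields.get("pkg") == handler else None
    if ev.source == "FileAccess":
        m = TOKEN_CACHE_RE.match(ev.fields.get("path", ""))
        if not m:
            return None
        owner = m.group("pkg")
        # A read of another app's cache is a stronger signal than a read of the handler's own.
        return "token-cache read (own)" if owner == handler else f"token-cache read (cross-app: {owner})"
    return None


def correlate(lines, allowlist=ALLOWED_REDIRECT_HANDLERS, window=WINDOW_SECONDS):
    """Emit one lead per non-allowlisted ACTION_VIEW redirect that is followed, within
    `window` seconds, by token access from the same profile and UID."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    alerts = []
    for i, ev in enumerate(events):
        if ev.source != "IntentResolver" or ev.fields.get("action") != "ACTION_VIEW":
            continue
        handler = ev.fields.get("handler")
        if handler in allowlist:
            continue  # approved handler: redirect handling alone is expected behaviour
        evidence = []
        for later in events[i + 1:]:
            if later.ts - ev.ts > window:
                break  # events are time-ordered, nothing further can be in the window
            if (later.profile, later.uid) != (ev.profile, ev.uid):
                continue  # different profile or UID: not the same app instance
            reason = token_access_reason(later, handler)
            if reason:
                evidence.append({"ts": later.ts, "source": later.source, "reason": reason})
        if evidence:
            alerts.append({"handler": handler, "profile": ev.profile, "uid": ev.uid,
                           "redirect_ts": ev.ts, "evidence": evidence})
    return alerts


# Constructed sample telemetry (not real device output): an approved handler completing a
# login, then an unknown package taking the redirect and touching token material.
SAMPLE_LOG = """\
1700000000 u0 10123 IntentResolver action=ACTION_VIEW uri=https://idp.example/oauth2/callback handler=com.example.corp.auth
1700000004 u0 10123 AccountManager op=getAuthToken pkg=com.example.corp.auth
1700000100 u0 10234 IntentResolver action=ACTION_VIEW uri=https://idp.example/oauth2/callback handler=com.example.unknown.helper
1700000107 u0 10234 FileAccess op=read path=/data/data/com.example.unknown.helper/shared_prefs/tokens.xml
1700000109 u0 10234 Keystore op=getKey pkg=com.example.unknown.helper
1700000112 u10 10234 FileAccess op=read path=/data/data/com.example.unknown.helper/shared_prefs/tokens.xml
1700000500 u0 10234 AccountManager op=getAuthToken pkg=com.example.unknown.helper
"""

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the approved handler's login produces nothing, the work-profile read (u10) is excluded by the profile check, the AccountManager call 400 seconds later falls outside the window, and the unknown handler yields one lead with two pieces of evidence. The profile and UID keys are what keep legitimate app updates and work/personal separation from merging into one actor; the allowlist and window are the two knobs the detection direction says to tune.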
Mitigation priorities
- Maintain an approved inventory of Android applications and packages authorized to handle OAuth/OIDC redirects.
- Harden mobile identity flows so redirect handling is restricted to expected applications where feasible.
- Limit and monitor access to token material through platform-supported AccountManager and Keystore controls.
- Ensure mobile telemetry collection supports correlation across IntentResolver, AccountManager, Keystore, and relevant file I/O events.
- Prepare incident response playbooks for suspected mobile token exposure, including token/session review and containment decisions based on identity evidence.
Analyst notes and limits
The supplied object is a detection analytic for Android in the mobile ATT&CK domain. Its value comes from correlation: a non-allowlisted OAuth/OIDC redirect handler becomes more meaningful when followed by token-material access by the same package, UID, and profile. Detection engineering should focus on whether the required telemetry and allowlist data are present and trustworthy.
The ATT&CK object provides no official detection section, no tactics, and no relationship context. This take does not assert active exploitation, attribution, business impact, or guaranteed detection. Local Android management model, app architecture, telemetry access, and identity provider implementation will determine practical coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 71f2a9cea707… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1743 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.