DET0626: Detection of URI Hijacking
URI hijacking matters because mobile apps often rely on URI redirects for workflows such as single sign-on and app-to-app handoffs. If a malicious or unaut...
Analyst context for executives and security teams
URI hijacking matters because mobile apps often rely on URI redirects for workflows such as single sign-on and app-to-app handoffs. If a malicious or unauthorized app can register the same URI pattern as a legitimate app, sensitive redirect data may be intercepted. For leaders, the practical issue is whether mobile app security, identity flows, and SOC processes can prove that redirect handling is controlled and monitored.
Executive priority
Prioritize this as a mobile identity and application assurance concern, especially where Android or iOS apps support authentication redirects or other sensitive app-link workflows. The key business questions are: which mobile apps depend on URI-based redirects, whether ownership and uniqueness of those handlers are validated, and whether incident responders can investigate suspected interception of mobile authentication or data handoff events.
Technical view
ATT&CK provides this as a detection strategy for the mobile technique T1635.001, URI Hijacking, but does not provide official detection logic, tactics, or platforms on the detection-strategy object itself. Detection and validation should therefore be driven by the related technique context: Android and iOS applications registering URI handlers that could intercept redirects intended for a genuine app. SOC, mobile security, and IR teams should inventory registered URI schemes/app links, review mobile application configuration and signing/ownership controls, and validate whether mobile authentication redirects generate logs that can support investigation.
Likely telemetry
- Mobile application manifest, entitlement, or configuration data showing registered URI schemes, app links, or universal links
- Mobile device management or enterprise mobility inventory of installed applications on Android and iOS devices
- Mobile application security testing results for redirect and deep-link handling
- Identity provider and single sign-on redirect logs where mobile URI callbacks are used
- Mobile app runtime, crash, or security telemetry that can indicate unexpected redirect handling
Detection direction
- Confirm which business-critical mobile apps use URI-based redirects, especially for authentication or sensitive data handoff.
- Validate whether multiple applications can claim the same URI scheme or redirect target in the supported mobile environments.
- Tune detections around unexpected or newly installed applications registering handlers associated with enterprise apps or identity flows.
- Correlate identity-provider redirect events with mobile device and application inventory where available; gaps here are a common blind spot.
- Account for false positives from legitimate companion apps, test builds, regional app variants, or recently changed mobile app configurations.
Mitigation priorities
- Inventory mobile apps and authentication flows that depend on URI redirects before selecting controls.
- Strengthen mobile app governance around deep links, app links, universal links, signing, and release validation.
- Use enterprise mobility controls to reduce unauthorized or unmanaged applications on devices that access sensitive business apps.
- Include URI/deep-link abuse cases in mobile application security testing and pre-release review.
- Ensure identity and incident response teams can obtain the logs needed to reconstruct mobile redirect flows during an investigation.
Analyst notes and limits
This take is based on MITRE detection strategy DET0626 and its relationship to T1635.001 URI Hijacking in the mobile ATT&CK domain. The relationship provides the useful defensive context: URI registration can allow an adversary-controlled application to intercept data intended for a legitimate mobile application. Local app architecture and identity-flow design determine materiality.
The supplied detection-strategy object has no official description, no official detection guidance, no tactics, and no platforms specified. Android and iOS are supported only through the related URI Hijacking technique. No claim is made about active exploitation, actor attribution, customer exposure, or guaranteed detection coverage.
Detection of URI Hijacking
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1635.001 | URI Hijacking Sub-technique | This object detects URI Hijacking. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 8473e824d612… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0626Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.