T1635.001: URI Hijacking

URI Hijacking matters because mobile apps often rely on operating-system URI handling for sign-in and redirection workflows, including single sign-on. If a malicious or unwanted app can register a URI intended for a legitimate app, sensitive authentication material such as OAuth authorization codes or tokens may be exposed, creating a path toward unauthorized access to protected resources and SaaS/cloud applications.

Executive priority

Treat this as a mobile identity and application-security risk, not only a device issue. Leaders should ask whether business-critical Android and iOS apps use secure redirect patterns, whether mobile OS versions are kept current, and whether application teams follow current OAuth/native-app guidance such as PKCE. This is especially relevant for organizations that depend on mobile access to cloud services, SSO, or customer-facing apps, because weak URI handling can undermine identity controls and complicate incident response evidence gathering.

Technical view

For SOC, IR, mobile security, and appsec teams, validate exposure around Android and iOS apps that register URI handlers for authentication or sensitive workflows. ATT&CK does not provide official detection text for this sub-technique, but the relationship to DET0626 indicates a detection strategy exists for URI Hijacking. Engineering review should focus on URI scheme registration, redirect handling, OAuth/native-app flows, and whether protected resources could be accessed if authorization codes or tokens are intercepted. Because this is a sub-technique of Steal Application Access Token, detection and response should be tied to suspicious token use, unexpected app handoff behavior, and mobile app inventory context.

Likely telemetry

Mobile application inventory showing installed apps and registered URI/app-link handling where available
Mobile OS version and patch posture for Android and iOS devices
Application authentication logs for OAuth or SSO flows involving mobile clients
Cloud/SaaS access logs showing token-based access to protected resources
Mobile device management or mobile threat defense events related to risky or suspicious applications

Detection direction

Confirm whether DET0626-style URI Hijacking detection logic is available and mapped to Android and iOS mobile telemetry in the local environment.
Review high-value mobile apps for overlapping or ambiguous URI handler registrations, especially where SSO or OAuth redirects are used.
Correlate mobile sign-in events with unusual token use against protected resources, while recognizing that legitimate app-to-app redirects can create false positives.
Tune investigation playbooks to capture installed app lists, OS version, affected URI schemes, authentication event timelines, and cloud/SaaS access following the redirect.
Do not assume network monitoring alone will expose this behavior; the decisive evidence may sit in mobile device state, app design, identity logs, and user interaction context.

Mitigation priorities

Prioritize application developer guidance for mobile apps that use URI redirects, OAuth, or SSO, including secure native-app OAuth patterns and PKCE where applicable from the cited standards.
Maintain recent Android and iOS versions, since the ATT&CK mitigation relationship notes that newer mobile OS versions can include security architecture improvements and resilience against observed techniques.
Provide user guidance for mobile login prompts, unexpected app handoff behavior, and risky application installation decisions.
Use mobile app inventory and governance to reduce exposure from untrusted or unnecessary applications on devices that access business resources.
Align identity, mobile, and appsec teams so that token theft scenarios are included in incident response and access-revocation procedures.

Analyst notes and limits

This object consolidates prior URL/URI scheme hijacking concepts, including revoked techniques T1415 and T1416, and applies to Android and iOS. Its parent context is Steal Application Access Token, so the most important defensive question is whether URI handling could expose OAuth authorization codes or tokens used to access cloud-based applications, SaaS, or other protected resources.

ATT&CK provides no official detection text and no tactic value for this object. The supplied data supports Android and iOS only. Local confirmation requires app architecture review, mobile telemetry availability, identity logs, and knowledge of which business apps use URI-based authentication or redirection.

Official MITRE ATT&CK definition

URI Hijacking

Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.

Applications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If an adversary were to register for a URI that was already in use by a genuine application, the adversary may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the adversary to gain access to protected resources.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 3 rows

Domain	ID	Name	Relationship / procedure
Mobile	T1416	URI Hijacking	URI Hijacking revoked by this object.
Mobile	T1415	URL Scheme Hijacking	URL Scheme Hijacking revoked by this object.
Mobile	T1635	Steal Application Access Token	This object subtechnique of Steal Application Access Token.

Relationship explorer

All related ATT&CK context

mitigates · Mitigation M1013: Application Developer Guidance Mobile revoked by · Technique T1416: URI Hijacking Mobile mitigates · Mitigation M1011: User Guidance Mobile revoked by · Technique T1415: URL Scheme Hijacking Mobile mitigates · Mitigation M1006: Use Recent OS Version Mobile detects · Detection Strategy DET0626: Detection of URI Hijacking Mobile subtechnique of · Technique T1635: Steal Application Access Token Mobile

Mitigations

Mitigation direction

M1013: Application Developer Guidance

Application Developer Guidance focuses on providing developers with the knowledge, tools, and best practices needed to write secure code, reduce vulnerabilities, and implement secure design principles. By integrating security throughout the software development lifecycle (SDLC), this mitigation aims to prevent the introduction of exploitable weaknesses in applications, systems, and APIs. This mitigation can be implemented through the following measures: Preventing SQL Injection (Secure Coding Practice):

- Implementation: Train developers to use parameterized queries or prepared statements instead of directly embedding user input into SQL queries. - Use Case: A web application accepts user input to search a database. By sanitizing and validating user inputs, developers can prevent attackers from injecting malicious SQL commands.

Cross-Site Scripting (XSS) Mitigation:

- Implementation: Require developers to implement output encoding for all user-generated content displayed on a web page. - Use Case: An e-commerce site allows users to leave product reviews. Properly encoding and escaping user inputs prevents malicious scripts from being executed in other users’ browsers.

Secure API Design:

- Implementation: Train developers to authenticate all API endpoints and avoid exposing sensitive information in API responses. - Use Case: A mobile banking application uses APIs for account management. By enforcing token-based authentication for every API call, developers reduce the risk of unauthorized access.

Static Code Analysis in the Build Pipeline:

- Implementation: Incorporate tools into CI/CD pipelines to automatically scan for vulnerabilities during the build process. - Use Case: A fintech company integrates static analysis tools to detect hardcoded credentials in their source code before deployment.

Threat Modeling in the Design Phase:

- Implementation: Use frameworks like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to assess threats during application design. - Use Case: Before launching a customer portal, a SaaS company identifies potential abuse cases, such as session hijacking, and designs mitigations like secure session management.

**Tools for Implementation**:

- Static Code Analysis Tools: Use tools that can scan for known vulnerabilities in source code. - Dynamic Application Security Testing (DAST): Use tools like Burp Suite or OWASP ZAP to simulate runtime attacks and identify vulnerabilities. - Secure Frameworks: Recommend secure-by-default frameworks (e.g., Django for Python, Spring Security for Java) that enforce security best practices.

M1011: User Guidance

Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.

M1006: Use Recent OS Version

New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.1
Created: Apr 1, 2022, 15:15 UTC (UTC+00:00)
Modified: Oct 24, 2025, 17:48 UTC (UTC+00:00)
Raw hash: fcbfc1de01ed8817...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.1	Oct 24, 2025, 17:48 UTC (UTC+00:00)	Current bundle	`fcbfc1de01ed…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Trend Micro iOS URL Hijacking

L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.
Open source URL
[2]
IETF-PKCE

N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.
Open source URL
[3]
Android-AppLinks

Android. (n.d.). Handling App Links. Retrieved December 21, 2016.
Open source URL
[4]
IETF-OAuthNativeApps

W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.
Open source URL
[5]
mitre-attack T1635.001
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams