2017-11-13 09:08:48 -05:00
{
2018-10-23 10:22:31 -04:00
"type" : "bundle" ,
2026-04-27 15:19:48 -04:00
"id" : "bundle--051cb9b8-8321-4b67-ba18-c68cc13fcfca" ,
2018-10-23 10:22:31 -04:00
"spec_version" : "2.0" ,
2017-11-13 09:08:48 -05:00
"objects" : [
{
2022-07-07 10:13:21 -05:00
"type" : "attack-pattern" ,
2025-04-21 21:48:43 -05:00
"id" : "attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e" ,
2022-07-07 10:13:21 -05:00
"created" : "2017-10-25T14:48:17.533Z" ,
"created_by_ref" : "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" ,
2021-11-10 11:45:33 -05:00
"revoked" : true ,
2017-11-13 09:08:48 -05:00
"external_references" : [
{
2025-10-27 14:36:06 -04:00
"source_name" : "mitre-attack" ,
2021-04-30 11:00:10 -04:00
"url" : "https://attack.mitre.org/techniques/T1415" ,
"external_id" : "T1415"
2017-11-13 09:08:48 -05:00
} ,
{
2021-04-29 09:02:49 -04:00
"source_name" : "FireEye-Masque2" ,
2021-04-30 11:00:10 -04:00
"description" : "Hui Xue, Tao Wei, Yulong Zhang, Song Jin, Zhaofeng Chen. (2015, February 19). IOS MASQUE ATTACK REVIVED: BYPASSING PROMPT FOR TRUST AND APP URL SCHEME HIJACKING. Retrieved December 21, 2016." ,
2019-10-24 08:50:11 -04:00
"url" : "https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html"
2017-11-13 09:08:48 -05:00
} ,
{
2025-10-27 14:36:06 -04:00
"source_name" : "MobileIron-XARA" ,
"description" : "Michael T. Raggo. (2015, October 1). iOS URL Scheme Hijacking (XARA) Attack Analysis and Countermeasures. Retrieved December 21, 2016." ,
"url" : "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures"
2017-11-13 09:08:48 -05:00
} ,
{
2021-04-29 09:02:49 -04:00
"source_name" : "IETF-PKCE" ,
2021-04-30 11:00:10 -04:00
"description" : "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016." ,
2019-10-24 08:50:11 -04:00
"url" : "https://tools.ietf.org/html/rfc7636"
2017-11-13 09:08:48 -05:00
} ,
{
2025-10-27 14:36:06 -04:00
"source_name" : "Dhanjani-URLScheme" ,
"description" : "Nitesh Dhanjani. (2010, November 8). Insecure Handling of URL Schemes in Apple\u2019s iOS. Retrieved December 21, 2016." ,
"url" : "http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html"
} ,
{
"source_name" : "NIST Mobile Threat Catalogue" ,
"url" : "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html" ,
"external_id" : "AUT-10"
2017-11-13 09:08:48 -05:00
}
] ,
2025-04-21 21:48:43 -05:00
"object_marking_refs" : [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
] ,
2025-10-27 14:36:06 -04:00
"modified" : "2025-09-08T16:36:02.126Z" ,
2022-07-07 10:13:21 -05:00
"name" : "URL Scheme Hijacking" ,
"description" : "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application(Citation: FireEye-Masque2)(Citation: Dhanjani-URLScheme). This technique, for example, could be used to capture OAuth authorization codes(Citation: IETF-PKCE) or to phish user credentials(Citation: MobileIron-XARA)." ,
"kill_chain_phases" : [
{
"kill_chain_name" : "mitre-mobile-attack" ,
"phase_name" : "credential-access"
}
] ,
2025-10-27 14:36:06 -04:00
"x_mitre_attack_spec_version" : "3.3.0" ,
2025-05-06 07:57:26 -05:00
"x_mitre_deprecated" : false ,
2025-04-21 21:48:43 -05:00
"x_mitre_domains" : [
"mobile-attack"
] ,
2025-05-06 07:57:26 -05:00
"x_mitre_is_subtechnique" : false ,
2022-07-07 10:13:21 -05:00
"x_mitre_modified_by_ref" : "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" ,
2025-04-21 21:48:43 -05:00
"x_mitre_platforms" : [
"iOS"
] ,
"x_mitre_version" : "1.1" ,
2022-07-07 10:13:21 -05:00
"x_mitre_tactic_type" : [
"Post-Adversary Device Access"
2025-05-06 07:57:26 -05:00
]
2017-11-13 09:08:48 -05:00
}
2018-10-23 10:22:31 -04:00
]
2017-11-13 09:08:48 -05:00
}
