
URL Scheme Hijacking - T1415 (8f142a25-f6c3-4520-bd50-2ae3ab50ed3e)

An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application (Citation: FireEye-Masque2) (Citation: Dhanjani-URLScheme). This technique, for example, could be used to capture OAuth authorization codes (Citation: IETF-PKCE) or to phish user credentials (Citation: MobileIron-XARA).

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| URL Scheme Hijacking - T1415 (8f142a25-f6c3-4520-bd50-2ae3ab50ed3e) | Attack Pattern | URI Hijacking - T1635.001 (789ef15a-34d9-4b32-a779-8cbbc9eb32f5) | Attack Pattern | 1 |
| Steal Application Access Token - T1635 (233fe2c0-cb41-4765-b454-e0087597fbce) | Attack Pattern | URI Hijacking - T1635.001 (789ef15a-34d9-4b32-a779-8cbbc9eb32f5) | Attack Pattern | 2 |