cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce.json

{
    "type": "bundle",
    "id": "bundle--5bd5f78a-ca97-4f0c-ae12-875e27df8883",
    "spec_version": "2.0",
    "objects": [
        {
            "modified": "2023-03-20T18:53:52.292Z",
            "name": "Steal Application Access Token",
            "description": "Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering or URI hijacking and typically requires user action to grant access, such as through a system \u201cOpen With\u201d dialogue.  \n\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework used to issue tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry through OAuth 2.0 using a variety of authorization protocols. An example of a commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested without requiring user credentials.",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-mobile-attack",
                    "phase_name": "credential-access"
                }
            ],
            "x_mitre_deprecated": false,
            "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it. When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)",
            "x_mitre_domains": [
                "mobile-attack"
            ],
            "x_mitre_is_subtechnique": false,
            "x_mitre_platforms": [
                "Android",
                "iOS"
            ],
            "x_mitre_version": "1.1",
            "x_mitre_tactic_type": [
                "Post-Adversary Device Access"
            ],
            "type": "attack-pattern",
            "id": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce",
            "created": "2022-04-01T15:12:50.740Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1635",
                    "external_id": "T1635"
                },
                {
                    "source_name": "Android-AppLinks",
                    "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.",
                    "url": "https://developer.android.com/training/app-links/index.html"
                },
                {
                    "source_name": "Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019",
                    "description": "Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019.",
                    "url": "https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/"
                },
                {
                    "source_name": "Microsoft - OAuth Code Authorization flow - June 2019",
                    "description": "Microsoft. (n.d.). Microsoft identity platform and OAuth 2.0 authorization code flow. Retrieved September 12, 2019.",
                    "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow"
                },
                {
                    "source_name": "Microsoft Identity Platform Protocols May 2019",
                    "description": "Microsoft. (n.d.). Retrieved September 12, 2019.",
                    "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols"
                },
                {
                    "source_name": "IETF-OAuthNativeApps",
                    "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.",
                    "url": "https://tools.ietf.org/html/rfc8252"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "x_mitre_attack_spec_version": "3.1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
        }
    ]
}