MOB-IOS-URL-SCHEMEInitial Access

iOS URL Scheme Hijack

Multiple apps register the same URL scheme — attacker app handles a callback intended for the legit app (OAuth code, password reset).

§ Where this technique fits

MOB-IOS-URL-SCHEME is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

iOS URL scheme hijack → OAuth code theft
Multiple apps register the same custom URL scheme — a rogue app installed alongside the target receives the OAuth callback containing the authorisation code, then exchanges it for tokens.
step 2 / 6

§ What commonly comes next

01
Valid Accounts
T1078 · Initial Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

iOS URL scheme hijack → OAuth code theft

§ What commonly comes next