What starting position does this attack require?

The first step is Sideload / TestFlight to victim (T1078) — a initial access primitive. Assumed environment: target app uses an OAuth flow that returns to a custom URL scheme (myapp://oauth/callback).

What is the final impact of this kill-chain?

The final step lands on Build rogue app with matching scheme (MOB-IOS-URL-SCHEME), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

iOS URL scheme hijack → OAuth code theft

Multiple apps register the same custom URL scheme — a rogue app installed alongside the target receives the OAuth callback containing the authorisation code, then exchanges it for tokens.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Sideload / TestFlight to victim

T1078 · Valid Accounts

Execution

Victim initiates OAuth — callback hits rogue

T1204 · User Execution

Lateral Movement

Exchange code for tokens at provider

T1550 · Use Alternate Authentication Material

Credential Access

Capture authorisation code

W-OAUTH-MISCONFIG · OAuth — redirect_uri Misconfig

Reconnaissance

Identify target's URL scheme

MOB-APK-REVERSE · APK Reverse Engineering

Initial Access

Build rogue app with matching scheme

MOB-IOS-URL-SCHEME · iOS URL Scheme Hijack

§ Context

Assumed environment: target app uses an OAuth flow that returns to a custom URL scheme (myapp://oauth/callback). A rogue app declares the same scheme. iOS < 14 doesn't disambiguate.

§ Steps

01
Sideload / TestFlight to victimInitial Access
T1078— Valid Accounts
02
Victim initiates OAuth — callback hits rogueExecution
T1204— User Execution
03
Exchange code for tokens at providerLateral Movement
T1550— Use Alternate Authentication Material
04
Capture authorisation codeCredential Access
W-OAUTH-MISCONFIG— OAuth — redirect_uri Misconfig
05
Identify target's URL schemeReconnaissance
MOB-APK-REVERSE— APK Reverse Engineering
06
Build rogue app with matching schemeInitial Access
MOB-IOS-URL-SCHEME— iOS URL Scheme Hijack

§ References

T1078Valid Accounts
T1204User Execution
T1550Use Alternate Authentication Material

§ Frequently asked

What is the "iOS URL scheme hijack → OAuth code theft" attack path?: Multiple apps register the same custom URL scheme — a rogue app installed alongside the target receives the OAuth callback containing the authorisation code, then exchanges it for tokens. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Sideload / TestFlight to victim (T1078) — a initial access primitive. Assumed environment: target app uses an OAuth flow that returns to a custom URL scheme (myapp://oauth/callback).
What is the final impact of this kill-chain?: The final step lands on Build rogue app with matching scheme (MOB-IOS-URL-SCHEME), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

iOS URL scheme hijack → OAuth code theft

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

OAuth redirect_uri misconfig → account takeover

Trusted updater hijack → wormable destructive payload (NotPetya / M.E.Doc)

SAML signature wrapping (XSW) → impersonate admin

BLE eavesdrop + replay → smart lock open

Malicious browser extension → cookie harvest → ATO

Deeplink abuse → in-app account takeover