|
1 | 1 | ## Scenario: Pramod can intercept credentials through misdirection because the app is vulnerable to attacks like Tapjacking, StrandHogg and/or URL scheme hijacking |
2 | 2 |
|
| 3 | +Pramod notices that Ade’s mobile application does not properly validate exported activities or incoming intents. The app allows deep links for authentication flows but fails to verify their origin. |
| 4 | + |
| 5 | +By launching a tapjacking overlay, Pramod places a transparent malicious layer over Ade’s login screen. The user believes they are interacting with the legitimate application, but their credentials are actually being captured by Pramod’s hidden interface. |
| 6 | + |
| 7 | +In another scenario, Pramod exploits StrandHogg by registering a malicious activity that mimics Ade’s login page. When the victim enters their username and password, the credentials are intercepted before the user is redirected back to the real app to avoid suspicion. |
| 8 | + |
| 9 | +If URL schemes are not properly validated, Pramod can also hijack authentication callbacks and intercept sensitive tokens during redirection flows. |
| 10 | + |
3 | 11 | ### Example |
4 | 12 |
|
| 13 | +Ade proudly launches a new feature that allows users to log in through a deep link received via email. Unfortunately, she forgets to validate which application handles the callback. Pramod registers the same URL scheme on his malicious app. When the user completes authentication, the token is sent directly to Pramod instead of Ade’s app. The login appears successful, but the attacker now has full access to the user’s account. |
| 14 | + |
5 | 15 | ## Threat Modeling |
6 | 16 |
|
7 | 17 | ### STRIDE |
8 | 18 |
|
| 19 | +This scenario falls under the **Spoofing** category in the STRIDE threat modeling framework. |
| 20 | + |
| 21 | +Pramod impersonates a trusted application interface or authentication handler to trick users into submitting credentials or tokens. The system fails to verify the authenticity of the interacting application, allowing the attacker to act as a legitimate entity. |
| 22 | + |
9 | 23 | ### What can go wrong? |
10 | 24 |
|
11 | | -### What are we going to do about it? |
| 25 | +If activity hijacking, tapjacking overlays, or unvalidated deep links are allowed, attackers may intercept authentication credentials or tokens. This can lead to account compromise, session hijacking, and unauthorized access to sensitive information. |
| 26 | + |
| 27 | +### What are we going to do about it? |
| 28 | + |
| 29 | +- Disable or strictly control exported activities unless absolutely required. |
| 30 | +- Validate the origin and integrity of incoming intents and deep links. |
| 31 | +- Use protections against overlay attacks such as secure window flags. |
| 32 | +- Implement tapjacking detection mechanisms. |
| 33 | +- Enforce strict validation of URL schemes and authentication callbacks. |
| 34 | +- Follow OWASP MASVS guidance for secure authentication and intent handling. |
0 commit comments