Deep Linking Vulnerabilities
Deep linking overview
Deep linking is a mechanism that processes specific types of links and sends users directly to an app, for example, to a particular activity. Android allows developers to create two types of links:
Deep link
Android App Link
Deep link
Deep link is a URL that takes users directly to specific content in an app. For example, the example://myapp
deep link can be used to start MainActivity
.
Deep links are set up by adding intent filters and users are driven to the right activity based on the data extracted from incoming intents. Therefore, several apps are able to handle the same deep links (intents). In this case, users might not go directly to a particular app and they need to select an app, see the Intent resolution section.
The following XML snippet shows an example of an intent filter in a manifest for deep linking, where the example://myapp
URI is resolved to the MainActivity
:
Android app link
Android App Links is a special type of deep link that allows website URLs to immediately open the corresponding content in an app (without requiring the user to select the app). If the user doesn't want the app to be the default handler, they can override this behavior from their device's system settings.
Android App Links are set up by adding intent filters that open an app content using http/https
URLs and verifying that an app is allowed to open these website URLs. The verifying is required the following steps:
Request automatic app link verification in a manifest. This signals to the Android system that it should verify an app belongs to the URL domain used in intent filters.
Declare the relationship between a website and intent filters by hosting a Digital Asset Links JSON file at the following location:
If the system successfully verifies that an app is allowed to open a URL, the system automatically routes this URL intents to the app.
The following XML snippet shows an example of an intent filter in a manifest for app linking, where the https://example.com
URI is resolved to the MainActivity
:
The difference between deep links and app links
Intent URL scheme
http
, https
, or a custom scheme
Requires http
or https
Intent action
Any action
Requires android.intent.action.VIEW
Intent category
Any category
Requires android.intent.category.BROWSABLE
and android.intent.category.DEFAULT
Link verification
None
User experience
May show a disambiguation dialog for the user to select which app to open the link
No dialog; an app opens to handle website links
Compatibility
All Android versions
Android 6.0 and higher
Security issues
Access arbitrary components
An app can implement its own intent parser to handle deeplinks using JSON objects, strings or byte arrays that may expand Serializable and Parcelable objects and allow to set insecure flags.
For example, the following deeplink parser converts a byte array to Parcel and read an intent from it:
App link misconfiguration
Deeplinks as well as app links can use the https
scheme, and developers can configure an intent filter for deeplinks instead of app links. As a result, you can create an app that will handle the same deeplinks and intercept intents:
References:
Arbitrary URL opening in WebView
If an app opens URL in WebView based on parameters from a deeplink you can try to bypass a URL validation and open arbitrary URLs. This can be used to execute arbitrary JavaScript, steal sensitive data, access arbitrary components and chain with other weaknesses.
References:
Bypass local authentication
Apps can handle deeplinks before local authentication (passcode/biometrics) and sometimes this can lead to a direct user being pushed into an activity without local authentication. This may require you to simply follow a deeplink, or abuse parameters / functionality, trying to get exceptional conditions, such as failing validation or interrupting a flow in the middle.
References:
Insecure parameter handling
Deeplinks allows users to provide parameters to an application that can be used as parameters when performing local actions, requests to API, etc. Therefore, if these parameters are not properly validated, an attacker can use them for profit (up to RCE).
For instance, suppose an application opens local files based on http/https URLs by the next flow:
A user send the link
https://website.com/file.pdf
An application parses the URL and retrieves the URL path:
file.pdf
An application joins a hard-coded temp folder with
file.pdf
:/data/data/com.vulnerable-app/temp-files/file.pdf
An application downloads the PDF file from
https://website.com/file.pdf
and save them to/data/data/com.vulnerable-app/temp-files/file.pdf
An application opens downloaded file for a user
In such case, an attacker is able to rewrite an arbitrary file within the package using path traversal: https://website.com/x/..%2F..%2Fdatabases/secret.db
.
References:
Perform unsafe actions without confirmation
Sometimes apps allow users to perform unsafe actions through deeplinks, such as modifying data, doing a call, buying a subscription and etc. If these actions do not require additional confirmation from a user, you can perform a CSRF-like attack.
For example, if an app allows authenticated users to change their email through the myapp://user?email=<email>
deeplink, you can change the victim's email to your own by making them visit the following page:
References:
References
Last updated