💻
Application Security Cheat Sheet
  • Application Security Cheat Sheet
  • Android Application
    • Overview
      • Application Data & Files
      • Application Package
      • Application Sandbox
      • Application Signing
      • Deployment
      • Package Manager
    • Intent Vulnerabilities
      • Deep Linking Vulnerabilities
    • WebView Vulnerabilities
      • WebResourceResponse Vulnerabilities
      • WebSettings Vulnerabilities
  • CI/CD
    • Dependency
      • Dependency Confusion
      • Dependency Hijaking
      • Typosquatting
    • GitHub
      • GitHub Actions
      • Code owners
      • Dependabot
      • Redirect
      • Releases
  • Cloud
    • AWS
      • Amazon API Gateway
      • Amazon Cognito
      • Amazon S3
  • Container
    • Overview
      • Container Basics
      • Docker Engine
    • Escaping
      • CVE List
      • Exposed Docker Socket
      • Excessive Capabilities
      • Host Networking Driver
      • PID Namespace Sharing
      • Sensitive Mounts
    • Container Analysis Tools
  • Framework
    • Spring
      • Overview
      • Mass Assignment
      • Routing Abuse
      • SpEL Injection
      • Spring Boot Actuators
      • Spring Data Redis Insecure Deserialization
      • Spring View Manipulation
    • React
      • Overview
      • Security Issues
  • Linux
    • Overview
      • Philosophy
      • File
      • File Descriptor
      • I/O Redirection
      • Process
      • Inter Process Communication
      • Shell
      • Signals
      • Socket
      • User Space vs Kernel Space
    • Bash Tips
  • iOS Application
    • Overview
      • Application Data & Files
      • Application Package
      • Application Sandbox
      • Application Signing
      • Deployment
    • Getting Started
      • IPA Patching
      • Source Code Patching
      • Testing with Objection
  • Resources
    • Lists
      • Payloads
      • Wordlists
    • Researching
      • Web Application
      • Write-ups
    • Software
      • AWS Tools
      • Azure Tools
      • Component Analysis
      • Docker Analysis
      • Dynamic Analysis
      • Fuzzing
      • GCP Tools
      • Reverse Engineering
      • Static Analysis
      • Vulnerability Scanning
    • Training
      • Secure Development
  • Web Application
    • Abusing HTTP hop-by-hop Request Headers
    • Broken Authentication
      • Two-Factor Authentication Vulnerabilities
    • Command Injection
      • Argument Injection
    • Content Security Policy
    • Cookie Security
      • Cookie Bomb
      • Cookie Jar Overflow
      • Cookie Tossing
    • CORS Misconfiguration
    • File Upload Vulnerabilities
    • GraphQL Vulnerabilities
    • HTML Injection
      • base
      • iframe
      • link
      • meta
      • target attribute
    • HTTP Header Security
    • HTTP Request Smuggling
    • Improper Rate Limits
    • JavaScript Prototype Pollution
    • JSON Web Token Vulnerabilities
    • OAuth 2.0 Vulnerabilities
      • OpenID Connect Vulnerabilities
    • Race Condition
    • Server Side Request Forgery
      • Post Exploitation
    • SVG Abuse
    • Weak Random Generation
    • Web Cache Poisoning
Powered by GitBook
On this page
  • Deep linking overview
  • Deep link
  • Android app link
  • The difference between deep links and app links
  • Security issues
  • Access arbitrary components
  • App link misconfiguration
  • Arbitrary URL opening in WebView
  • Bypass local authentication
  • Insecure parameter handling
  • Perform unsafe actions without confirmation
  • References
  1. Android Application
  2. Intent Vulnerabilities

Deep Linking Vulnerabilities

PreviousIntent VulnerabilitiesNextWebView Vulnerabilities

Last updated 2 years ago

Deep linking overview

Deep linking is a mechanism that processes specific types of links and sends users directly to an app, for example, to a particular activity. Android allows developers to create two types of links:

  • Deep link

  • Android App Link

Deep link

Deep link is a URL that takes users directly to specific content in an app. For example, the example://myapp deep link can be used to start MainActivity.

Deep links are set up by adding and users are driven to the right activity based on the data extracted from incoming intents. Therefore, several apps are able to handle the same deep links (intents). In this case, users might not go directly to a particular app and they need to select an app, see the section.

The following XML snippet shows an example of an intent filter in a manifest for deep linking, where the example://myapp URI is resolved to the MainActivity:

<activity android:name="MainActivity">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <!-- Accepts URIs that begin with "example://myapp -->
        <data android:scheme="example"
              android:host="myapp" />
    </intent-filter>
</activity>

Android app link

Android App Links is a special type of deep link that allows website URLs to immediately open the corresponding content in an app (without requiring the user to select the app). If the user doesn't want the app to be the default handler, they can override this behavior from their device's system settings.

  • https://domain.name/.well-known/assetlinks.json

If the system successfully verifies that an app is allowed to open a URL, the system automatically routes this URL intents to the app.

The following XML snippet shows an example of an intent filter in a manifest for app linking, where the https://example.com URI is resolved to the MainActivity:

<activity android:name="MainActivity">
    <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <!-- Accepts URIs that begin with "https://example.com/ -->
        <data android:scheme="https" 
              android:host="example.com" />
    </intent-filter>
</activity>

The difference between deep links and app links

#
Deep links
App links

Intent URL scheme

http, https, or a custom scheme

Requires http or https

Intent action

Any action

Requires android.intent.action.VIEW

Intent category

Any category

Requires android.intent.category.BROWSABLE and android.intent.category.DEFAULT

Link verification

None

User experience

May show a disambiguation dialog for the user to select which app to open the link

No dialog; an app opens to handle website links

Compatibility

All Android versions

Android 6.0 and higher

Security issues

Access arbitrary components

An app can implement its own intent parser to handle deeplinks using JSON objects, strings or byte arrays that may expand Serializable and Parcelable objects and allow to set insecure flags.

For example, the following deeplink parser converts a byte array to Parcel and read an intent from it:

Uri deeplinkUri = getIntent().getData();
if (deeplinkUri.toString().startsWith("deeplink://handle/")) {
    byte[] handle = Base64.decode(deeplinkUri.getQueryParameter("param"), 0);
    Parcel parcel = Parcel.obtain();
    parcel.unmarshall(handle, 0, handle.length);
    startActivity((Intent) parcel.readParcelable(getClassLoader()));
}

App link misconfiguration

Deeplinks as well as app links can use the https scheme, and developers can configure an intent filter for deeplinks instead of app links. As a result, you can create an app that will handle the same deeplinks and intercept intents:

<intent-filter android:priority="999">
	<action android:name="android.intent.action.VIEW" />
	<category android:name="android.intent.category.DEFAULT" />
	<category android:name="android.intent.category.BROWSABLE" />
	<data android:scheme="https" />
	<data android:host="myapp.link" />
</intent-filter>

References:

Arbitrary URL opening in WebView

If an app opens URL in WebView based on parameters from a deeplink you can try to bypass a URL validation and open arbitrary URLs. This can be used to execute arbitrary JavaScript, steal sensitive data, access arbitrary components and chain with other weaknesses.

References:

Bypass local authentication

Apps can handle deeplinks before local authentication (passcode/biometrics) and sometimes this can lead to a direct user being pushed into an activity without local authentication. This may require you to simply follow a deeplink, or abuse parameters / functionality, trying to get exceptional conditions, such as failing validation or interrupting a flow in the middle.

References:

Insecure parameter handling

Deeplinks allows users to provide parameters to an application that can be used as parameters when performing local actions, requests to API, etc. Therefore, if these parameters are not properly validated, an attacker can use them for profit (up to RCE).

For instance, suppose an application opens local files based on http/https URLs by the next flow:

  1. A user send the link https://website.com/file.pdf

  2. An application parses the URL and retrieves the URL path: file.pdf

  3. An application joins a hard-coded temp folder with file.pdf: /data/data/com.vulnerable-app/temp-files/file.pdf

  4. An application downloads the PDF file from https://website.com/file.pdf and save them to /data/data/com.vulnerable-app/temp-files/file.pdf

  5. An application opens downloaded file for a user

In such case, an attacker is able to rewrite an arbitrary file within the package using path traversal: https://website.com/x/..%2F..%2Fdatabases/secret.db.

References:

Perform unsafe actions without confirmation

Sometimes apps allow users to perform unsafe actions through deeplinks, such as modifying data, doing a call, buying a subscription and etc. If these actions do not require additional confirmation from a user, you can perform a CSRF-like attack.

For example, if an app allows authenticated users to change their email through the myapp://user?email=<email> deeplink, you can change the victim's email to your own by making them visit the following page:

<!DOCTYPE html>
<html>
    <script>location.href = "myapp://user?email=attacker@attacker-website.com";</script>
</html>

References:

References

Android App Links are set up by adding that open an app content using http/https URLs and verifying that an app is allowed to open these website URLs. The verifying is required the following steps:

Request in a manifest. This signals to the Android system that it should verify an app belongs to the URL domain used in intent filters.

Declare the relationship between a website and intent filters by hosting a JSON file at the following location:

Requires a file served on a website with HTTPS

automatic app link verification
Digital Asset Links
Report: Account takeover intercepting magic link for Arrive app
Report: [Grab Android/iOS] Insecure deeplink leads to sensitive information disclosure
Writeup: Breaking The Facebook For Android Application
Writeup: When Equal is Not, Another WebView Takeover Story
Report: Bypass of biometrics security functionality is possible in Android application (com.shopify.mobile)
Writeup: RCE IN ADOBE ACROBAT READER FOR ANDROID(CVE-2021-40724)
Report: Periscope android app deeplink leads to CSRF in follow action
Report: CSRF when unlocking lenses leads to lenses being forcefully installed without user interaction
Android Developers: Handling Android App Links
Oversecured: Android Access to app protected components
Digital Asset Links
Intent Vulnerabilitiescheat-sheets
WebView Vulnerabilities: Bypass URL validation
intent filters
Intent resolution
intent filters
Logo