Unsafe use of deep links

OWASP category: MASVS-PLATFORM: Platform Interaction

Overview

The security risks associated with deep links stem from their core capability of enabling seamless navigation and interaction within mobile applications. Deep link vulnerabilities arise from weaknesses in the implementation or handling of deep links. These flaws can be exploited by malicious actors to gain access to privileged functions or data, potentially resulting in data breaches, privacy violations, and unauthorized actions. Attackers can exploit these vulnerabilities through various techniques, such as deep link hijacking and data validation attacks.

Impact

The lack of a proper deep link validation mechanism, or the unsafe use of deep links, can aid malicious users in performing attacks such as host validation bypass, cross-app scripting, and remote code execution within the permissions context of the vulnerable application. Depending on the nature of the application, this can result in unauthorized access to sensitive data or functions.

By design, Android allows multiple apps to register intent filters for the same deep link URI. To prevent malicious apps from intercepting deep links intended for your app, set the android:autoVerify attribute on the intent-filter in the application's AndroidManifest. This allows users to select their preferred app for handling deep links, ensuring the intended operation and preventing malicious applications from automatically interpreting them.

Android 12 introduced stricter handling of web intents to improve security. Apps must now be verified to handle links from specific domains, either through Android App Links or user selection in system settings. This prevents apps from hijacking links they shouldn't handle.

To enable link handling verification for your app, add intent filters that match the following format (this example is taken from the Verify Android App Links documentation):

  <!-- Make sure you explicitly set android:autoVerify to "true". -->
  <intent-filter android:autoVerify="true">
      <action android:name="android.intent.action.VIEW" />
      <category android:name="android.intent.category.DEFAULT" />
      <category android:name="android.intent.category.BROWSABLE" />
  
      <!-- If a user clicks on a shared link that uses the "http" scheme, your
           app should be able to delegate that traffic to "https". -->
      <data android:scheme="http" />
      <data android:scheme="https" />
  
      <!-- Include one or more domains that should be verified. -->
      <data android:host="..." />
  </intent-filter>

Deep links can include additional parameters that are served to the target intent, for example, to perform further actions. The foundation of secure deep link handling is stringent data validation. All incoming data from deep links should be meticulously validated and sanitized by developers to prevent malicious code or values from being injected within the legitimate application. This can be implemented by checking the value of any deep link parameter against a predefined allowlist of expected values.

Apps should also check other relevant internal state, such as authentication or authorization state, before exposing sensitive information. An example might be a reward for completing a level of a game. In this case it is worth validating the precondition of having completed the level, and redirecting to the main screen if it has not been met.
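As an added example (not code from the original page or from the Android documentation), the following Kotlin Activity applies the allowlist check and the precondition check described above to a deep link of the form https://example.com/reward?level=<id>. The package name, the in-memory Session and GameState holders, MainActivity and the reward logic are assumptions made for the example.

```kotlin
package com.example.app // assumed package name

import android.app.Activity
import android.content.Intent
import android.net.Uri
import android.os.Bundle

// Assumed in-memory state holders; a real app would back these with its own storage.
object Session { var authenticated = false }
object GameState { val completedLevels = mutableSetOf<String>() }

// Allowlists of the hosts, paths and parameter values this deep link is permitted to carry.
private val ALLOWED_HOSTS = setOf("example.com", "www.example.com")
private val ALLOWED_LEVELS = setOf("level1", "level2", "level3")

// Returns the level id only when scheme, host, path and the "level" parameter all match the
// allowlist; anything else (unknown host, extra path, unexpected value) is rejected, not sanitised.
fun validatedLevel(uri: Uri?): String? {
    if (uri == null) return null
    if (uri.scheme != "https") return null
    if (uri.host !in ALLOWED_HOSTS) return null
    if (uri.path != "/reward") return null
    val level = uri.getQueryParameter("level") ?: return null
    return level.takeIf { it in ALLOWED_LEVELS }
}

// Handles https://example.com/reward?level=<id> (assumes a matching intent-filter in the manifest).
class RewardActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val level = validatedLevel(intent?.data)
        // Check the link itself, then the internal preconditions, before exposing the reward.
        if (level == null || !Session.authenticated || level !in GameState.completedLevels) {
            startActivity(Intent(this, MainActivity::class.java)) // MainActivity is assumed
            finish()
            return
        }
        grantReward(level)
    }

    private fun grantReward(level: String) {
        // Assumed reward logic; the point is that it only runs after every check above has passed.
        setResult(RESULT_OK, Intent().putExtra("granted_level", level))
        finish()
    }
}
```

Because validatedLevel is a pure function of the Uri, it can be unit-tested with Robolectric or a mocked Uri to confirm that a wrong host, an unexpected path or a value outside the allowlist all return null.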

Resources