Deep Link Exploitation
Description
Custom URL schemes and universal/app links route users into specific app screens. Without strict validation and authorization checks, crafted links can bypass normal navigation, inject parameters, or trigger privileged actions.
Examples
Invoke Privileged Action via Android Intent
Test deep link handling directly:
adb shell am start -a android.intent.action.VIEW \
-d "myapp://reset-password?user=alice&token=abcd" com.example/.MainActivity
If the app executes the action without verifying session state or token integrity, the link is exploitable.
iOS Universal Link Test
xcrun simctl openurl booted "https://myapp.example.com/reset-password?user=alice&token=abcd"
Observe whether authentication is required and parameters are validated.
Remediation
- Strict URI allow-listing and validation
  - Define exact patterns; reject unknown paths/params; validate token formats and expiries.
- Enforce authentication and state
  - Require an active session; confirm with CSRF-style nonces for sensitive actions.
- Lock origin and handlers
  - Use Android App Links/iOS Universal Links; verify association files and set android:autoVerify="true".
  - Avoid exported handlers for sensitive links; verify caller when applicable.
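The checks the remediation list calls for, as an added example in Python (not code from the original page) so the logic can be run off-device: an exact (scheme, authority, path) allow-list covering both the custom-scheme and Universal/App Link forms of the reset-password link above, rejection of unknown or repeated parameters, an active-session check bound to the requested account, and token format and expiry checks. The scheme, host, token format and the issued_tokens record are assumptions made for the example.

```python
import re
import time
from urllib.parse import parse_qs, urlsplit

# Exact allow-list of routes the app honours, keyed by (scheme, authority, path),
# mapped to the only query parameters each route accepts; the custom-scheme and
# Universal/App Link forms of the same screen are both listed (names constructed).
ALLOWED_ROUTES = {
    ("myapp", "reset-password", ""): {"user", "token"},
    ("https", "myapp.example.com", "/reset-password"): {"user", "token"},
}
TOKEN_RE = re.compile(r"[0-9a-f]{32}")  # format of tokens the server actually issues
TOKEN_TTL = 15 * 60                      # token lifetime in seconds


def validate_deep_link(url, session_user, issued_tokens, now=None):
    """Return (action, user) or raise ValueError with the reason for rejection.
    issued_tokens maps token -> (user, issued_at): the server-side record of tokens
    it really minted (constructed for this example)."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    route = (parts.scheme, parts.netloc, parts.path)
    if route not in ALLOWED_ROUTES or parts.fragment:
        raise ValueError("route not allow-listed")
    params = parse_qs(parts.query, keep_blank_values=True)
    # Unknown, missing or repeated parameters are rejected, never ignored.
    if set(params) != ALLOWED_ROUTES[route] or any(len(v) != 1 for v in params.values()):
        raise ValueError("unexpected query parameters")
    user, token = params["user"][0], params["token"][0]
    # A sensitive action needs an active session, and the link must not act on
    # any account other than the one that is logged in.
    if session_user is None or user != session_user:
        raise ValueError("no active session for the requested user")
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("malformed token")
    record = issued_tokens.get(token)
    if record is None or record[0] != user:
        raise ValueError("token not issued for this user")
    if now - record[1] > TOKEN_TTL:
        raise ValueError("token expired")
    return ("reset-password", user)


def rejection_reason(url, session_user, issued_tokens, now=None):
    """None if the link is accepted, otherwise the reason it was refused."""
    try:
        validate_deep_link(url, session_user, issued_tokens, now)
    except ValueError as exc:
        return str(exc)
    return None
```

The link used in the adb test above is refused at the token-format step even with a valid session, and the same input is refused earlier if the session belongs to another account or the route is not listed.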