No way to limit or block Android "intent" links from opening arbitrary apps

pdg137 commented 2 years ago

Description

Brave supports "intents", an obscure* feature of Android that can automatically launch arbitrary apps. The issue is that this is done without the user's explicit permission, and there is no way to limit or disable the feature. Even though this is a standard feature of Android, and Chrome has marked their corresponding issue WontFix, this is a security and privacy risk, and it subverts the user's intentions. There's not even any way to figure out what feature of Brave caused the app to launch, and it's easy to confuse with other features like App Links and Instant Apps. (Actually I'm not even sure if these are different.) Brave should provide more control over intents.

* It's hard to find even an example intent URL anywhere, and the intent: URI scheme is not listed among the hundreds registered with the IANA.

Steps to reproduce

Make sure the YouTube app is installed on your Android device.
Click the following link from Brave: https://tinyurl.com/n5dw497t (this redirects to intent://TeVbYCIFVa8/#Intent;scheme=vnd.youtube;package=com.google.android.youtube;end;, but GitHub does not support the intent URL scheme.)

Actual result

The YouTube app launches automatically and starts playing a video.

Problems with this result:

The user has absolutely no way to avoid opening the app (even uninstalling the app is not possible in the case of YouTube.)
Any app with a security issue can potentially be exploited by malicious websites.
Following an intent link could cause a logged-in app to record activity under his account that he intended to keep anonymous. Examples: YouTube view history, LinkedIn profile view notifications, Twitch streams showing connected users...
Brave privacy settings and ad blocking will not be respected in the app.

Expected result

A prompt should appear asking something like "A website wants to open the app: YouTube. Proceed?"

Issue reproduces how often

One very common place this occurs is in Google search results for YouTube videos. In another instance, Facebook.com seems to use intents to redirect users to Facebook Messenger.

Version/Channel Information:

Can you reproduce this issue with the current Play Store version? Yes
Can you reproduce this issue with the current Play Store Beta version? Unknown
Can you reproduce this issue with the current Play Store Nightly version? Unknown

Device details

Install type (ARM, x86): ARM
Device type (Phone, Tablet, Phablet): Pixel 3 XL
Android version: 12

Brave version

Brave 1.34.80, Chromium 97.0.4692.71

Website problems only

Does the issue resolve itself when disabling Brave Shields?

No

Does the issue resolve itself when disabling Brave Rewards?

No

Is the issue reproducible on the latest version of Chrome?

Yes

Additional information

I originally filed this as #13310 but didn't understand what feature of Brave was triggering the problem, and the issue was closed.

srirambv commented 2 years ago

Seems like an upstream issue as its repro'd on Chrome as well.

cc: @samartnik

pdg137 commented 2 years ago

This is still an issue on Brave 1.39.115, Chromium 102.0.5005.78, Android 12. Surely we don't want links to open arbitrary apps without permission!

brave / brave-browser