Finding Description
The app was found to declare unverified deep links.
Deep links are URIs of any scheme that take users directly to specific content in an app. An app can set up deep links by adding intent filters on the Android Manifest and extracting data from incoming intents to navigate users to the correct activity.
Using unverified deep links can cause a significant issue: any other app installed on the user's device can declare and try to handle the same intent, which is known as deep link collision. An arbitrary application can declare control over exactly the same deep link that belongs to another application.
In recent versions of Android this results in a so-called disambiguation dialog shown to the user that asks them to select the application that should handle the deep link. The user could make the mistake of choosing a malicious application instead of the legitimate one.
Evaluation Criteria
The evidence table contains the activities that are associated with unverified deep links. You should inspect all these activities and check if they handle sensitive information. If so, this should be considered a vulnerability.
Steps to Reproduce
This test looks for deep links declared in the Android Manifest that either employ a custom URL scheme, or use HTTP/HTTPS without explicitly setting android:autoVerify="true".
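As an added example (not NowSecure's own tooling), the check described above written in Python over a constructed sample manifest: it flags VIEW + BROWSABLE intent filters whose data scheme is custom, or http/https without android:autoVerify="true". The activity names, the puppies scheme and the example.com hosts are made up for the sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
VIEW, BROWSABLE = "android.intent.action.VIEW", "android.intent.category.BROWSABLE"

def _attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def find_unverified_deep_links(manifest_xml):
    """Return (activity, scheme, host) rows for every deep link (VIEW + BROWSABLE + a URI
    scheme) that is not an App Link: a custom scheme, or http/https without autoVerify."""
    findings = []
    for activity in ET.fromstring(manifest_xml).iter("activity"):
        for flt in activity.findall("intent-filter"):
            names = lambda tag: {_attr(e, "name") for e in flt.findall(tag)}
            if VIEW not in names("action") or BROWSABLE not in names("category"):
                continue  # not a deep link filter
            datas = flt.findall("data")
            schemes = {_attr(d, "scheme") for d in datas if _attr(d, "scheme")}
            hosts = sorted(_attr(d, "host") for d in datas if _attr(d, "host")) or [""]
            # An App Link needs android:autoVerify="true" AND only web schemes in the filter;
            # a custom scheme mixed into a verified filter still collides.
            if not schemes or (_attr(flt, "autoVerify") == "true" and schemes <= {"http", "https"}):
                continue
            findings += [(_attr(activity, "name"), s, h) for s in sorted(schemes) for h in hosts]
    return findings

# Constructed sample manifest (not the audited app's): a custom-scheme link, a verified
# App Link, and an https link that forgot android:autoVerify="true".
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puppies.app"><application>
  <activity android:name=".SettingsDeeplinkActivity"><intent-filter>
    <action android:name="android.intent.action.VIEW"/>
    <category android:name="android.intent.category.DEFAULT"/>
    <category android:name="android.intent.category.BROWSABLE"/>
    <data android:scheme="puppies" android:host="settings"/>
  </intent-filter></activity>
  <activity android:name=".MainActivity"><intent-filter android:autoVerify="true">
    <action android:name="android.intent.action.VIEW"/>
    <category android:name="android.intent.category.DEFAULT"/>
    <category android:name="android.intent.category.BROWSABLE"/>
    <data android:scheme="https" android:host="www.example.com" android:pathPrefix="/puppies"/>
  </intent-filter><intent-filter>
    <action android:name="android.intent.action.VIEW"/>
    <category android:name="android.intent.category.DEFAULT"/>
    <category android:name="android.intent.category.BROWSABLE"/>
    <data android:scheme="https" android:host="share.example.com"/>
  </intent-filter></activity>
</application></manifest>"""
```

Running find_unverified_deep_links on a real AndroidManifest.xml (decoded with apktool or aapt2) yields the same Activity/Scheme/Host rows as the evidence table.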
Business Impact
This flaw can potentially lead to a number of different exploits:
XSS using WebView
Open Redirect
Sensitive data exposure
Session hijacking
Account takeover
Remediation Resources
In order to solve the deep link collision issue, Android 6.0 (API Level 23) introduced Android App Links, which are verified deep links based on a website URL explicitly registered by the developer. Clicking on an App Link will immediately open the app if it's installed.
In order for Android to handle your deep links as App Links, you have to:
Set the android:autoVerify="true" in any of the web URL intent filters of your app.
Ensure that you do not have any custom scheme in your intent filter, but only http or https.
Include a so-called Digital Asset Links file with the name assetlinks.json which must be accessible over an HTTPS connection, regardless of whether your app's intent filters declare HTTPS as the data scheme. The assetlinks.json file must be published to the host specified by android:host within the intent filter and be readable by anyone.
For example, if you have the following intent filter:
The assetlinks.json file must reside in https://www.nowsecure.com/.well-known/assetlinks.json and should look like this:
The value of "package_name" should match your app's package name, "com.example.puppies.app" in this example, and the sha256_cert_fingerprints should match the fingerprints of your app's signing certificate.
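As an added example, not taken from the report, a Python helper that renders the assetlinks.json statement for a package and checks that a served file actually grants that package the handle_all_urls relation with a well-formed fingerprint. The fingerprint below is a constructed placeholder, not a real signing certificate hash.

```python
import json
import re

HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"
# 32 colon-separated uppercase hex bytes, the SHA-256 form that `keytool -list -v` prints.
FINGERPRINT_RE = re.compile(r"^([0-9A-F]{2}:){31}[0-9A-F]{2}$")

def build_assetlinks(package_name, sha256_fingerprints):
    """Render the assetlinks.json contents granting package_name handle_all_urls."""
    statement = {
        "relation": [HANDLE_ALL_URLS],
        "target": {
            "namespace": "android_app",
            "package_name": package_name,
            "sha256_cert_fingerprints": [f.upper() for f in sha256_fingerprints],
        },
    }
    return json.dumps([statement], indent=2)

def assetlinks_grants(assetlinks_json, package_name, fingerprint):
    """True if the served assetlinks.json holds a well-formed statement letting
    package_name, signed by the certificate with this fingerprint, handle all URLs."""
    try:
        statements = json.loads(assetlinks_json)
    except ValueError:
        return False  # not JSON at all: verification will fail
    if not isinstance(statements, list):
        return False
    for stmt in statements:
        if not isinstance(stmt, dict) or HANDLE_ALL_URLS not in stmt.get("relation", []):
            continue
        target = stmt.get("target")
        if not isinstance(target, dict) or target.get("namespace") != "android_app":
            continue
        if target.get("package_name") != package_name:
            continue
        fps = [str(f).upper() for f in target.get("sha256_cert_fingerprints", [])]
        if all(FINGERPRINT_RE.match(f) for f in fps) and fingerprint.upper() in fps:
            return True
    return False

# Constructed placeholder fingerprint (not a real signing certificate hash).
FAKE_FINGERPRINT = ":".join(["AB"] * 32)
```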
Evidence
#### Unverified Deep Links
| Activity | Scheme | Host |
|---|---|---|
| com.instagram.barcelona.settingsdeeplinkhandleractivity.SettingsDeeplinkHandlerActivity | barcelona | settings |
| com.instagram.barcelona.mainactivity.BarcelonaActivity | barcelona | media |
| com.instagram.barcelona.mainactivity.BarcelonaActivity | barcelona | user |
... and 2 more
Risk and Regulatory Information
Severity: info
Policy Category: Review Required