Hello Folks, Today we will learn about Deep Links in Android, and how to exploit them. So let’s begin.
What is Deep Link
A deep link is simply a URL that, when clicked, takes you to a specific destination inside an Android application. You must have encountered these URLs while using an Android application (refer to the picture below).
Usually one of the following three things happens when a user clicks on such a link. In the picture above, the user has been given the option to open the link in the application of their choice (the third option):
- Open the user’s preferred app that can handle the URI, if one is designated.
- Open the only available app that can handle the URI.
- Allow the user to select an app from a dialog.
Now we will look at the structure of deep links by using the below AndroidManifest File.
```xml
<activity android:name="com.example.android.GizmosActivity"
          android:label="@string/title_gizmos" >
    <intent-filter android:label="@string/filter_view_http_gizmos">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <!-- Accepts URIs that begin with "http://www.example.com/gizmos" -->
        <data android:scheme="http"
              android:host="www.example.com"
              android:pathPrefix="/gizmos" />
        <!-- note that the leading "/" is required for pathPrefix -->
    </intent-filter>
    <intent-filter android:label="@string/filter_view_example_gizmos">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <!-- Accepts URIs that begin with "example://gizmos" -->
        <data android:scheme="example"
              android:host="gizmos" />
    </intent-filter>
</activity>
```
Let’s start with the data tag in the file. The data tag carries three attributes: android:scheme, android:host, and android:pathPrefix. These attributes define what type of URI the application will handle. For example, the data tag in the last intent filter forms the URL “example://gizmos”, and the data tag in the first intent filter forms the URL “http://www.example.com/gizmos”. If a browser makes a request to either of these two URLs, the URL can be opened in this application.
Now let’s come to the intent filter part. The “action” element specifies what type of action you want to perform when the URI is clicked; it can be ACTION_VIEW, ACTION_EDIT, and so on. android.intent.action.VIEW in the AndroidManifest file allows the user to view the activity “GizmosActivity”.
The category part of the AndroidManifest file gives additional information about the kind of component that should handle the intent. In this case, the “BROWSABLE” category means that the target activity allows itself to be started by a web browser to display data referenced by a link. Without it, clicking a link in a browser cannot resolve to your app. The “DEFAULT” category is also specified because, without it, the activity can be started only if the intent specifies your app’s component name.
Let me give you the whole idea of what is going on here one more time.
- Because the activity has the “BROWSABLE” category, the URI can be reached from the web (for example via a search engine), so while browsing the internet the user clicks on the link (example://gizmos).
- Because the URI is one of the deep links, the Android system does one of the three things specified above. In this scenario, let’s assume the user has the application installed but has not set any preference.
- The user is given the option to open the URI in the browser, in the application, or elsewhere.
- From that URI’s perspective, the VIEW action has been set, which means the application opens the “gizmos” activity.
How Deep Link is different from App Link
An App Link is a special type of deep link that only supports the “http” and “https” schemes; when clicked, the Android OS opens only the specified application, and no other option is given to the user. If you want to read more about how App Links work, you can check out this blog.
Deep Link Exploitation
This was all about deep links. Let’s move on to the exploitation part. For demonstration purposes I will be using the InsecureShop vulnerable lab, which you can download from here.
Let’s start digging from the AndroidManifest file. If you observe, there is one deep link defined in the manifest, and “com.insecureshop.WebViewActivity” and “com.insecureshop.LoginActivity” are the activities that handle the deep link URI. According to the scheme in the manifest file, the URI format is “insecureshop://com.insecureshop”.
On observing WebViewActivity, you will find that it first checks whether a “uri” (deep link) is present. If it is, it checks for the paths “/web” and “/webview”. If the path is “/web”, it checks for the query parameter “url”, and if that is present, its value is saved in the variable “data”. The “data” variable is then passed directly to “webview.loadUrl()” without any sanitization, and webview.loadUrl() loads the user-controlled URL in the WebView. In this case, we can craft something like “insecureshop://com.insecureshop/web?url=http://divyanshudiwakar.com” to check whether it is vulnerable. For checking this, we can use the ADB tool as shown in the picture below.
You can even view local files stored in Android storage using the deep link, as shown below.
Misconfigured deep links can have the following impact:
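The fix for both findings above is to validate the deep link before it reaches the WebView. Below is an added example written for this post (it is not InsecureShop’s code nor the author’s); the activity name SafeWebViewActivity and the ALLOWED_HOSTS allowlist are hypothetical.

```kotlin
import android.net.Uri
import android.os.Bundle
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient
import androidx.appcompat.app.AppCompatActivity

// Hypothetical activity name; not InsecureShop's WebViewActivity.
class SafeWebViewActivity : AppCompatActivity() {
    companion object {
        // Hosts the app is willing to render; everything else is refused. Constructed value.
        val ALLOWED_HOSTS = setOf("www.example.com")

        // Returns the URL to load, or null when the deep link must be rejected.
        // Kept free of Activity state so it can be unit tested on the JVM.
        fun resolveTarget(deepLink: Uri?): String? {
            if (deepLink == null) return null
            // Only the documented paths are honoured.
            if (deepLink.path != "/web" && deepLink.path != "/webview") return null
            val target = deepLink.getQueryParameter("url") ?: return null
            val parsed = Uri.parse(target)
            // Refuse file://, javascript:, content:// and plain http: only https is rendered.
            if (!"https".equals(parsed.scheme, ignoreCase = true)) return null
            // Host allowlist closes the open-redirect / phishing case.
            val host = parsed.host?.lowercase() ?: return null
            if (host !in ALLOWED_HOSTS) return null
            return parsed.toString()
        }
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val webView = WebView(this)
        setContentView(webView)
        // Re-check every navigation, so a redirect cannot leave the allowlist.
        webView.webViewClient = object : WebViewClient() {
            override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
                val host = request.url.host?.lowercase() ?: return true
                return host !in ALLOWED_HOSTS // true = block the navigation
            }
        }
        // Deny local file and content provider access from the WebView.
        webView.settings.allowFileAccess = false
        webView.settings.allowContentAccess = false

        // The vulnerable pattern is webView.loadUrl(data) with no check at all.
        val url = resolveTarget(intent?.data) ?: run { finish(); return }
        webView.loadUrl(url)
    }
}
```

Because resolveTarget() has no Activity dependencies, a plain JVM unit test can feed it the “/web?url=http://…” and “file://” variants from this post and assert that both return null.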
- Phishing
- Open Redirection
- Local File Reading
- Remote Code Execution
It would not be right to say I didn’t take help from any reference for understanding Deep Links. Following are some good references.
- Breaking The Facebook For Android Application (ash-king.co.uk)
- Exploiting Deep Links in Android – Part 1 (inesmartins.github.io)
- Exploiting Deep Links in Android – Part 2 (inesmartins.github.io)
- Exploiting Deep Links in Android – Part 3 (inesmartins.github.io)
- Deep Links in Android: Getting Started | raywenderlich.com
That’s all about exploiting deep links. Hope you guys liked it. Feedback/recommendations are always welcome.