Android introduced App Links with Android 6.0 Marshmallow to provide a more secure way of launching a specific app from an (https) link.

Further, I thought Android App Links cover the main vulnerabilities exposed by Custom Schemes.

One of the major vulnerabilities is a malicious app waiting to intercept the same URL with a similar intent filter. The OS will then show the Ambiguous Dialog to the user to select which app should open the link.

See: Measuring the Insecurity of Mobile Deep Links of Android

The App Link URL should take the user straight to the app if the App Link has been set up properly as per the documentation for Android App Links.

However, I found that this may not always be the case. For some devices, the "Ambiguous Dialog" could be shown for the first usage of the App Link URL.

Why?

There is this strange setting called "Go to supported URLs" under the App settings -> Set as default, below the App Links subheading, which App Links depend upon. This setting allows the user to change the App Link behaviour. It gives three options, as below.

  • In this app
  • Always ask
  • In other app

The strangest thing is that the default for this setting differs between vendors' devices.

If the setting is not "In this app" then the OS will show the Ambiguous Dialog with at least your own app and browser.

Question?

  1. Is there a way of preventing the setting being changed (prevent URL being intercepted by any other app)?
  2. Is there a way of setting the default to 'In this app', or changing the setting programmatically to 'In this app', to prevent being intercepted by other apps?
GAJJE82
  • _Is there a way to explicitly control this setting?_ This would allow malicious apps to intercept your specific link, so I doubt you could control this setting. – Zun Sep 14 '18 at 08:02
  • Actually, I think @GAJJE82 is trying to prevent malicious apps from intercepting the links. – C B J Sep 17 '18 at 03:33
  • @ZUNJAE, I'm trying to prevent my App Link being intercepted by any other app. But with this setting it can be exposed. Trying to find a solution to cover this loophole. Thanks. – GAJJE82 Sep 17 '18 at 04:54
  • @CJames, Yes, that's exactly what I'm after. Thanks. – GAJJE82 Sep 17 '18 at 04:55
  • It goes both ways. If YOU want to prevent it from happening, then someone else can also prevent it from happening. – Zun Sep 17 '18 at 07:04
  • @Gajje82 Found another link which explains a similar problem: https://android.stackexchange.com/questions/37549/force-link-to-open-in-app-not-my-default-browser?noredirect=1&lq=1 – Learners Den Sep 18 '18 at 04:02
  • @ZUNJAE I guess it's always one way. I'm trying to control a setting in my own app, not any other app. This setting is under the individual app settings. So from the code I'm trying to control your own app's setting to prevent a security vulnerability. – GAJJE82 Sep 19 '18 at 02:14
  • What prevents other apps from preventing your app from changing this setting? – Zun Sep 19 '18 at 07:38
  • @GAJJE82 did you find any solution to this? I am facing the same issue. It's varying from vendor to vendor. – Aditi Jan 21 '22 at 10:28
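
A check of the "set up properly as per the documentation" precondition from the question, as an added example that is not part of the original post or its comments: it reports hosts whose https intent filter lacks `android:autoVerify` or whose Digital Asset Links statement does not name the app's package and signing certificate. The manifest, the assetlinks.json content, the package name, the hosts and the fingerprint are constructed placeholders, and the script does not read or change the per-device "Go to supported URLs" setting.

```python
import json
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
RELATION = "delegate_permission/common.handle_all_urls"
REQUIRED = {"android.intent.action.VIEW", "android.intent.category.BROWSABLE"}

def app_link_hosts(manifest_xml):
    """Map each http(s) VIEW/BROWSABLE host to whether its filter sets autoVerify."""
    hosts = {}
    for f in ET.fromstring(manifest_xml).iter("intent-filter"):
        names = {e.get(NS + "name") for e in f if e.tag in ("action", "category")}
        data = f.findall("data")
        web = {d.get(NS + "scheme") for d in data} & {"http", "https"}
        if web and REQUIRED <= names:
            for host in filter(None, (d.get(NS + "host") for d in data)):
                hosts[host] = hosts.get(host, False) or f.get(NS + "autoVerify") == "true"
    return hosts

def authorizes(assetlinks_json, package, fingerprint):
    """True if a statement delegates handle_all_urls to this package and signing cert."""
    for stmt in json.loads(assetlinks_json):
        t = stmt.get("target", {})
        prints = {p.upper() for p in t.get("sha256_cert_fingerprints", [])}
        if (RELATION in stmt.get("relation", []) and t.get("namespace") == "android_app"
                and t.get("package_name") == package and fingerprint.upper() in prints):
            return True
    return False

def audit(manifest_xml, package, fingerprint, assetlinks_by_host):
    """Return {host: 'ok' | 'no-autoVerify' | 'missing-assetlinks' | 'not-authorized'}."""
    report = {}
    for host, verify in app_link_hosts(manifest_xml).items():
        doc = assetlinks_by_host.get(host)
        report[host] = ("no-autoVerify" if not verify else
                        "missing-assetlinks" if doc is None else
                        "ok" if authorizes(doc, package, fingerprint) else "not-authorized")
    return report

# Constructed sample input: package name, hosts and fingerprint are placeholders.
FP = ":".join(["AB"] * 32)
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<application><activity><intent-filter android:autoVerify="true">
<action android:name="android.intent.action.VIEW"/>
<category android:name="android.intent.category.BROWSABLE"/>
<data android:scheme="https" android:host="app.example.com"/><data android:host="www.example.com"/>
</intent-filter></activity></application></manifest>"""
ASSETLINKS = {"app.example.com": json.dumps([{"relation": [RELATION], "target": {
    "namespace": "android_app", "package_name": "com.example.app",
    "sha256_cert_fingerprints": [FP]}}])}
```

In a real check, `assetlinks_by_host` would hold the body served at `https://<host>/.well-known/assetlinks.json` for each host; here `audit(MANIFEST, "com.example.app", FP, ASSETLINKS)` flags `www.example.com` because no statement file was supplied for it.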

0 Answers