0

I have a simple requirement. Native app A needs to start an Activity in native app B. Per Google Dev docs there are two ways to do it: 1. Use Implicit Intents 2. Use App Links

Which is a better approach from security standpoint?

Sai
  • 2,089
  • 3
  • 19
  • 30
  • Pretty much equal. The big problem with either is you can never be assured that the recipient will actually be your app and not a malicious actor, so don't pass anything sensitive via either. – Gabe Sechan Sep 09 '19 at 19:44

1 Answers1

1

From a security standpoint App Links would be the better approach. With app links you setup a url that links to a domain you own. That url is configured in both your client app and on the server that hosts the domain. If the user doesn't have the app installed, that supports the app link, then you are directed to the website instead of the app.

With Implicit Intents, any app can register that intent. If more than one app has that intent registered, then an app chooser is displayed, for the user to decide which app should open that intent. Also, if no app is installed that is registered for that intent, then you need to check for that otherwise an exception will be thrown indicating that there is no app to handle your intent execution.

The downside to App Link is that it's only supported on Android 6.0 (API level 23) and higher and it requires an extra configuration on the website domain.

Jason Grife
  • 1,197
  • 11
  • 14
  • With implicit intents, can't you solve the security issue with custim permissions? Only your app and the partner app would know the custom permission in this case. – Sai Sep 09 '19 at 21:38
  • You can, but beware of the ["first one in wins"](https://commonsware.com/blog/2014/02/12/vulnerabilities-custom-permissions.html) vulnerability. – Jason Grife Sep 09 '19 at 21:53