
I am trying to implement app links into my app to make sure that other malicious apps cannot register for my URL.

I read the guide on app links here https://developer.android.com/training/app-links/verify-site-associations.html and I have mostly understood it. But one thing which is not clear to me is how I can prevent malicious apps from receiving my domain links if my app is not installed.

Consider this scenario:

1. My app is not installed on the user's device.
2. Some malicious app is, and it knows the URL that my app handles.

Wouldn't this launch the malicious app and it can intercept my URL if the user selects that app from the disambiguation dialog? Is there any way to prevent it?

I understand that android:autoVerify="true" will trigger the domain verification when the app is installed, but what if the app is not installed?

Aakash Anuj

2 Answers


Whether the user has the app installed or not, the "illegal" app won't be able to handle your links, since it has no access to your domain in order to save the needed JSON file there. Am I clear?

Joaquin Iurchuk

There is a JSON file that is required during App Link configuration and that has to be uploaded to your server (it includes your app ID); through it your web app basically says to the Android OS: 'this is my counterpart on Android devices, I authorise it to handle these URLs'. Since app IDs are unique, there is no way another app can meet those conditions.

To quote the docs:

An Android App Link is a deep link based on your website URL that has been verified to belong to your website.

So, although an app may register an <intent-filter>, it ALSO has to be verified by the website whose URL it's trying to handle. And this happens on the server, so it is out of the reach of a mobile client.

See also HERE for a more detailed explanation.

barmacki
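Both answers rest on the same binding, so here is one added example of what that binding actually checks. It is not code from the question or the answers, and not Android's own verifier: a Python script that reads a constructed assetlinks.json and accepts a handler only when both its package name and the SHA-256 fingerprint of its signing certificate appear in a statement granting handle_all_urls. The host example.com, the package names and the certificate bytes are assumptions for illustration.

```python
"""Added example: decide whether an Android app is authorised by a domain's
Digital Asset Links statement list (assetlinks.json), the binding that the
App Links verifier applies when android:autoVerify runs at install time.
The JSON and the certificate bytes below are constructed for this example."""
import hashlib
import json

HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded signing certificate, formatted the way
    keytool prints it and the way assetlinks.json expects it (AB:CD:...)."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed stand-in for the genuine app's DER signing certificate.
MY_SIGNING_CERT = b"constructed stand-in for com.example.myapp signing cert"
MY_FINGERPRINT = cert_fingerprint(MY_SIGNING_CERT)

# Constructed example of https://example.com/.well-known/assetlinks.json
ASSETLINKS_JSON = json.dumps([
    {
        "relation": [HANDLE_ALL_URLS],
        "target": {
            "namespace": "android_app",
            "package_name": "com.example.myapp",
            "sha256_cert_fingerprints": [MY_FINGERPRINT],
        },
    }
])


def is_authorized(assetlinks_json: str, package_name: str,
                  fingerprint: str, relation: str = HANDLE_ALL_URLS) -> bool:
    """True only if some statement grants `relation` to an android_app target
    with BOTH this package name AND this signing-certificate fingerprint.
    A malformed or non-list file authorises nobody."""
    try:
        statements = json.loads(assetlinks_json)
    except json.JSONDecodeError:
        return False
    if not isinstance(statements, list):
        return False
    wanted = fingerprint.upper()
    for stmt in statements:
        if not isinstance(stmt, dict):
            continue
        relations = stmt.get("relation", [])
        if not isinstance(relations, list) or relation not in relations:
            continue
        target = stmt.get("target") or {}
        if target.get("namespace") != "android_app":
            continue
        if target.get("package_name") != package_name:
            continue
        allowed = {fp.upper() for fp in target.get("sha256_cert_fingerprints", [])}
        if wanted in allowed:
            return True
    return False


if __name__ == "__main__":
    evil_fingerprint = cert_fingerprint(b"constructed attacker signing cert")
    # The genuine app: right package name, right signing certificate.
    print(is_authorized(ASSETLINKS_JSON, "com.example.myapp", MY_FINGERPRINT))    # True
    # A different package name, even with the genuine fingerprint.
    print(is_authorized(ASSETLINKS_JSON, "com.attacker.app", MY_FINGERPRINT))     # False
    # A repackaged clone reusing the package name but signed by another key.
    print(is_authorized(ASSETLINKS_JSON, "com.example.myapp", evil_fingerprint))  # False
```

The package name alone is not the unique identity here; the certificate fingerprint is what a clone cannot reproduce, which is why the check requires both. On a device running Android 12 or later, `adb shell pm get-app-links <package>` shows whether the real verification succeeded for your app's hosts.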