Severity: medium · CWE-926 · OWASP A01:2021

Deep Link Hijacking

Custom URL schemes without host verification let malicious apps intercept your app's deep links and steal OAuth tokens or sensitive parameters.

How It Works

When you register a URL scheme like myapp://, any app can claim that scheme; neither Android nor iOS verifies that the scheme belongs to you. If your OAuth flow redirects to myapp://callback?token=xyz, a malicious app registered with the same scheme can receive the redirect instead of yours and read the token out of the URL. Android and iOS both allow multiple apps to handle the same scheme: Android may show the user a chooser between them, and on iOS it is undefined which app receives the link.

Vulnerable Code
// BAD: custom scheme with no host verification — interceptable by any app
// app.json (Expo): any app can register myapp:// and receive these links
{
  "expo": {
    "scheme": "myapp"
  }
}

Secure Code
// GOOD: HTTPS universal links / App Links are domain-verified, so only the app proven by files you host on myapp.com receives them
// app.json (Expo)
{
  "expo": {
    "scheme": "myapp",
    "ios": {
      "associatedDomains": ["applinks:myapp.com"]
    },
    "android": {
      "intentFilters": [{
        "action": "VIEW",
        "autoVerify": true,
        "data": [{ "scheme": "https", "host": "myapp.com", "pathPrefix": "/callback" }],
        "category": ["BROWSABLE", "DEFAULT"]
      }]
    }
  }
}
// iOS: requires the apple-app-site-association file on your domain
// Android: autoVerify requires /.well-known/assetlinks.json on your domain; without it the https filter is an ordinary deep link that other apps can also claim

Real-World Example

CVE-2019-14801 demonstrated deep link hijacking in multiple popular Android apps. Attackers published apps with matching URL schemes to the Play Store, intercepting OAuth tokens from legitimate apps.

How to Prevent It

  • Use Universal Links (iOS) and App Links (Android) with HTTPS instead of custom URL schemes for OAuth
  • Validate the redirect URI server-side against a whitelist of allowed URIs
  • Use PKCE (Proof Key for Code Exchange) in OAuth flows: the authorization code is bound to a secret code_verifier that never leaves the app that started the flow, so an intercepted code cannot be exchanged for a token
  • Never pass tokens or sensitive data in URL parameters — use server-side sessions

Affected Technologies

React Native, iOS, Android

Data Hogo detects this vulnerability automatically.
