App developers set up Android deep links to take users to a specific part or feature of the app, supporting sophisticated campaigns while providing a better user experience. Deep links can be triggered from any website (web browser) or from other applications, thus potentially increasing the app's attack surface and causing unauthorized execution of app components.

On smartphones, camera, microphone and location are considered dangerous permissions and are always targeted by hackers to spy on users. I recently researched Samsung's stock/pre-installed Camera app and found that the implementation of deep links and the deep link handler activity were not protected by a permission, so any arbitrary Android application or website could have used those deep links to record voice, capture images, record video, get the GPS location from photo metadata, turn the flash on/off, etc., without any permission (dangerous or otherwise), without user interaction, and even while the device is locked, which could have affected billions of users.

These vulnerabilities can be categorised into two types of attack scenarios: attacks by arbitrary Android apps and attacks by websites (web browser). For example: 1) invoking voice recording deep links with an intent from an arbitrary app; 2) creating ads on a webpage that automatically invoke video recording deep links. Finally, the pre-installed camera stores captured and recorded data on external storage, so it can be easily retrieved with the read external storage permission.

Spyware creators are always looking for less user interaction, minimal exploitation code and, most importantly, no dangerous permissions; hence this type of sensitive deep link vulnerability can help spyware become a trusted app.
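As an added illustration from the defender's side (not code from the talk or from Samsung), the following audit flags the pattern described above: an exported activity that handles deep-link URIs without declaring `android:permission`. The manifest is a constructed sample; the package, activity, scheme and permission names are hypothetical, and an application-level `android:permission` is not considered.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest; package, activity and scheme names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.camera">
  <application>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="examplecam" android:host="record"/>
      </intent-filter>
    </activity>
    <activity android:name=".GuardedLinkActivity" android:exported="true"
              android:permission="com.example.camera.permission.DEEPLINK">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="examplecam" android:host="flash"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

def audit_deep_links(manifest_xml):
    """Return exported deep-link activities that declare no android:permission."""
    findings = []
    for comp in ET.fromstring(manifest_xml).iter("activity"):
        filters = comp.findall("intent-filter")
        exported = comp.get(ANDROID + "exported")
        # Before Android 12 a component with an intent filter and no explicit
        # android:exported defaulted to exported, so treat "missing" as exposed.
        is_exported = exported == "true" or (exported is None and bool(filters))
        if not is_exported or comp.get(ANDROID + "permission"):
            continue
        for f in filters:
            schemes = sorted({d.get(ANDROID + "scheme") for d in f.findall("data")} - {None})
            cats = {c.get(ANDROID + "name") for c in f.findall("category")}
            if schemes:  # only URI (deep link) filters are of interest
                # BROWSABLE: a web page can trigger it, not only installed apps.
                findings.append((comp.get(ANDROID + "name"), schemes,
                                 "android.intent.category.BROWSABLE" in cats))
    return findings

if __name__ == "__main__":
    print(audit_deep_links(SAMPLE_MANIFEST))
```

Each finding is a tuple of activity name, URI schemes and whether the filter is reachable from a web page; findings for handlers that trigger sensitive actions are the ones to gate behind a permission or a user confirmation step.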

Presentation outtakes:

  • Introduction to key terms
  • Finding vulnerabilities
  • Attack Surfaces
  • Live Demos
  • Countermeasures
  • The Responsible Disclosure

About the speaker

Rahul Kankrale is a passionate security professional with experience hunting for vulnerabilities with companies that offer responsible disclosure programs. Rahul particularly enjoys working in teams and building tools that speed up the code review cycle. For the past few years he has been focusing on Android security research and has had multiple findings published.