Çağlar Arlı

Possibility of eavesdropping on app-server comms after redirect to deep link

I'm being asked to investigate a possible attack vector that I don't understand and I don't want to take action that is useless or even negatively affects users if it isn't going to address something real.

The current interaction is:

  1. Attacker creates mybadsite.com
  2. Attacker signs up to MyApp and obtains a real deep link that points to https://myapp.com/invite/12345
  3. Hacker embeds deep link in mybadsite.com?redirect=https://myapp.com/invite/12345 and then gets an innocent-looking link from a URL shortener
  4. Hacker sends shortened link to lots of MyApp customers
  5. Customer clicks shortened link, browser visits shortener, then mybadsite.com
  6. mybadsite.com does something, starts tracking (something, somehow)
  7. mybadsite.com redirects browser to https://myapp.com/invite/12345
  8. myapp.com server responds with data for deep linking
  9. OS tells MyApp to open, and the interaction between the customer, the customer's app and the server is somehow logged

Is this a real possibility?

I imagined that the worst possibility would be phishing from a site that looks like myapp.com, but that is not what the person asking me is worried about. They are specifically talking about "spying".

I can see how step 6 above could lead to something being added to the browser. What could be added?

When MyApp is finally opened, what data from the browser is passed on to the app? Would it include anything malicious from step 6? Have I understood how deep links work correctly?

If in step 9 the interaction between the customer and MyApp includes signing in via a webview, what (if any) "bad tracking thing" could possibly reach the webview?

Is there a possibility of the myapp.com web server preventing redirection from unrecognised sites in step 8? Would that prevent the links being shared inside chat apps that rewrite URLs for tracking purposes?
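One way the myapp.com server could act on the request in step 8, shown here as an added example that is not part of the question or of any real MyApp code: classify the request by its Referer header against an allowlist of known hosts, and serve an interstitial page instead of the deep-link response when the referring site is unrecognised. The allowlist, the header dictionary, and the decision to still serve requests with no Referer at all (the usual case for links opened from chat apps) are assumptions made for illustration.

```python
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed allowlist for illustration; a real deployment would hold the
# operator's own hosts (and any link-wrapping services it chooses to tolerate).
TRUSTED_REFERRER_HOSTS = {"myapp.com", "www.myapp.com"}


def _header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def classify_referrer(headers: dict) -> Tuple[str, Optional[str]]:
    """Classify the Referer of a request to /invite/<id>.

    Returns (verdict, host) where verdict is:
      "trusted"  Referer host is on the allowlist
      "unknown"  Referer present but from an unrecognised host
      "missing"  no Referer header at all

    Caveat: the Referer names the document that initiated the navigation,
    filtered by that document's referrer policy; a 3xx redirect hop does not
    replace it, and many chat apps and shorteners send none. The check is a
    heuristic about where the user came from, not a guarantee.
    """
    referer = _header(headers, "Referer")
    if not referer:
        return "missing", None
    host = urlparse(referer).hostname  # .hostname is already lower-cased
    if host is None:
        return "unknown", None
    return ("trusted" if host in TRUSTED_REFERRER_HOSTS else "unknown"), host


def handle_invite(invite_id: str, headers: dict) -> dict:
    """Decide what /invite/<id> returns (assumed policy for illustration).

    Trusted or missing referrers get the deep-link response, so links opened
    from chat apps keep working; an unrecognised referrer gets an interstitial
    page and a log line the operator can review.
    """
    verdict, host = classify_referrer(headers)
    if verdict == "unknown":
        return {"response": "interstitial", "log": f"invite {invite_id} referred by {host}"}
    return {"response": f"deeplink:{invite_id}", "log": None}
```

Because the Referer is optional and policy-dependent, this distinguishes an unrecognised referring site from no referring site at all, and refuses nothing outright; blocking on a missing Referer would break exactly the chat-app sharing the question asks about.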