Rahul Kankrale & Yogesh Anil Tantak


Talk Title :

Deep Links can be Friends of Spyware - Analysis The Dangerous Role Of Deep Links


Abstract :

App developers set up android deep links to navigate users in the app's specific part or feature in order to create sophisticated campaigns while providing a better user experience. Deep links can be triggered from any website (web browser) or other applications, thus potentially increasing the app attack surface and causing unauthorised execution of app components.

In smartphone Camera, microphone and location are considered as dangerous permissions and always being targeted by hackers to spy on users, so recently I have researched Samsung’s stock/pre-installed Camera app and It was found that the implementation of deep links as well as deep link handler activity were not protected by permission, so any arbitrary android application/website could have used those deep links to record the capture the image, record the video, get GPS location from photo meta and turn on/off flash, etc without dangerous/any permission, user interaction and even device is in locked state which could have affected or affecting billions of users because patch is rolling out model and country wise and currently received on multiple devices.

These vulnerabilities can be categorised into two types of attack scenarios: attacking by arbitrary android apps and attacking by websites (web browser). For example,

  1. invoke video recording deep link with the help of intent from the arbitrary app.
  2. creating ads on a webpage to auto invoke video recording deep link. Finally, pre-installed camera stores captured and recorded data on external storage so it can be easily retrieved with read external storage permission.

Spyware creators always looking for less user Interaction, minimum code for exploitation and most importantly without dangerous permissions hence using this type of sensitive deep links vulnerability can help spyware to become trusted app. Activity which handles sensitive deep links should be protected by custom permission with the signature protectionLevel so only app which has signed with same certificate would be allowed to invoke sensitive deep link.

Bio :

A passionate security professional with experience of hunting for vulnerabilities with companies who provide responsible disclosures, I particularly enjoy working in teams and building tools that speed-up the time cycle of code review. For the past few years I have been focusing on Android security research.

Achievement :

  1. Unique Bug Of The Year award by Bug Bounty Village(OWASP Seasides 2020)
  2. AndroidHackingMonth Award by Hackerone
  3. Top Scorer (Rank 4) at BountyCon2019 CTF organized by Facebook & Google.
  4. 1733 vulnerabilities reported on OpenBugBounty Platform to multiple websites and helped fix 1292 vulnerabilities.
My published findings : https://servicenger.com

Want to connect with Rahul Kankrale?

Yogesh Tantak is a security Architect in TechMahindra and he has 7 years of experience in bug bounties. He is very passionate about web application security & Android application security. Yogesh was in the Facebook Top 10 researchers list F.Y.2016. Also he has secured the global 3rd Rank at BountyCon CTF 2019 Jointly organized by Facebook & Google at Singapore.

Want to connect with Yogesh Anil Tantak?