3. Deep links — Vulnerabilities and Recommendations

Insightful Savant
8 min read · Jul 28, 2023
[Image: Vulnerabilities in Deep links. A symbolic representation that Deep links have vulnerabilities.]

Now that we understand what a Deep link is and the types of Deep link across Android and iOS, it is time to talk about the common vulnerabilities around them. Why? A Deep link is not a standard in the way a hyperlink is (RFC 8288 of the IETF). Therefore, the variation in implementation, combined with a lack of controls during build and deployment, will have a negative impact on you, whether you are a Mobile developer, Product owner, or Business sponsor, or an end user who is unaware of the “What if?” scenarios that could go wrong when using Deep links.

In my career, I have done Threat modeling for many cloud native architectures, especially Mobile architectures. Threat modeling is nothing but asking the questions “What could go wrong?”, “What if this happens?” or “What if this does not happen?”. These questions, when pointed between two components in an architecture, which cybersecurity calls Trust Boundaries, will reveal great insights into the gaps in the implemented feature, and will bring up all the security non-functional requirements (NFRs) that were either implemented or not. I will write a detailed blog on what Threat Modeling really is in the near future, but for now let us focus on what could go wrong while implementing Deep links.

Threat modeling works to identify, communicate, and understand threats and mitigations within the context of protecting something…
