How does Android Deeplink work from security perspective?

Time:04-19

I was just about to go through different resources on "Android Deeplink". Here I have a question regarding the security of it.

As I understood, I can create an intent-filter, let's say for www.myapp.de/goto. This will put a user into my app if he clicks a link.

As well, I am the owner of www.myapp.de.

How can a different developer be prevented from using a deeplink in his app, opening his app, even if the domain is mine?

So in this case I could register an intent-filter for www.google.de/open/ which will cause Android to open my developed app?

This makes no sense to me. What am I getting wrong about deeplinks?

CodePudding user response:

Other developers can create a deep link for your URL and there is nothing you can do about it.

If multiple apps can handle the same URL as a deep link, the Android OS will ask users with which app they want to open it.

You can upgrade a deeplink to an app link. You can upload the public signature of your app to your URL. This way Android can verify the owner of a deep link URL.

Apps that use app links will automatically open a URL for a verified URL. Therefore they will be the preferred option even if other apps are installed that handle the same URL.

CodePudding user response:

Create a Digital Asset Links JSON file and put your package name and sha256_cert_fingerprints in the file, like in the documentation.

If you have different package names for your release and debug builds, then you need an entry in the JSON for both, with the corresponding package name and sha_256 fingerprint, to ensure the functionality on both debug and release builds.

If you enabled Google Play App Signing, then you must put the sha_256 fingerprint of Google's certificate into your digital assets JSON for release builds. You can find the fingerprint in the Google Play Console in the App integrity section. There is also an automatically created Digital Asset Links JSON file for your app, which you can use directly.
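
Added example (not part of either answer above): a Python check that parses a Digital Asset Links file and reports whether a given package name and signing-certificate fingerprint are both listed for the `delegate_permission/common.handle_all_urls` relation, which is what separates a verified app link from a plain deep link. The package names `de.myapp` and `de.myapp.debug` and all fingerprints are constructed placeholders.

```python
import json
import re

# Relation Android looks for when verifying App Links.
HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"
# A SHA-256 certificate fingerprint: 32 colon-separated hex bytes.
FP_RE = re.compile(r"^([0-9A-F]{2}:){31}[0-9A-F]{2}$")

def normalize(fp):
    return fp.strip().upper()

def authorized_apps(assetlinks_text):
    """Return {package_name: set(fingerprints)} granted handle_all_urls."""
    apps = {}
    for stmt in json.loads(assetlinks_text):
        target = stmt.get("target", {})
        if HANDLE_ALL_URLS not in stmt.get("relation", []):
            continue
        if target.get("namespace") != "android_app":
            continue
        fps = {normalize(f) for f in target.get("sha256_cert_fingerprints", [])}
        bad = sorted(f for f in fps if not FP_RE.match(f))
        if bad:
            raise ValueError(f"malformed fingerprint(s): {bad}")
        apps.setdefault(target.get("package_name"), set()).update(fps)
    return apps

def is_verified(assetlinks_text, package_name, signing_fp):
    """True only if this package AND this signing certificate are both listed."""
    listed = authorized_apps(assetlinks_text).get(package_name, set())
    return normalize(signing_fp) in listed

# Constructed sample: hypothetical packages and made-up fingerprints.
RELEASE_FP = ":".join(["AB"] * 32)  # stands in for the Play App Signing cert
DEBUG_FP = ":".join(["CD"] * 32)    # stands in for the local debug cert
OTHER_FP = ":".join(["EF"] * 32)    # stands in for another developer's cert
SAMPLE = json.dumps([
    {"relation": [HANDLE_ALL_URLS],
     "target": {"namespace": "android_app", "package_name": "de.myapp",
                "sha256_cert_fingerprints": [RELEASE_FP]}},
    {"relation": [HANDLE_ALL_URLS],
     "target": {"namespace": "android_app", "package_name": "de.myapp.debug",
                "sha256_cert_fingerprints": [DEBUG_FP]}},
])

if __name__ == "__main__":
    print(is_verified(SAMPLE, "de.myapp", RELEASE_FP))  # own release build
    print(is_verified(SAMPLE, "de.myapp", OTHER_FP))    # same name, other cert
```

Android fetches this file from `https://<your-domain>/.well-known/assetlinks.json`, so running the check against the deployed file catches a release entry that still lists the upload key instead of the Play App Signing certificate.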
