Deep links are a magical part of the mobile experience. They allow a user to click a link and be taken directly to a specific screen within your app, bypassing the home screen. For years, the standard way to do this was with a custom URI scheme, like myapp://products/123.
But this old method has a critical security flaw: nothing ties a custom scheme to a particular developer, so any app can register the same URI scheme. A malicious app can therefore intercept your deep links, potentially stealing sensitive data carried in them or phishing your users. This is known as deep link hijacking. The modern, secure solution is to use Android App Links.
The Vulnerability of Custom URI Schemes
When a user clicks a link like myapp://..., the Android system looks for any installed app that has registered an intent filter for that scheme. If multiple apps have registered the same scheme, the user is presented with a disambiguation dialog asking them which app to use. That dialog is no real protection: an attacker can easily create a malicious app that registers your scheme, give it your app's name and icon, and rely on the user picking it (or having once chosen "Always" for it).
Consider a password reset link such as myapp://reset?token=abc123. If a malicious app hijacks this link, it receives the full URI, can read the password reset token from it and take over the user's account.
The Solution: Verified Android App Links
Android App Links solve this problem by using standard http and https URLs that you own. You then create a verifiable link between your website and your app. This tells the Android system that only your app is the designated handler for links to your website. Verification is available on Android 6.0 (API level 23) and later; on older versions, or if verification fails, the link is treated like an ordinary deep link and the disambiguation dialog can appear again.
When a user clicks a verified link like https://www.androshelf.com/products/123, the system opens your app directly, without showing a dialog. No other app can intercept it, because no other app can prove it is listed in your website's statement file.
How the Verification Works: Digital Asset Links
The magic behind this is a file called assetlinks.json. You host this file on your website. When your app is installed (and again on update), the Android system fetches this file over HTTPS from every host declared in your autoVerify intent filters and verifies two things:
- That the app trying to handle the links has the package name you specified in the file.
- That the app is signed with the same SHA-256 certificate fingerprint you specified in the file.
If both of these match, the link is considered verified, and your app becomes the default handler. If the file is missing on any declared host, or the package name or fingerprint does not match, verification fails and the app is not made the default handler for those links.
Step-by-Step Implementation
Step 1: Configure Your `AndroidManifest.xml`
In your manifest, add an intent filter for the https URLs you want to handle. The crucial part is adding android:autoVerify="true". This tells the system to perform the verification process when the app is installed. Note that the activity must be declared with android:exported="true" (required on Android 12 and later for any activity with an intent filter) and that android:host must be the exact host the file will be served from.
<activity
android:name=".ProductActivity"
android:exported="true">
<intent-filter android:autoVerify="true">
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data
android:scheme="https"
android:host="www.androshelf.com"
android:pathPrefix="/products" />
</intent-filter>
</activity>
Step 2: Generate Your `assetlinks.json` File
You need the SHA-256 fingerprint of the certificate that actually signs the installed APK. If you use Play App Signing, that is the app signing certificate shown in the Play Console under "App signing", not your upload key. The `signingReport` Gradle task prints the fingerprint for each build variant's keystore (debug builds use a different key, so list the debug fingerprint too if you want debug builds to verify). You can also read it straight from a built APK with `apksigner verify --print-certs app.apk` or `keytool -printcert -jarfile app.apk`.
Android Studio has a built-in tool to generate the file for you: Tools > App Links Assistant. Follow the wizard, and it will generate the JSON content.
Example `assetlinks.json`:
[{
  "relation": ["delegate_permission/common.handle_all_urls"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.androshelf.app",
    "sha256_cert_fingerprints":
      ["FA:C6:17:45:DC:09:03:78:6F:47:7A:89:33:8F:65:64:33:B4:2E:84:3E:19:02:95:98:34:32:6B:8C:8D:67:CE"]
  }
}]
Step 3: Host the File on Your Website
This is a critical step. The `assetlinks.json` file MUST be hosted at the following specific URL, on every host you declared in an autoVerify intent filter (for the manifest above that is www.androshelf.com; a copy on the bare androshelf.com does not count):
https://www.yourdomain.com/.well-known/assetlinks.json
Make sure your server serves it over HTTPS with a valid certificate, returns HTTP 200 with a `Content-Type` of `application/json`, requires no authentication, and does not redirect (the verifier does not follow redirects, so even an http-to-https or apex-to-www redirect breaks verification). The file is a JSON array, so one file can list several statements, for example one per app or one per signing certificate.
Step 4: Test Your Implementation
Once you've uploaded the file, you can check how the device resolves the link using ADB:
adb shell am start -a android.intent.action.VIEW \
-c android.intent.category.BROWSABLE \
-d "https://www.androshelf.com/products/123"
If everything is configured correctly, this command will open your app directly to the `ProductActivity`. If verification failed, you will get the disambiguation dialog or the default browser instead. That command only exercises intent resolution, so also inspect the verification state directly: on Android 12 and later run `adb shell pm get-app-links com.androshelf.app` (and `adb shell pm verify-app-links --re-verify com.androshelf.app` to re-run verification); on older versions use `adb shell dumpsys package domain-preferred-apps`. You can also ask Google's Digital Asset Links API what it sees on your site: https://digitalassetlinks.googleapis.com/v1/statements:list?source.web.site=https://www.androshelf.com&relation=delegate_permission/common.handle_all_urls
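The checks from Steps 2 to 4 are easy to get subtly wrong (a redirect from the apex domain, a `text/html` content type, an upload-key fingerprint instead of the app signing one). The following script, an added example that is not part of the original article, performs those checks offline on a statement file and shows how the fingerprint string is derived from the DER-encoded signing certificate. The sample certificate bytes are constructed and not a real certificate; `fetch_and_check`, `check_statement` and `fingerprint_from_der` are hypothetical helper names, and the host and package come from the article's example.

```python
"""Validate an assetlinks.json statement file the way the App Links
verifier will: HTTP 200, no redirect, JSON content type, and a
statement that names your package and signing-cert fingerprint.
Added example, stdlib only."""
import hashlib
import json
import re
import urllib.error
import urllib.request

RELATION = "delegate_permission/common.handle_all_urls"
# 32 hex bytes separated by colons, the form keytool/apksigner print.
FP_RE = re.compile(r"^(?:[0-9A-F]{2}:){31}[0-9A-F]{2}$", re.IGNORECASE)


def fingerprint_from_der(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded signing certificate, formatted as it
    must appear in sha256_cert_fingerprints (uppercase, colon separated)."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_statement(body: bytes, package: str, expected_fps: set,
                    content_type: str = "application/json",
                    status: int = 200, redirected: bool = False) -> list:
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    if redirected:
        problems.append("served via redirect; the verifier does not follow redirects")
    if status != 200:
        problems.append(f"HTTP status {status}, expected 200")
    if content_type.split(";")[0].strip().lower() != "application/json":
        problems.append(f"Content-Type {content_type!r}, expected application/json")
    try:
        statements = json.loads(body)
    except ValueError as exc:
        problems.append(f"body is not valid JSON: {exc}")
        return problems
    if not isinstance(statements, list):
        problems.append("top-level value must be a JSON array of statements")
        return problems
    wanted = {fp.upper() for fp in expected_fps}
    matched = False
    for i, st in enumerate(statements):
        if not isinstance(st, dict):
            problems.append(f"statement {i}: not a JSON object")
            continue
        target = st.get("target", {})
        fps = target.get("sha256_cert_fingerprints", [])
        for fp in fps:
            if not (isinstance(fp, str) and FP_RE.match(fp)):
                problems.append(f"statement {i}: malformed fingerprint {fp!r}")
        listed = {fp.upper() for fp in fps if isinstance(fp, str)}
        if (RELATION in st.get("relation", [])
                and target.get("namespace") == "android_app"
                and target.get("package_name") == package
                and wanted & listed):
            matched = True
    if not matched:
        problems.append(f"no {RELATION} statement grants {package} "
                        "with an expected fingerprint")
    return problems


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects so they surface as an HTTPError instead of being followed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_and_check(host: str, package: str, expected_fps: set) -> list:
    """Fetch https://<host>/.well-known/assetlinks.json and check it. Use the
    exact host from the intent filter (www.androshelf.com, not the bare apex)."""
    url = f"https://{host}/.well-known/assetlinks.json"
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return check_statement(resp.read(), package, expected_fps,
                                   resp.headers.get("Content-Type", ""),
                                   resp.getcode())
    except urllib.error.HTTPError as exc:
        if exc.code in (301, 302, 303, 307, 308):
            return check_statement(b"", package, expected_fps, "", exc.code,
                                   redirected=True)
        return [f"HTTP {exc.code} fetching {url}"]


# Constructed sample: not a real certificate, just bytes to hash.
SAMPLE_CERT_DER = b"constructed-sample-cert-bytes"
SAMPLE_FP = fingerprint_from_der(SAMPLE_CERT_DER)
GOOD_BODY = json.dumps([{
    "relation": [RELATION],
    "target": {"namespace": "android_app",
               "package_name": "com.androshelf.app",
               "sha256_cert_fingerprints": [SAMPLE_FP]},
}]).encode()

if __name__ == "__main__":
    print(check_statement(GOOD_BODY, "com.androshelf.app", {SAMPLE_FP}))  # []
    print(check_statement(GOOD_BODY, "com.androshelf.app", {SAMPLE_FP},
                          content_type="text/html"))
    # Live check against your own host, package and fingerprint:
    # print(fetch_and_check("www.androshelf.com", "com.androshelf.app", {SAMPLE_FP}))
```

Run it against the real file with `fetch_and_check` once the file is live; the redirect handler deliberately refuses to follow redirects, because a statement file that is only reachable after a redirect is exactly the case the platform verifier rejects.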
By migrating to verified Android App Links, you close a major security hole and provide a more seamless experience for your users. It's a win-win that should be a standard practice for every modern Android app.