Deep-C

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://github.com/KishorBal/deep-C
• Blog Title: Deep-C
• Suggested Section: Mobile Pentesting → Android Applications Pentesting (likely under/near: Custom URI Handlers / Deeplinks, Intent Injection, and/or WebView Attacks). Add a subsection on deep link security testing + adb intent PoC patterns, and optionally reference Deep-C as an automation tool.

🎯 Content Summary

Deep-C is an Android Deep Link Exploitation Framework focused on finding and validating real-world exploitable deep link issues by automatically decompiling APKs, enumerating externally reachable entry points, correlating them with risky code patterns (notably WebView.loadUrl flows and weak URL validation), and generating copy/paste (and optionally auto-executed) adb Proof-of-Concept commands.🔧 Technical Details

Externally reachable deep link entry points via intent-filters: Any Android Activity with an intent-filter that accepts Intent.ACTION_VIEW and includes BROWSABLE (and is exported) can be invoked from outside the app using a crafted URI (custom schemes like myapp:// or app links like https://...). This makes deep link handlers a remote attack surface because the attacker controls the incoming URI and any parsed parameters.

Bypassing weak URL/host validation in deep link handlers: Deep link security often fails when apps validate destinations using weak string checks such as contains, endsWith, or permissive regex. Depending on how URLs are parsed/decoded, these checks can be bypassed using crafted hostnames/subdomains and encoding tricks, allowing open redirects, unintended routing, or acceptance of attacker-controlled destinations in sensitive flows.

...

🤖 Agent Actions

Summary:

• Expanded the Android deep links section with security-testing guidance: identifying exported+browsable entry points, weak host validation patterns, WebView loadUrl sinks, and multiple adb PoC templates (including javascript: variants).
• Added operational tips and automation note for Deep-C to quickly enumerate exploitable deep links and generate PoCs.
• Updated references to include the Deep-C framework repository.

Tests:

• Not run (not applicable for documentation changes).

References:

• https://github.com/KishorBal/deep-C

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://github.com/KishorBal/deep-C

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting → Android Applications Pentesting (likely under/near: Custom URI Handlers / Deeplinks, Intent Injection, and/or WebView Attacks). Add a subsection on deep link security testing + adb intent PoC patterns, and optionally reference Deep-C as an automation tool.".

Repository Maintenance:

• MD Files Formatting: 944 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0