React Native using Android Verifiable App Links


Our application has recently undergone pen testing and on of the issues highlighted was " OAuth Account Takeover by hijacking custom schemes".

" The vulnerability arises from the application’s use of a custom scheme in the redirect_uri parameter during OAuth authentication.

In a typical OAuth scenario, redirect_uri should be guaranteed to belong to the client application (identified by client_id) that requests data from an identity provider (Google, Facebook, Github…). Using a custom scheme breaks that premise as it can be claimed by the application on the user’s device.

An example attack scenario is when a malicious app claims the custom scheme used by some OAuth client application and triggers an OAuth authentication flow to the target app, once the user successfully performs login and consents they’ll be redirected to the malicious app with the authentication token generated from the OAuth flow, allowing the malicious app to take over their account.

Attackers can bypass user interaction by leveraging certain techniques like express authentication flow or use OAuth parameters that are meant to skip the consent prompt if the user gave their consent before."

Their recommendation was to use Android’s verifiable app links, however, I am not seeing any docs for getting this setup with react native. I saw it mentioned in the native android docs, however, following the instructions did not work. I added the keystore fingerprints to the auth0 application through the portal and changed our auth0Scheme manifest placeholder to https. However, after the change, the app no longer redirects.

I was looking at the node package and thought this was causing this issue


so I removed it (monkey patched) and now the app will go back to the app but it does not authenticate at all. It just brings the app to the foreground as if nothing happened.

Any advice on this? We are using the universal web login for our app.

You’ll need to modify your AndroidManifest.xml to include intent filters with android:autoVerify="true" and host a JSON file on your website for verification.

I have already attempted to update the manifest, that’s where I ran into the issue where it doesn’t authenticate. It just brings the app to the foreground unchanged.