Full Report
Jetpack Compose is a new way of building UIs on Android, replacing the Fragment-based style. Navigation between screens is now navigation between composable functions, and the Jetpack Navigation library is used to move users between them. A developer can also do this using deep links on Android. Previous research found that an attacker can route to arbitrary screens of an application through deep links, even when the app does not declare any. The Jetpack Navigation library has implicit deep links: internally it assigns a deep link to every route the developer creates, usually without the developer being aware of it. As a result, a malicious application on the same device can invoke the handler for any route. The recommendation to users is simply NOT to use this library. The example exploit bypassed a PIN screen in the app by force-browsing to a different screen. Good post!
Analysis Summary
# Vulnerability: Implicit Deep Link Routing in Jetpack Navigation
## CVE Details
- **CVE ID**: Not Assigned (The vendor, Google, currently disputes this as a "feature" or "intended behavior" rather than a security flaw).
- **CVSS Score**: Estimated 7.5 (High) - [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N]
- **CWE**: CWE-285: Improper Authorization, CWE-912: Hidden Functionality.
## Affected Systems
- **Products**: Android applications utilizing the Jetpack Navigation library, specifically the Compose extension.
- **Versions**: All current versions of `androidx.navigation:navigation-compose`.
- **Configurations**: Applications using `NavHost` where the developer has defined routes via `composable` functions, even if no explicit deep links are defined in the Manifest or the navigation graph.
## Vulnerability Description
The Jetpack Navigation library automatically generates "implicit" deep links for every route defined within a navigation graph. Internally, the library assigns a URI pattern to each route (e.g., `android-app://androidx.navigation/route_name`).
Because the library is designed to handle navigation globally, a malicious application on the same device can send an Intent targeting these internal URIs. This allows an attacker to "force-browse" to any registered screen, bypassing the intended application flow (such as login screens, PIN entry, or onboarding) and directly accessing internal screens that the developer assumed were unreachable without prior authentication.
## Exploitation
- **Status**: PoC available; demonstrated in research by PT SWARM.
- **Complexity**: Low.
- **Attack Vector**: Local (A malicious app installed on the same device sends a crafted Intent).
## Impact
- **Confidentiality**: High. Attackers can access screens displaying sensitive user data or web content.
- **Integrity**: High. Potential for session hijacking if the target screen accepts arguments (like URLs) that are used to load data with the user's headers/tokens.
- **Availability**: Low.
## Remediation
### Patches
- **No official patch available**: As of the report date, Google maintains this is intended functionality. The library continues to auto-generate these routes.
### Workarounds
- **Mandatory Conditional Navigation**: Developers must implement authorization checks on *every* individual screen/composable, rather than relying on a single entry point (like a Splash or PIN screen).
- **Manual Intent Filtering**: Validate incoming Intents manually to ensure they originated from a trusted source, though this is difficult within the Jetpack Compose navigation abstraction.
- **Alternative Libraries**: The researcher's primary recommendation is to avoid using the Jetpack Navigation library for security-sensitive applications until a mechanism to disable implicit deep links is provided.
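The first workaround, an authorization check on every sensitive destination rather than only at the PIN entry point, is shown below as an added example written for this summary; it is not code from the PT SWARM post or from the Jetpack library. It assumes an app-side `SessionState` holder that is unlocked only after a successful PIN entry, and the route names `pin` and `vault` are placeholders. Because the library auto-generates an `android-app://androidx.navigation/<route>` link for each `composable` route, a forced arrival at `vault` is caught by the guard on the destination itself and redirected to the PIN screen.

```kotlin
// Added example (not from the PT SWARM research or the Jetpack Navigation library):
// a per-destination authorization guard for navigation-compose.
// Assumed: SessionState is an app-defined holder; "pin" and "vault" are placeholder routes.
import androidx.compose.material3.Button
import androidx.compose.material3.Text
import androidx.compose.runtime.Composable
import androidx.compose.runtime.LaunchedEffect
import androidx.compose.runtime.collectAsState
import androidx.compose.runtime.getValue
import androidx.navigation.NavHostController
import androidx.navigation.compose.NavHost
import androidx.navigation.compose.composable
import androidx.navigation.compose.rememberNavController
import kotlinx.coroutines.flow.MutableStateFlow
import kotlinx.coroutines.flow.StateFlow

// Assumed app-side session holder; unlocked only after a successful PIN entry.
object SessionState {
    private val _unlocked = MutableStateFlow(false)
    val unlocked: StateFlow<Boolean> = _unlocked
    fun unlock() { _unlocked.value = true }
    fun lock() { _unlocked.value = false }
}

// Guard composable: every sensitive destination wraps its content in this, so an
// arrival through the implicit android-app://androidx.navigation/<route> deep link
// still lands on the PIN screen unless the session has already been unlocked.
@Composable
fun RequireUnlocked(navController: NavHostController, content: @Composable () -> Unit) {
    val unlocked by SessionState.unlocked.collectAsState()
    if (unlocked) {
        content()
    } else {
        LaunchedEffect(Unit) {
            navController.navigate("pin") {
                // Clear the forced destination from the back stack so "Back" cannot reveal it.
                popUpTo(0) { inclusive = true }
            }
        }
    }
}

// Placeholder PIN screen: the real app would verify the entered PIN before calling onSuccess.
@Composable
fun PinScreen(onSuccess: () -> Unit) {
    Button(onClick = onSuccess) { Text("Enter PIN") }
}

// Placeholder sensitive screen that must never render without an unlocked session.
@Composable
fun VaultScreen() {
    Text("Sensitive content")
}

@Composable
fun AppNavHost(navController: NavHostController = rememberNavController()) {
    NavHost(navController = navController, startDestination = "pin") {
        composable("pin") {
            PinScreen(onSuccess = {
                SessionState.unlock()
                navController.navigate("vault")
            })
        }
        // Vulnerable pattern described in the report: composable("vault") { VaultScreen() }
        // relies on the PIN screen being the only way in, which the implicit deep link bypasses.
        // Hardened: the check lives on the destination itself, not only at the entry point.
        composable("vault") {
            RequireUnlocked(navController) { VaultScreen() }
        }
    }
}
```

The guard reads the session state on every composition, so it also covers the case where the app is backgrounded, locked with `SessionState.lock()`, and then re-entered through the implicit link. Note that this only closes the force-browsing path; it does not stop the library from generating the implicit links, which is why the report still recommends treating the library as unsuitable for security-sensitive flows until they can be disabled.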
## Detection
- **Indicators of Compromise**: Presence of Intents with the scheme `android-app://androidx.navigation/` in device logs.
- **Detection Methods**: Security researchers should audit the compiled `NavGraph` to identify all registered routes. Static analysis tools can be used to check if sensitive screens lack internal authorization logic.
## References
- **Original Research**: hxxps[://]swarm[.]ptsecurity[.]com/android-jetpack-navigation-go-even-deeper/
- **Related Vulnerability**: hxxps[://]swarm[.]ptsecurity[.]com/android-jetpack-navigation-deep-links-handling-exploitation/
- **Official Documentation (Warning added)**: hxxps[://]developer[.]android[.]com/guide/navigation/design/deep-link#explicit