Tool that helps with checking if an Android application has successfully completed the "App Link Verification" process for Android App Links.
You can see more info about this process here.
This tool supports 6 operation modes:
- `list-all`: simple enumeration, lists all deep links registered by the application regardless of format
- `list-applinks`: lists all Android App Links registered by the application
- `verify-applinks`: for each App Link, displays a checklist with each of the necessary steps for verification and indicates whether they've been completed successfully
- `adb-test`: uses `adb` to open all of the application's App Links and allows you to check if they're being automatically opened by the intended application
- `build-poc`: creates an HTML page with links to all of the registered Android App Links, in order to simplify the process of testing their verification process
- `launch-poc`: sends the HTML page created in the previous mode to a connected device (via `adb`) and opens it with Chrome
It also supports 3 additional flags:
- `clear`: removes the decompiled directory after execution
- `verbose`: prints additional information about the execution
- `ci-cd`: ideal for running in CI/CD pipelines, exits with `1` if any of the App Links are not correctly verified; automatically runs with `clear` and `verbose` flags
python3 -m pip install -r requirements.txt
Important Notes
- If you want to provide an `.apk` file instead of the `AndroidManifest.xml` and `strings.xml`, then you need to have apktool installed and accessible on the `$PATH`;
- If you want to use the `adb-test` or `launch-poc` operation modes, you need to have adb installed and accessible on the `$PATH`;
- If you want to use the `verify-applinks` operation mode or if you want to be able to install the package on the device, you must use the `-apk` option instead of the manifest+strings file combination;
- If you want to use the `verify-applinks` operation mode, you need to have keytool installed and accessible on the `$PATH`;
- If you want to use the `adb-test`, `launch-poc` or `verify-applinks` operation modes, you must specify the `-p` option.
~ python3 Android-App-Link-Verification-Tester/deeplink_analyser.py --help
usage: deeplink_analyser.py [-h] [-apk FILE] [-m FILE] [-s FILE] -op OP
[-p PACKAGE] [-v] [-c]
optional arguments:
-h, --help show this help message and exit
-apk FILE Path to the APK (required for `verify-applinks`
operation mode)
-m FILE, --manifest FILE
Path to the AndroidManifest.xml file
-s FILE, --strings FILE
Path to the strings.xml file
-op OP, --operation-mode OP
Operation mode: "list-all", "list-applinks", "verify-
applinks", "build-poc", "launch-poc", "adb-test".
-p PACKAGE, --package PACKAGE
Package identifier, e.g.: "com.myorg.appname"
(required for some operation modes)
-v, --verbose Verbose mode
--clear Whether or not the script should delete the decompiled
directory after running (default: False)
--ci-cd Ideal for running in CI/CD pipelines (default: False)
~ python3 Android-App-Link-Verification-Tester/deeplink_analyser.py \
-op list-all \
-apk <path-to-apk>
~ python3 Android-App-Link-Verification-Tester/deeplink_analyser.py \
-op list-applinks \
-m <path-to-android-manifest> \
-s <path-to-strings-file>
Note that the `strings.xml` file is typically under `/res/values/strings.xml`.
~ python3 Android-App-Link-Verification-Tester/deeplink_analyser.py \
-op verify-applinks \
-apk <path-to-apk> \
-p <package-name>
Note that you can also specify the `-v` flag to print the entire DAL file.
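The manifest half of the `verify-applinks` checklist (autoVerify, VIEW action, BROWSABLE and DEFAULT categories) can be reproduced on a decoded `AndroidManifest.xml` with the sketch below. It is an added example, not this tool's own code; the sample manifest, its hosts and the function name `applink_checklist` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (placeholder hosts, not from a real app).
# The first filter meets every manifest-side requirement; the second does not.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application><activity android:name=".MainActivity">
    <intent-filter android:autoVerify="true">
      <action android:name="android.intent.action.VIEW"/>
      <category android:name="android.intent.category.DEFAULT"/>
      <category android:name="android.intent.category.BROWSABLE"/>
      <data android:scheme="https"/>
      <data android:host="app.example.com"/>
    </intent-filter>
    <intent-filter>
      <action android:name="android.intent.action.VIEW"/>
      <category android:name="android.intent.category.BROWSABLE"/>
      <data android:scheme="https" android:host="legacy.example.com"/>
    </intent-filter>
  </activity></application>
</manifest>"""


def applink_checklist(manifest_xml):
    """Map each http(s) URL prefix to the manifest-side checks of its filter."""
    results = {}
    for flt in ET.fromstring(manifest_xml).iter("intent-filter"):
        actions = {a.get(ANDROID + "name") for a in flt.findall("action")}
        cats = {c.get(ANDROID + "name") for c in flt.findall("category")}
        datas = flt.findall("data")
        # <data> attributes are merged across the whole filter, so schemes
        # and hosts may be declared in separate elements.
        schemes = {d.get(ANDROID + "scheme") for d in datas} & {"http", "https"}
        hosts = {d.get(ANDROID + "host") for d in datas} - {None}
        checks = {
            "autoverify": flt.get(ANDROID + "autoVerify") == "true",
            "view_action": "android.intent.action.VIEW" in actions,
            "browsable": "android.intent.category.BROWSABLE" in cats,
            "default": "android.intent.category.DEFAULT" in cats,
        }
        for scheme in sorted(schemes):
            for host in sorted(hosts):
                results[f"{scheme}://{host}"] = checks
    return results


if __name__ == "__main__":
    for url, checks in applink_checklist(SAMPLE_MANIFEST).items():
        print(url, "OK" if all(checks.values()) else checks)
```
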
An example output for the Twitter Android app would be:
~ python3 Android-App-Link-Verification-Tester/deeplink_analyser.py \
-apk com.twitter.android_2021-10-22.apk \
-p com.twitter.android \
-op verify-applinks
[...]
The APK's signing certificate's SHA-256 fingerprint is:
0F:D9:A0:CF:B0:7B:65:95:09:97:B4:EA:EB:DC:53:93:13:92:39:1A:A4:06:53:8A:3B:04:07:3B:C2:CE:2F:E9
[...]
Checking http://mobile.twitter.com/.*
✓ includes autoverify=true
✓ includes VIEW action
✓ includes BROWSABLE category
✓ includes DEFAULT category
✓ DAL verified
Relations:
- [Standard] delegate_permission/common.get_login_creds
- [Standard] delegate_permission/common.handle_all_urls
- [Custom] delegate_permission/common.use_as_origin
Checking http://twitter.com/.*
✓ includes autoverify=true
✓ includes VIEW action
✓ includes BROWSABLE category
✓ includes DEFAULT category
✓ DAL verified
Relations:
- [Standard] delegate_permission/common.get_login_creds
- [Standard] delegate_permission/common.handle_all_urls
- [Custom] delegate_permission/common.use_as_origin
[...]
Read more about relation strings here: https://developers.google.com/digital-asset-links/v1/relation-strings
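The "DAL verified" step comes down to finding a Digital Asset Links statement (served from `/.well-known/assetlinks.json` on the link's host) that grants `handle_all_urls` to this package and this signing certificate. The sketch below is an added example, not this tool's own code; the package name, fingerprints and the function name `dal_verifies` are constructed placeholders.

```python
import json

HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"

# Constructed values: placeholder package and certificate fingerprints.
PACKAGE = "com.example.app"
RELEASE_FP = ":".join(["AB"] * 32)   # cert the site owner listed
DEBUG_FP = ":".join(["CD"] * 32)     # e.g. a debug or re-signed build

# Constructed assetlinks.json with one unrelated and one relevant statement.
SAMPLE_DAL = json.dumps([
    {"relation": ["delegate_permission/common.get_login_creds"],
     "target": {"namespace": "web", "site": "https://app.example.com"}},
    {"relation": [HANDLE_ALL_URLS],
     "target": {"namespace": "android_app", "package_name": PACKAGE,
                "sha256_cert_fingerprints": [RELEASE_FP]}},
])


def dal_verifies(dal_json, package, apk_fingerprint):
    """True if a statement grants handle_all_urls to this package and cert."""
    try:
        statements = json.loads(dal_json)
    except ValueError:
        return False  # e.g. an HTML error page served instead of JSON
    if not isinstance(statements, list):
        return False
    # keytool prints upper-case, colon-separated hex; comparing
    # case-insensitively is a choice made by this example.
    wanted = apk_fingerprint.strip().upper()
    for st in statements:
        if not isinstance(st, dict):
            continue
        target = st.get("target", {})
        listed = {f.strip().upper()
                  for f in target.get("sha256_cert_fingerprints", [])}
        if (HANDLE_ALL_URLS in st.get("relation", [])
                and target.get("namespace") == "android_app"
                and target.get("package_name") == package
                and wanted in listed):
            return True
    return False


if __name__ == "__main__":
    print("release build:", dal_verifies(SAMPLE_DAL, PACKAGE, RELEASE_FP))
    print("debug build:  ", dal_verifies(SAMPLE_DAL, PACKAGE, DEBUG_FP))
```

A build signed with a certificate that the site does not list fails this check even when every manifest-side item passes.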
~ python3 Android-App-Link-Verification-Tester/deeplink_analyser.py \
-op adb-test \
-apk <path-to-apk> \
-p <package-name>
Note that the package was not installed on the phone previously, so the script installed the APK using `adb`.
~ python3 Android-App-Link-Verification-Tester/deeplink_analyser.py \
-op build-poc \
-m <path-to-android-manifest> \
-s <path-to-strings-file>
~ python3 Android-App-Link-Verification-Tester/deeplink_analyser.py \
-op launch-poc \
-apk <path-to-apk> \
-p <package-name>
As a result, your Android device should display something like this:
Then, you can manually click on each of the links: if the OS prompts you to choose between Chrome and one or more apps, then the App Link Verification process is not correctly implemented.