Deep links in financial apps are high-value targets. A compromised deep link could redirect a payment to the wrong recipient, expose account data, or trick a user into authorizing a fraudulent transaction. This guide covers the specific security measures fintech apps should implement for deep links.<\/p>\n\n\n\n
For general deep link security, see Deep Linking Security: Preventing Hijacking and Abuse<\/a>. For fintech compliance, see Fintech Compliance and Deep Links<\/a>.<\/p>\n\n\n\n A malicious app registers to handle the same URL scheme as your app. When the user taps a deep link, the malicious app opens instead of yours.<\/p>\n\n\n\n Mitigation<\/strong>: Use Universal Links (iOS) and App Links (Android) exclusively. These verify domain ownership through AASA and assetlinks.json, preventing other apps from claiming your URLs. Never use custom URL schemes ( An attacker modifies the deep link parameters before the user taps it:<\/p>\n\n\n\n Mitigation<\/strong>: Use signed URLs. Include an HMAC signature that covers all critical parameters:<\/p>\n\n\n\n The app verifies the signature before showing the payment form:<\/p>\n\n\n\n An attacker captures a valid payment deep link and uses it again:<\/p>\n\n\n\n Mitigation<\/strong>:<\/p>\n\n\n\n An attacker intercepts the deep link in transit (e.g., via a compromised Wi-Fi network).<\/p>\n\n\n\n Mitigation<\/strong>: HTTPS only. Universal Links and App Links already require HTTPS. Ensure your AASA and assetlinks.json files are also served over HTTPS without redirects.<\/p>\n\n\n\n An attacker sends a deep link that looks like it goes to your app but actually leads to a phishing page:<\/p>\n\n\n\n Mitigation<\/strong>:<\/p>\n\n\n\n Even if the user is "logged in," verify the session is still valid before processing a financial deep link:<\/p>\n\n\n\n For deep links to financial screens, require a fresh authentication if the last authentication was more than a set period ago:<\/p>\n\n\n\n Never trust data from a URL. Validate all parameters server-side before processing:<\/p>\n\n\n\n Deep link parameters could contain malicious payloads:<\/p>\n\n\n\n Sanitize all string parameters before rendering them in the UI:<\/p>\n\n\n\n In React Native and Flutter, the UI frameworks typically handle this automatically (no HTML rendering), but be cautious if you're using WebViews or HTML rendering.<\/p>\n\n\n\nThreat Model<\/h2>\n\n\n\n
1. Link Hijacking<\/h3>\n\n\n\n
yourapp:\/\/<\/code>) for financial flows.<\/p>\n\n\n\n2. Parameter Tampering<\/h3>\n\n\n\n
Original: https:\/\/go.yourapp.com\/pay?to=merchant_abc&amount=42.50\nTampered: https:\/\/go.yourapp.com\/pay?to=attacker_xyz&amount=42.50\n<\/code><\/pre>\n\n\n\nfunction createSignedPaymentLink(recipient, amount, note) {\n const data = `${recipient}|${amount}|${note}|${Date.now()}`;\n const signature = hmacSha256(data, SECRET_KEY);\n const exp = Date.now() + 3600000; \/\/ 1 hour\n\n return `https:\/\/go.yourapp.com\/pay?to=${recipient}&amount=${amount}¬e=${encodeURIComponent(note)}&exp=${exp}&sig=${signature}`;\n}\n<\/code><\/pre>\n\n\n\nfunction verifyPaymentLink(url) {\n const params = Object.fromEntries(new URL(url).searchParams);\n\n \/\/ Check expiration\n if (parseInt(params.exp) < Date.now()) {\n throw new Error('Link expired');\n }\n\n \/\/ Verify signature\n const data = `${params.to}|${params.amount}|${params.note}|${params.exp}`;\n const expectedSig = hmacSha256(data, SECRET_KEY);\n\n if (params.sig !== expectedSig) {\n throw new Error('Invalid signature');\n }\n\n return params;\n}\n<\/code><\/pre>\n\n\n\n3. Replay Attacks<\/h3>\n\n\n\n
User sends $25 to Jane via deep link.\nAttacker captures the link.\nAttacker sends the same link to the user again.\nUser taps it and accidentally sends $25 to Jane again.\n<\/code><\/pre>\n\n\n\n\n
function createOneTimePaymentLink(recipient, amount) {\n const nonce = generateNonce(); \/\/ Random, unique\n await storeNonce(nonce, { recipient, amount, expiresAt: Date.now() + 3600000 });\n\n return `https:\/\/go.yourapp.com\/pay?nonce=${nonce}`;\n}\n\nfunction processPaymentLink(nonce) {\n const data = await consumeNonce(nonce); \/\/ Returns data and marks as used\n\n if (data === null) {\n throw new Error('Link already used or expired');\n }\n\n return data;\n}\n<\/code><\/pre>\n\n\n\n4. Man-in-the-Middle<\/h3>\n\n\n\n
5. Phishing via Deep Links<\/h3>\n\n\n\n
Fake: https:\/\/go.yourapp-secure.com\/login (looks similar, different domain)\nReal: https:\/\/go.yourapp.com\/login\n<\/code><\/pre>\n\n\n\n\n
Authentication Requirements<\/h2>\n\n\n\n
Always Authenticate for Financial Actions<\/h3>\n\n\n\n
const REQUIRES_AUTH = [\n '\/pay\/',\n '\/transfer\/',\n '\/send\/',\n '\/withdraw\/',\n '\/settings\/security',\n '\/account\/close',\n];\n\nfunction handleDeepLink(url) {\n const path = new URL(url).pathname;\n\n if (REQUIRES_AUTH.some(prefix => path.startsWith(prefix))) {\n if (user.isAuthenticated === false) {\n pendingDeepLink.save(url);\n navigation.navigate('BiometricAuth');\n return;\n }\n }\n\n processDeepLink(url);\n}\n<\/code><\/pre>\n\n\n\nSession Validation<\/h3>\n\n\n\n
async function processFinancialDeepLink(url) {\n \/\/ Validate session with server\n const sessionValid = await validateSession();\n\n if (sessionValid === false) {\n \/\/ Session expired, re-authenticate\n pendingDeepLink.save(url);\n navigation.navigate('Login');\n return;\n }\n\n \/\/ Additional biometric check for high-value actions\n const amount = parseAmount(url);\n if (amount > HIGH_VALUE_THRESHOLD) {\n const bioAuth = await requestBiometric();\n if (bioAuth === false) return;\n }\n\n handleRoute(url);\n}\n<\/code><\/pre>\n\n\n\nTime-Bound Sessions<\/h3>\n\n\n\n
const MAX_AUTH_AGE = 5 * 60 * 1000; \/\/ 5 minutes\n\nfunction requireFreshAuth() {\n const lastAuth = authStore.lastAuthTimestamp;\n return (Date.now() - lastAuth) > MAX_AUTH_AGE;\n}\n<\/code><\/pre>\n\n\n\nInput Validation<\/h2>\n\n\n\n
Validate Every Parameter<\/h3>\n\n\n\n
function validatePaymentParams(params) {\n const errors = [];\n\n \/\/ Amount: must be a positive number within limits\n const amount = parseFloat(params.amount);\n if (isNaN(amount) || amount <= 0) {\n errors.push('Invalid amount');\n } else if (amount > DAILY_LIMIT) {\n errors.push('Amount exceeds daily limit');\n }\n\n \/\/ Recipient: must exist and be active\n if (params.to && isValidIdentifier(params.to) === false) {\n errors.push('Invalid recipient');\n }\n\n \/\/ Note: sanitize for XSS\n if (params.note) {\n params.note = sanitizeText(params.note);\n }\n\n return { valid: errors.length === 0, errors, params };\n}\n<\/code><\/pre>\n\n\n\nPrevent Injection<\/h3>\n\n\n\n
https:\/\/go.yourapp.com\/search?q=<script>steal(document.cookie)<\/script>\n<\/code><\/pre>\n\n\n\nfunction sanitizeParam(value) {\n return value\n .replace(\/<\/g, '<')\n .replace(\/>\/g, '>')\n .replace(\/"\/g, '"')\n .replace(\/'\/g, ''');\n}\n<\/code><\/pre>\n\n\n\nSecure AASA and assetlinks.json<\/h2>\n\n\n\n
AASA Security<\/h3>\n\n\n\n
\n
*<\/code> for everything)<\/li>\n<\/ul>\n\n\n\nassetlinks.json Security<\/h3>\n\n\n\n
\n
Monitoring and Alerting<\/h2>\n\n\n\n
What to Monitor<\/h3>\n\n\n\n