11 replies

Expo Client Deep Link Security: Preventing Session Hijacking

I understand the typical sign-in flow when using the Expo Client looks like this:

1. A user visits

/sign-in

/sign-in

in their browser.
2. They are redirected to

accounts.google.com

accounts.google.com

.
3. After successful authentication, they are sent back to

/callback

/callback

.
4. The

/callback

/callback

endpoint uses a deep link to return to the mobile app and deliver the session cookie.

My concern is that anyone can register the same deep link. For example, if I run

example-service.com

example-service.com

and register

example-service://

example-service://

in my own app, couldn’t my app hijack the callback and steal the session cookie from the legitimate app?

* Am I misunderstanding something about how deep links work?
* Is there a built-in mechanism to ensure only the genuine app can receive the cookie?
* How do you prevent malicious or clone apps from intercepting the Expo Client’s authentication flow?

Thanks in advance for any insights!

Better Auth•8mo ago•

11 replies

kukuku

Expo Client Deep Link Security: Preventing Session Hijacking

I understand the typical sign-in flow when using the Expo Client looks like this:

1. A user visits

/sign-in

/sign-in

in their browser.
2. They are redirected to

accounts.google.com

accounts.google.com

.
3. After successful authentication, they are sent back to

/callback

/callback

.
4. The

/callback

/callback

endpoint uses a deep link to return to the mobile app and deliver the session cookie.

My concern is that anyone can register the same deep link. For example, if I run

example-service.com

example-service.com

and register

example-service://

example-service://

Expo Client Deep Link Security: Preventing Session Hijacking

Similar Threads

Expo Client Deep Link Security: Preventing Session Hijacking

Similar Threads

Similar Threads

Similar Threads