Mobile Hacking Conference Talks

Deeplinks, URIs, and WebViews: Common URI Validation Pitfalls and Their Consequences

By Lyes Mouloudi

Android apps increasingly rely on deep links and WebViews to handle navigation and render web content, but these mechanisms come with a minefield of subtle security pitfalls that developers routinely miss and attackers actively exploit.

In this talk, we take a look at the attack surface formed by the intersection of URI handling and WebViews. We'll walk through the most common mistakes in deep links that route into WebViews, covering custom URI scheme abuse, URL confusion across popular parsers, and WebView takeover bugs, showing how to spot them, exploit them, escalate them, and mitigate them.

Topics covered include:

  • Custom URI schemes: risks and common misconfigurations.
  • URL parsing confusion, how popular parsers disagree and how to exploit the gaps.
  • Various WebView takeover/abuse techniques.
  • Real-world examples from high-impact bug bounty submissions.


Whether you're a mobile security researcher, a penetration tester, or a developer who wants to understand how these bugs are found and fixed, this talk will be an entry point into the world of WebView-related bugs.

Thank you!
Bio

Lyes Mouloudi

Lyes is an experienced Security Researcher and Bug Bounty Hunter specialized in Android.

He is in the top 5 on HackerOne in the mobile apps category.