Post by Microsoft’s 365 Defender research team on an access control issue in TikTok’s Android app. The problem focuses on WebViews and how they interact with deeplinks, which are special hyperlinks that Android supports that applications can setup hooks for. They’re commonly used for internal app communication and routing. WebViews have a “bridge” functionality where a Java bridge class can be exposed and it’s methods can be published and called through the WebView. You can consider the attack that’s detailed as two issues.

One problem is in the deeplink handler for https://m.tiktok[.]com/redirect, which would take a query parameter to redirect the user. It’s possible to trigger internal deeplinks through the query parameter to call into non-exported activities. This expands the attack surface, though TikTok considers this acceptable.

The more critical issue is in one of the internal schemes [redacted-internal-scheme]://webview?url=<website>, which would take a URL and load it into the WebView. TikTok has filters in-place to prevent untrusted hosts from being loaded, however, this filtering was somewhat flimsy, and was bypassed by adding two additional parameters to the deeplink. Unfortunately, the Defender team doesn’t go into any more detail here.