App links

How App links Works

  User Clicks URL (e.g., ad)
           │
           ▼
+-------------------------+
│   Android OS Intercept  │
+-------------------------+
           │
           ▼
┌─────────────────────────┐
│  Check for Verified App │
│    for the URL's Domain │
└─────────────────────────┘
           │
           ├─ YES (App Link Verified) → Open App Directly to Content
           │
           └─ NO (Verification Fails) → Open URL in Web Browser

App Links provide a secure mechanism to connect web URLs to an Android application, preventing other apps from intercepting those links. The core of this system is a trust relationship established between a website and an app. When a user clicks a link, the Android operating system checks if any installed app has claimed to handle that specific URL pattern.

Domain Ownership Verification

For an App Link to work, the app developer must prove they own the web domain in the URL. This is done by hosting a special JSON file, named `assetlinks.json`, at a specific location on the web server (`/.well-known/assetlinks.json`). Before designating the app as the official handler, the Android OS fetches this file. The file contains the app’s package name and its unique cryptographic signature (SHA256 certificate fingerprint), proving the website owner has vouched for the app.

Intent Filter with Auto-Verification

Within the app’s manifest file, the developer declares its association with the website using an intent filter. This filter specifies the URL structure (scheme, host, path) that the app can handle. Crucially, this intent filter includes the `android:autoVerify=”true”` attribute. This command instructs the Android system to perform the verification process by checking for the `assetlinks.json` file on the specified domain. If verification is successful, the OS will automatically direct matching URLs to the app without showing the user a dialog box to choose between the browser and the app. This seamless transition is key to its security function.

Secure Fallback and Traffic Routing

If the verification process fails—either because the `assetlinks.json` file is missing, incorrect, or the app is not installed—the system’s behavior changes. Instead of opening an app, the URL is simply opened in the user’s default web browser. This secure fallback mechanism ensures that a user is never directed to a malicious or unverified app claiming to handle the link. For advertisers, this guarantees that clicks on their ads either go to the verified app experience or the intended website, preventing click hijacking and ensuring traffic integrity.

Diagram Breakdown

User Clicks URL: This is the entry point, typically an ad click from a web page or another app.

Android OS Intercept: The operating system intercepts the request to open the URL before passing it to a browser or app.

Check for Verified App: The OS checks its records for any app that has a verified App Link for the domain in the URL. This involves checking that the `assetlinks.json` file was successfully validated for that app.

YES (App Link Verified): If a verified app exists, the OS bypasses the browser and launches the app directly, passing the URL data to it so it can display the correct content.

NO (Verification Fails): If no app is verified for the domain, the OS proceeds with the default action, which is to open the link in a standard web browser.

🧠 Core Detection Logic

Example 1: Digital Asset Link Verification

This is the fundamental logic for App Links. Before attributing an install or in-app event to a click, the system verifies that the click came through a verified App Link. It checks that the Android OS confirmed the association between the domain of the clicked URL and the app’s package name by successfully fetching the assetlinks.json file. Traffic from unverified links can be flagged as potentially fraudulent.

FUNCTION HandleIncomingClick(click_data):
  // Check if the click was opened via a verified App Link
  is_verified_app_link = AndroidOS.isVerified(click_data.source_url)

  IF is_verified_app_link == TRUE:
    // Trust the source, app ownership is confirmed
    ProcessAttribution(click_data)
    Log("Traffic from verified source.")
  ELSE:
    // Link is a standard deep link or web URL, not a secure App Link
    FlagAsPotentiallyHijacked(click_data)
    Log("WARNING: Traffic source not verified. Potential for hijacking.")
  END IF
END FUNCTION

Example 2: Mismatch Detection between Click and Install

This logic cross-references the domain that initiated the click with the app that was installed or opened. In a legitimate App Link flow, the source domain of the ad click must match the domain declared and verified in the installed app’s manifest. A mismatch indicates that the click was likely redirected or that a different app intercepted the intent.

FUNCTION ValidateInstallSource(click_domain, installed_app_package):
  // Get the verified domains associated with the installed app package
  verified_domains = getVerifiedDomainsForPackage(installed_app_package)

  IF click_domain IN verified_domains:
    // The click source is a verified owner of the app
    RETURN "Install is Legitimate"
  ELSE:
    // The click came from a domain not associated with the app
    RETURN "Install is Suspicious: Domain Mismatch"
  END IF
END FUNCTION

Example 3: Blocking Non-HTTPS Traffic

App Link verification requires the `assetlinks.json` file to be hosted on an HTTPS server. Ad traffic protection systems can enforce this by automatically flagging or discarding any purported “App Link” clicks that do not use the HTTPS scheme. This prevents downgrade attacks where an attacker might try to intercept traffic on an insecure connection.

FUNCTION FilterByScheme(click_event):
  url_scheme = getScheme(click_event.url)

  // Android App Links must use HTTP/HTTPS URLs, with verification over HTTPS
  IF url_scheme != "https":
    Log("FRAUD_ATTEMPT: Non-HTTPS scheme used for App Link. Blocking.")
    RETURN FALSE
  END IF

  RETURN TRUE
END FUNCTION

📈 Practical Use Cases for Businesses

• Campaign Integrity: Ensures that paid traffic from ad campaigns is directed exclusively to the official app, preventing competitors or fraudsters from stealing installs through malicious redirects.
• Secure User Onboarding: Protects users who click on ads or promotional links by guaranteeing they land within the legitimate app environment, safeguarding them from phishing or data theft attempts.
• Accurate Attribution: Provides a reliable signal for attribution platforms. Since App Links are verified, it confirms that the click and the resulting install or event belong to the genuine brand owner, leading to cleaner data.
• Preventing Organic Poaching: Stops fraudulent apps from intercepting organic traffic intended for the official app, ensuring that users searching for a brand are not diverted to a malicious third party.

Example 1: Ad Campaign Traffic Filtering Rule

This pseudocode defines a rule within a traffic filtering system. It only allows clicks to be attributed to a campaign if the click was routed through a verified App Link, ensuring ad spend is not wasted on hijacked traffic.

RULE ad_traffic_filter:
  WHEN incoming_click.source_type == "AdCampaign"
  IF NOT incoming_click.is_verified_app_link:
    ACTION:
      block_attribution(incoming_click.id)
      log_event("Blocked unverified click from Campaign " + incoming_click.campaign_id)
  ELSE:
    ACTION:
      approve_attribution(incoming_click.id)
END RULE

Example 2: Geofencing with App Link Verification

This logic combines geographic checks with App Link verification. It flags traffic as highly suspicious if it originates from an unexpected region and also fails the App Link verification, a common pattern in bot-driven fraud.

FUNCTION process_mobile_event(event):
  is_verified = event.is_app_link_verified
  is_geo_valid = check_geolocation(event.ip, event.campaign_target_countries)

  // Suspicious if from a bad location AND not a verified app link
  IF is_verified == FALSE AND is_geo_valid == FALSE:
    SCORE event.fraud_score += 50
    REASON.add("Unverified app source from invalid geography")
  ELSE IF is_verified == FALSE:
    SCORE event.fraud_score += 10
    REASON.add("Unverified app source")
  END IF
END FUNCTION

🐍 Python Code Examples

This example simulates checking a hosted `assetlinks.json` file to verify if an app’s package name and certificate fingerprint are authorized by a domain owner. This is a crucial step in preventing a malicious app from associating itself with a legitimate website.

import json
import hashlib

# Mock assetlinks.json content hosted on a server
ASSET_LINKS_CONTENT = """
[{
  "relation": ["delegate_permission/common.handle_all_urls"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.example.officialapp",
    "sha256_cert_fingerprints":
    ["14:6D:E9:83:C5:73:06:50:D8:EE:B9:95:2F:34:FC:64:16:A0:83:42:E6:1D:BE:A8:8A:04:96:B2:3F:CF:44:E5"]
  }
}]
"""

def verify_app_link_association(domain, package_name, certificate_fingerprint):
    """
    Simulates fetching and verifying the assetlinks.json file.
    """
    # In a real scenario, this would be a network request to https://{domain}/.well-known/assetlinks.json
    try:
        hosted_data = json.loads(ASSET_LINKS_CONTENT)
        for association in hosted_data:
            target = association.get("target", {})
            if (target.get("namespace") == "android_app" and
                target.get("package_name") == package_name and
                certificate_fingerprint in target.get("sha256_cert_fingerprints", [])):
                print(f"VERIFIED: {package_name} is a trusted handler for {domain}.")
                return True
    except json.JSONDecodeError:
        print("ERROR: Invalid JSON in assetlinks file.")
        return False

    print(f"FAILED: {package_name} is NOT a trusted handler for {domain}.")
    return False

# --- Simulation ---
# Legitimate app trying to prove ownership
verify_app_link_association(
    "example.com",
    "com.example.officialapp",
    "14:6D:E9:83:C5:73:06:50:D8:EE:B9:95:2F:34:FC:64:16:A0:83:42:E6:1D:BE:A8:8A:04:96:B2:3F:CF:44:E5"
)
# Fraudulent app trying to associate with the same domain
verify_app_link_association(
    "example.com",
    "com.malicious.fakeapp",
    "AA:BB:CC:DD:..."
)

This code simulates a server-side check to flag clicks that are not coming from verified App Links. Traffic protection systems use such logic to score incoming clicks, where clicks failing this verification are marked as suspicious because they are vulnerable to interception.

class ClickEvent:
    def __init__(self, url, was_os_verified):
        self.url = url
        self.was_os_verified = was_os_verified # This boolean is set by the Android OS
        self.fraud_score = 0
        self.reasons = []

def analyze_click_authenticity(click_event):
    """
    Analyzes a click to determine if it's from a verified source.
    """
    if not click_event.was_os_verified:
        click_event.fraud_score += 25
        click_event.reasons.append("Click did not originate from a verified App Link.")
        print(f"SUSPICIOUS: Click for {click_event.url} is not verified.")
    else:
        print(f"OK: Click for {click_event.url} is verified.")
    return click_event

# --- Simulation ---
# A click that the OS confirmed was from a verified App Link
legit_click = ClickEvent("https://example.com/product/123", was_os_verified=True)
analyze_click_authenticity(legit_click)

# A click from a regular URL or unverified deep link
suspicious_click = ClickEvent("http://some-other-site.com/product/123", was_os_verified=False)
analyze_click_authenticity(suspicious_click)

Types of App links

• Verified App Links: These are standard HTTP/S links that have been cryptographically verified to belong to a specific app. The verification happens when the Android OS successfully validates the `assetlinks.json` file on the web domain, making this the most secure type for preventing click fraud.
• Standard Deep Links: These use a custom URL scheme (e.g., `myapp://content`) to open an app. They are not automatically verified and can be claimed by multiple apps, creating a security risk where malicious apps can intercept clicks intended for a legitimate app.
• Web Links: These are regular HTTP/S URLs that have not been associated with an app via the App Link verification process. When clicked, they typically open in a web browser, but a dialog may appear if multiple apps claim they can handle the link, creating ambiguity.
• Deferred Deep Links: This is a marketing technology, not a link type itself. It allows a user who clicks a link but doesn’t have the app installed to be first taken to the app store, and then, after installation, be redirected to the specific in-app content from the original click.

🛡️ Common Detection Techniques

• Digital Asset Link Validation: This is the core technique. It involves programmatically checking that the `assetlinks.json` file on the click’s source domain correctly authorizes the destination app’s package and signature. A failed validation indicates a high risk of hijacking.
• Package Name and Domain Mismatch: This technique compares the app package name that received the click against the verified domains it is allowed to handle. If an app receives a click from a domain it doesn’t own, it’s a strong indicator of fraud.
• Scheme Enforcement: Fraud detection systems can enforce that all legitimate app-bound traffic uses `https`. Since App Link verification requires HTTPS, any attempt to use an unencrypted `http` link is flagged as a potential attempt to bypass security.
• AutoVerify Flag Check: Within the app’s manifest, the `android:autoVerify=”true”` flag signals the intent for secure linking. Security tools can inspect an app’s manifest to ensure this flag is present, flagging apps that don’t enforce verification as less secure.
• Redirection Chain Analysis: This technique analyzes the series of redirects between the initial ad click and the final destination. Legitimate App Links open directly, while fraudulent paths often involve multiple, unnecessary redirects through unverified domains.

🧰 Popular Tools & Services

Tool	Description	Pros	Cons
Google Play Protect	A built-in malware protection service for Android that scans apps for malicious behavior. It helps prevent the installation of apps designed to perform click fraud or hijack intents.	Built directly into the Android ecosystem; scans apps from any source; provides real-time alerts.	Focuses on app-level threats, not click-level analysis; sophisticated malware can still find ways to bypass scans.
Adjust	A mobile measurement and fraud prevention suite that helps advertisers track user acquisition and filter out fraudulent traffic. It can differentiate between legitimate deep links and suspicious activity.	Provides detailed attribution and cohort analysis; detects a wide range of fraud types like click injection and SDK spoofing.	Can be complex to configure; requires SDK integration; cost may be a factor for smaller businesses.
AppsFlyer	An attribution platform that offers a fraud protection solution called Protect360. It uses machine learning to detect and block ad fraud in real-time, including install hijacking and bots.	Multi-layered protection (before, during, and after install); identifies new fraud patterns with large-scale data analysis.	Primarily focused on attribution data; full feature set may require a premium subscription; relies on their SDK being integrated.
Branch	A mobile linking platform that specializes in creating reliable deep links. It helps ensure that links work correctly across all channels and provides analytics to track their performance and security.	Excellent at handling complex linking scenarios and edge cases; provides robust fallback mechanisms; helps ensure a seamless user experience.	Core focus is on linking, with fraud detection as a secondary benefit; can be overkill if only basic fraud protection is needed.

📊 KPI & Metrics

Tracking the performance of App Links requires monitoring both their technical implementation and their business impact. These metrics help ensure that the security benefits of App Links translate into cleaner traffic, lower costs, and a better return on ad spend.

Metric Name	Description	Business Relevance
Verified Link Ratio	The percentage of incoming app clicks that are successfully verified by the Android OS as a secure App Link.	A high ratio indicates that security measures are working correctly and traffic is originating from trusted, owned web properties.
Click-to-Install Time (CTIT)	The time elapsed between a user clicking an ad and the app being installed and opened.	Unusually short times (<10 seconds) can indicate click injection, while App Links help ensure the click source is legitimate.
Attribution Rejection Rate	The percentage of installs or events that are rejected by the attribution system due to failed App Link verification or other fraud signals.	Directly measures the volume of fraudulent traffic being blocked, demonstrating the ROI of the security system.
Conversion Rate from Verified vs. Unverified Links	A comparison of conversion rates (e.g., sign-ups, purchases) between traffic from verified App Links and other link types.	Helps prove that verified traffic is higher quality and more valuable, justifying investment in secure linking infrastructure.

These metrics are typically monitored through a combination of mobile attribution platforms, internal logging, and ad network dashboards. Real-time alerts can be configured for sudden drops in the Verified Link Ratio or spikes in rejections, allowing fraud teams to investigate and update filtering rules promptly to protect ad budgets.

🆚 Comparison with Other Detection Methods

Accuracy and Reliability

App Links offer very high reliability for a specific type of fraud: link hijacking. The detection logic is binary—either the link is cryptographically verified by the OS or it is not. This is more definitive than behavioral analytics, which relies on probabilities and can have false positives. However, App Links do not detect other fraud types like bots or install farms. Behavioral analysis is broader but less precise for source verification.

Real-Time vs. Batch Processing

App Link verification happens in real-time at the moment of the click, enforced by the Android OS itself. This makes it an effective real-time prevention method. In contrast, many fraud detection methods, like analyzing click-to-install time distributions or identifying anomalous retention rates, often happen in batches after the events have already occurred. This makes them detection and refund-oriented rather than preventative.

Effectiveness Against Specific Threats

App Links are purpose-built to stop interception and redirection of traffic by malicious apps. They are extremely effective against this specific vector. Signature-based methods, which look for known bad IP addresses or device fingerprints, are effective against known bots but can be easily circumvented by new ones. App Links are effective regardless of whether the user is a human or a bot; they only care about whether the app is the legitimate owner of the domain.

Ease of Integration

Implementing App Links requires action from the developer to create and host the `assetlinks.json` file and configure the app manifest. This can be more work than simply integrating a third-party fraud detection SDK. However, once set up, the protection is handled by the OS, requiring little ongoing maintenance. SDK-based solutions are often easier to drop into an app but may require continuous updates and rule-tuning from the advertiser’s side.

⚠️ Limitations & Drawbacks

While effective for verifying URL ownership, App Links are not a complete fraud solution. Their security benefits are highly specific and they do not address many common types of ad fraud, meaning they must be used as one layer in a multi-faceted security strategy.

• Platform Specificity – App Links are exclusive to Android, offering no protection for iOS, web, or other platforms. iOS uses a similar but separate technology called Universal Links.
• Does Not Stop Bots – App Links verify the app’s ownership of a domain, but they do not verify the nature of the user. A bot using a real device can still generate a valid, verified click.
• Implementation Complexity – Proper implementation requires web server access to host the `assetlinks.json` file and correct configuration in the Android manifest, which can be a barrier for some developers.
• No Protection for Non-URL Traffic – Many ad interactions, such as in-app rewards or server-to-server-based clicks, do not originate from a standard web URL click and are therefore outside the scope of App Link protection.
• Vulnerable to Misconfiguration – If the `assetlinks.json` file is misconfigured, contains an old certificate fingerprint, or is inaccessible, the verification will fail, causing legitimate traffic to be treated as unverified.
• Limited to App-Install Context – The primary benefit is securing the path from a web click to an app. It offers little protection against post-install fraud, such as faked in-app events or account takeovers.

Therefore, App Links are best complemented with behavioral analysis and other fraud detection techniques to cover a wider range of threats.

❓ Frequently Asked Questions

How do App Links differ from regular deep links?

Regular deep links use custom schemes (e.g., `myapp://`) and are not verified, meaning any app can claim to handle them. App Links are standard web URLs (`https://…`) that are cryptographically verified by the Android OS to ensure they open only in the official, developer-owned app, which prevents malicious hijacking.

Can App Links prevent all types of click fraud?

No. App Links are highly effective at preventing click hijacking, where traffic is diverted to an unauthorized app. However, they do not prevent other major types of fraud like clicks generated by bots on real devices (install farms) or clicks from users who have no intention of engaging (incentivized traffic).

Is there an equivalent to App Links on iOS?

Yes, the equivalent on iOS is called Universal Links. They serve the same purpose: securely associating a web domain with an app to ensure links open directly and safely in the correct application. Both rely on a file hosted on the website for verification.

What happens if a user clicks an App Link but doesn’t have the app installed?

If the app is not installed, the Android operating system will simply open the standard HTTP URL in the user’s default web browser. This provides a seamless user experience and a graceful fallback, ensuring the user always reaches the intended content on the website.

Does using App Links impact attribution?

Yes, positively. By providing a verifiable signal that the click originated from a brand-owned domain, App Links improve the accuracy of attribution. Fraud detection systems can give higher trust to clicks from verified App Links, resulting in cleaner data and more reliable campaign performance metrics.

🧾 Summary

App Links are a security feature in Android that create a verified connection between a website and a mobile app. By using a domain-validated `assetlinks.json` file, they ensure that only the legitimate app can handle specific web URLs, preventing malicious apps from hijacking ad clicks. This is crucial for digital ad security as it guarantees traffic integrity, enhances user safety, and provides a reliable signal for fraud detection and attribution systems.

🔗 Related Articles

• Handling Android App Links | App architecture – Android Developers – https://developer.android.com/studio/write/app-link-indexing
• Verify Android App Links | App architecture – Android Developers – https://developer.android.com/training/app-links/verify-site-associations
• Unsafe use of deep links | Security – Android Developers – https://developer.android.com/privacy-and-security/risks/deep-links
• What are Android App Links? – Adjust – https://www.adjust.com/glossary/android-app-links/
• Mobile ad fraud metrics explained: CTIT, VTIT, and CTCT – MyTracker – https://mytracker.io/blog/mobile-ad-fraud-metrics-explained-ctit-vtit-and-ctct/