Fix guide · low · android_assetlinks_exposed

Android Asset Links file exposed

What this rule means

Your /.well-known/assetlinks.json reveals your Android package name and the SHA-256 fingerprint of your APK signing certificate. Serving this file is required for Android App Links (and for Smart Lock credential sharing), so the finding is informational rather than a vulnerability, but it is worth confirming that the package and fingerprint listed are the ones you actually ship to production.

Why it matters

Android App Links require a JSON document at /.well-known/assetlinks.json that proves an Android app is authorised to handle URLs from your domain; Android fetches it when an app declaring autoVerify intent filters is installed or updated and only grants verified link handling if the installed app's package name and signing certificate match a statement in the file. Standard shape:

[{
  "relation": ["delegate_permission/common.handle_all_urls"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.example.myapp",
    "sha256_cert_fingerprints": ["AA:BB:CC:..."]
  }
}]

What's revealed: the package name(s) of the app(s) you publish and the SHA-256 fingerprint(s) of the certificate(s) they are signed with. Neither is secret: both can be read out of the published APK, which is why this is rated low.

In real audits we've seen:

Again, not a vulnerability — a hygiene check.

How to fix it

  1. Confirm package_name matches your production app's package. A leftover debug, staging or renamed package is the most common surprise.
  2. Confirm sha256_cert_fingerprints matches your current production signing certificate (keytool -printcert -jarfile app.apk or apksigner verify --print-certs will print it). If you've rotated keys, remove the old fingerprint once no supported build signed with the old key is still in circulation, since an installed app whose signing certificate is not listed will fail verification.
  3. If you list multiple apps, confirm each is intentional and in active use.
  4. Validate the deployed file with Google's tester: https://digitalassetlinks.googleapis.com/v1/statements:list?source.web.site=https://example.com&relation=delegate_permission/common.handle_all_urls. It fetches the live file, so it also catches serving problems: the file must be reachable over HTTPS, without redirects, with Content-Type application/json.
  5. If the file is exposed but you don't run an Android app, find the subsystem serving it, likely a Firebase Dynamic Links or App Indexing integration, and disable it if unused.
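The checks in steps 1 to 3 are easy to script against the file you actually serve. The following is an added example, not code from the vibecheck page or from Google's tooling: it parses an assetlinks.json document of the shape shown above, computes the fingerprint Android expects from a certificate's DER bytes (SHA-256 over the DER encoding, rendered as colon-separated upper-case hex, the same value keytool and apksigner print), and reports stale fingerprints, unexpected packages and production packages with no statement. The certificate bytes, package names and served document are constructed for the demonstration; in practice you would fetch the document from https://yourdomain/.well-known/assetlinks.json and take the DER from your real signing certificate.

```python
"""Audit a served assetlinks.json against the package/fingerprint you intend to ship.

Added example (not part of the vibecheck page or of Google's tooling). The expected
values and the sample document below are constructed; replace them with your own.
"""
import hashlib
import json
import re

# Relation string for Android App Links (fixed by the Digital Asset Links spec).
HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"

# Fingerprint format Android expects: 32 bytes as colon-separated upper-case hex.
FINGERPRINT_RE = re.compile(r"^([0-9A-F]{2}:){31}[0-9A-F]{2}$")


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, formatted like assetlinks.json expects.

    Same value `keytool -printcert` and `apksigner verify --print-certs` report
    (apksigner prints it without the colons).
    """
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def audit_assetlinks(document: str, expected: dict[str, set[str]]) -> list[str]:
    """Return findings for a served assetlinks.json.

    `expected` maps each production package name to the fingerprints it is
    currently signed with. Anything served but not expected is reported, as is
    any expected package or fingerprint that is missing from the file.
    """
    findings = []
    try:
        statements = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(statements, list):
        return ["top-level value must be a JSON array of statements"]

    seen_packages = set()
    for idx, stmt in enumerate(statements):
        target = stmt.get("target", {}) if isinstance(stmt, dict) else {}
        relations = stmt.get("relation", []) if isinstance(stmt, dict) else []
        if HANDLE_ALL_URLS not in relations:
            findings.append(f"statement {idx}: missing relation {HANDLE_ALL_URLS}")
        if target.get("namespace") != "android_app":
            findings.append(f"statement {idx}: namespace is not android_app")
            continue
        pkg = target.get("package_name")
        fps = target.get("sha256_cert_fingerprints", [])
        seen_packages.add(pkg)
        if pkg not in expected:
            findings.append(f"statement {idx}: unexpected package {pkg!r}")
            continue
        for fp in fps:
            if not FINGERPRINT_RE.match(fp):
                findings.append(f"{pkg}: malformed fingerprint {fp!r}")
            elif fp not in expected[pkg]:
                findings.append(f"{pkg}: stale or unknown fingerprint {fp}")
        for fp in expected[pkg] - set(fps):
            findings.append(f"{pkg}: current signing cert {fp} not listed")
    for pkg in expected.keys() - seen_packages:
        findings.append(f"{pkg}: no statement served for this production package")
    return findings


# Constructed stand-ins for the DER bytes of two signing certificates.
PROD_CERT_DER = b"constructed DER bytes: current production signing certificate"
OLD_CERT_DER = b"constructed DER bytes: retired signing certificate"

# Constructed example of a file left behind after a key rotation, with a debug
# build still listed. Hypothetical package names.
SERVED_DOCUMENT = json.dumps([
    {
        "relation": [HANDLE_ALL_URLS],
        "target": {
            "namespace": "android_app",
            "package_name": "com.example.myapp",
            "sha256_cert_fingerprints": [cert_fingerprint(PROD_CERT_DER),
                                         cert_fingerprint(OLD_CERT_DER)],
        },
    },
    {
        "relation": [HANDLE_ALL_URLS],
        "target": {
            "namespace": "android_app",
            "package_name": "com.example.myapp.debug",
            "sha256_cert_fingerprints": [cert_fingerprint(OLD_CERT_DER)],
        },
    },
])

# What production should look like: one package, one current certificate.
EXPECTED = {"com.example.myapp": {cert_fingerprint(PROD_CERT_DER)}}


def demo() -> list[str]:
    """Run the audit on the constructed document; yields two findings."""
    return audit_assetlinks(SERVED_DOCUMENT, EXPECTED)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against the constructed document it flags the retired fingerprint on com.example.myapp and the leftover com.example.myapp.debug statement, which are exactly the two things steps 2 and 3 ask you to look for. Clearing the findings in this script does not replace step 4: Google's tester exercises the live fetch (HTTPS, no redirects, correct Content-Type), which a local parse cannot.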

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
