Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content

App Lounge hijacks all links to f-droid.org even ones it can't handle

If you click a random link to f-droid.org in a browser, it gets opened with App Lounge that has registered for this domain and since it is a pre-installed app, it circumvents the OS domain verification system getting all its claimed domain auto-verified.

The registration happens in the manifest here: https://gitlab.e.foundation/e/os/apps/-/blob/cca2f0ddf81f159f572b64763d92fac0ff46e54f/app/src/main/AndroidManifest.xml#L94

Now it is debatable whether it is a good idea to hijack other project's domains. However, it should be obvious that App Lounge should swallow unrelated links on the same domain, e.g. https://f-droid.org/about/

I am not sure, if you can limit the paths in that intent filter. If not, you could at least bounce back intents you can't handle to the system, so that another app, like the browser, can still handle it.

Upstream issue at F-Droid: https://gitlab.com/fdroid/fdroid-website/-/issues/865