Android users have found themselves in a state of confusion following the latest update to the Google mobile app, which has introduced a peculiar twist to the way links are shared. The recent rollout has resulted in links shared from the app being prefixed with a new “search.app” domain, leaving many users scratching their heads.
What are these mysterious search.app links?
On November 6, 2024, Google launched version 15.44.27.28.arm64 of its Android app, coinciding with updates to Chrome for a select group of users. This update has led to an unexpected behavior: links accessed through Google’s in-app Chromium browser now appear with the “search.app” domain when shared externally.
The tech community first took notice of this change, with BleepingComputer reporting their initial alarm upon discovering the new domain. Concerns about potential adware infections were quickly voiced on platforms like Reddit, where users shared similar experiences. One user, danilopiazza, remarked, “Recently (few days ago), I noticed that each link shared from the Google in-app web browser uses the ‘search.app’ domain.” Another user echoed these sentiments, expressing initial fears of malware or unintended settings changes.
Further investigation revealed that social media posts shared via the Google app were also bearing the “search.app” domain, raising eyebrows and prompting discussions among users.
Is search.app safe?
To clarify, search.app serves as a URL redirector domain, akin to other well-known redirectors like t.co or g.co. By appending links with “https://search.app?link=”, Google gains enhanced visibility into how users share links and who engages with them. This mechanism not only aids in analytics but also allows Google to potentially block access to phishing or compromised sites, thereby safeguarding users.
In testing, navigating directly to search.app led to an “Invalid Dynamic Link” page featuring the Firebase logo, a platform acquired by Google in 2014 for mobile app development. Interestingly, Firebase Dynamic Links are set to be deprecated by August 2025.
SSL certificate and hosting shared by over a hundred domains
After the initial report, readers pointed out an unusual aspect of the TLS certificate associated with the search.app domain. The certificate’s Common Name (CN) was found to be linked to fallacni.com, a French website focused on national identity cards. This anomaly raised further questions about the legitimacy of the domain.
Moreover, it was discovered that the same SSL certificate is utilized by over a hundred domains hosted on the same Firebase server, indicating a shared hosting environment. This is not uncommon due to technologies like Server Name Indication (SNI), which allow multiple domains to operate over HTTPS on a single server. However, the situation appears irregular when compared to Google’s other domains, such as search.app.goo.gl, which has a distinct CN and is hosted on a different IP address.
While the search.app redirector URLs seem to be safe and officially managed by Google, the absence of clear documentation surrounding the domain raises eyebrows. This lack of transparency could lead to increased anxiety among users, particularly those who may suspect their devices have been compromised.
As this story continues to unfold, the tech community is left to ponder whether this move is an attempt by Google to mirror Apple’s approach with its news-sharing links or simply a new feature lacking adequate explanation. BleepingComputer has reached out to Google for clarification and awaits a response.
Update, 8 November 2024 10:35 AM ET: Added section on ambiguous SSL certificate presented by search.app. This is a developing story.
