Deep Linking example: Sainsbury’s SmartShop

Decoding a QR code

Using zbarcam to scan the Sainsbury’s SmartShop QR code from my Android device.
QR-Code:https://go.onelink.me/2838942512/4fd5c0b1?af_qr=true
curl -v https://go.onelink.me/2838942512/4fd5c0b1?af_qr=true
* Trying 54.192.137.42:443...
* Connected to go.onelink.me (54.192.137.42) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.onelink.me
* start date: Sep 3 00:00:00 2020 GMT
* expire date: Oct 3 12:00:00 2021 GMT
* subjectAltName: host "go.onelink.me" matched cert's "*.onelink.me"
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x564d224a3560)
> GET /2838942512/4fd5c0b1?af_qr=true HTTP/2
> Host: go.onelink.me
> user-agent: curl/7.74.0
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 302
< content-type: application/octet-stream
< content-length: 0
< location: https://apps.apple.com/GB/app/id976551005?mt=8
< date: Sun, 28 Mar 2021 14:45:03 GMT
< server: http-kit
< strict-transport-security: max-age=31536000; includeSubDomains
< x-cache: Miss from cloudfront
< via: 1.1 e8e9550625d3e8f605abc4417e820fc0.cloudfront.net (CloudFront)
< x-amz-cf-pop: LHR62-C5
< x-amz-cf-id: DAnjkyaD3cSOEf_Vya3fnB9YWd2qQJ93T3VDTnk3eHUO6hOyeax85w==
<
* Connection #0 to host go.onelink.me left intact
https://apps.apple.com/GB/app/id976551005?mt=8
curl -v -H "User-Agent: Mozilla/5.0 (Linux; Android 7.1.2; AFTMM Build/NS6265; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/70.0.3538.110 Mobile Safari/537.36" https://go.onelink.me/2838942512/4fd5c0b1?af_qr=true
curl -v -H "User-Agent: Mozilla/5.0 (Linux; Android 7.1.2; AFTMM Build/NS6265; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/70.0.3538.110 Mobile Safari/537.36" https://go.onelink.me/2838942512/4fd5c0b1?af_qr=true
* Trying 143.204.180.31:443...
* Connected to go.onelink.me (143.204.180.31) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.onelink.me
* start date: Sep 3 00:00:00 2020 GMT
* expire date: Oct 3 12:00:00 2021 GMT
* subjectAltName: host "go.onelink.me" matched cert's "*.onelink.me"
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55a1fa81e560)
> GET /2838942512/4fd5c0b1?af_qr=true HTTP/2
> Host: go.onelink.me
> accept: */*
> user-agent: Mozilla/5.0 (Linux; Android 7.1.2; AFTMM Build/NS6265; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/70.0.3538.110 Mobile Safari/537.36
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 302
< content-type: application/octet-stream
< content-length: 0
< location: market://details?id=com.sainsburys.ssa&referrer=af_tranid%3D43Pr6sUII7ARDHawC_t-UA%26af_qr%3Dtrue%26shortlink%3D4fd5c0b1%26pid%3DQR_code%26c%3DSS%20Poster
< date: Sun, 28 Mar 2021 14:53:08 GMT
< server: http-kit
< strict-transport-security: max-age=31536000; includeSubDomains
< x-cache: Miss from cloudfront
< via: 1.1 95e275e2550c87aeaa644f1f37b346e0.cloudfront.net (CloudFront)
< x-amz-cf-pop: LHR50-C1
< x-amz-cf-id: KLK5uQEx8lkFSkLib7CaksPVCyDFKZmAUi5K7cPSi2Y6hH3zIgAr9w==
<
* Connection #0 to host go.onelink.me left intact
market://details?id=com.sainsburys.ssa&referrer=af_tranid%3D43Pr6sUII7ARDHawC_t-UA%26af_qr%3Dtrue%26shortlink%3D4fd5c0b1%26pid%3DQR_code%26c%3DSS%20Poster
market://details?id=com.sainsburys.ssa&referrer=af_tranid=43Pr6sUII7ARDHawC_t-UA&af_qr=true&shortlink=4fd5c0b1&pid=QR_code&c=SS Poster

Breaking down the URL parameters

  • id— The Android app identifier, I assume SSA being short for “Sainsbury’s SmartShop App”
  • referrer— AppsFlyer specific tracking property, transaction ID, possibly for remarketing or tracking the actions of a single user?
  • af_qr — A query parameter for tracking QR code actions, as seen on the original URL
  • shortlink — This value matches part of the original path for the go.onlink.me URL
  • pid — Defines the media source, apparently an absolute requirement for any AppsFlyer link
  • c— Identifies the campaign this is related to.

Why is scanning the QR code now required for any mobile app SmartShop sessions?

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store