add one step to verify the signature in intent for chrome while the intent has a scheme for the app.

chrome/android/java/src/org/chromium/chrome/browser/externalnav/ExternalNavigationHandler.java

Index: chrome/android/java/src/org/chromium/chrome/browser/externalnav/ExternalNavigationHandler.java
diff --git a/chrome/android/java/src/org/chromium/chrome/browser/externalnav/ExternalNavigationHandler.java b/chrome/android/java/src/org/chromium/chrome/browser/externalnav/ExternalNavigationHandler.java
index 99c2a0418e6c33bcb9d4d677230334e3549929bd..c7ebab09065fb885657ebf8de1a4a417eedb036b 100644
--- a/chrome/android/java/src/org/chromium/chrome/browser/externalnav/ExternalNavigationHandler.java
+++ b/chrome/android/java/src/org/chromium/chrome/browser/externalnav/ExternalNavigationHandler.java
@@ -7,7 +7,9 @@ package org.chromium.chrome.browser.externalnav;
 import android.content.ActivityNotFoundException;
 import android.content.ComponentName;
 import android.content.Intent;
+import android.content.pm.PackageManager;
 import android.content.pm.ResolveInfo;
+import android.content.pm.Signature;
 import android.net.Uri;
 import android.os.SystemClock;
 import android.provider.Browser;
@@ -28,6 +30,8 @@ import org.chromium.chrome.browser.util.UrlUtilities;
 import org.chromium.ui.base.PageTransition;
 
 import java.net.URI;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 import java.util.HashSet;
 import java.util.List;
 import java.util.concurrent.TimeUnit;
@@ -42,7 +46,8 @@ public class ExternalNavigationHandler {
     private static final String SCHEME_WTAI = "wtai://wp/";
     private static final String SCHEME_WTAI_MC = "wtai://wp/mc;";
     private static final String SCHEME_SMS = "sms";
-
+    private static final char[] HEX_DIGITS = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
+            'A', 'B', 'C', 'D', 'E', 'F'};
     @VisibleForTesting
     static final String EXTRA_BROWSER_FALLBACK_URL = "browser_fallback_url";
 
@@ -112,6 +117,48 @@ public class ExternalNavigationHandler {
             browserFallbackUrl = null;
         }
 
+        try {
+            //scheme
+            String scheme = intent.getData().getScheme();
+            String fragment = intent.getData().getFragment();
+            if (!TextUtils.isEmpty(scheme) && null != fragment && fragment.contains(";")) {
+                String[] parts = fragment.split(";");
+                String[] part = null;
+                String fingerPrint256 = "";
+                String pkgName = "";
+                for (String each : parts) {
+                    part = each.split("=");
+                    if (part[0].equals("sha256")) {
+                        fingerPrint256 = part[1];
+                    }
+                    if (part[0].equals("package")) {
+                        pkgName = part[1];
+                    }
+                }
+                if (!TextUtils.isEmpty(pkgName) && !TextUtils.isEmpty(fingerPrint256)) {
+                    PackageManager pm = mDelegate.getAssociatedActivityContext()
+                            .getPackageManager();
+                    Signature[] signatures = pm.getPackageInfo(pkgName,
+                        PackageManager.GET_SIGNATURES).signatures;
+                    HashSet<String> fingerPrint256Set = new HashSet<String>();
+                    String fingerPrint = "";
+                    if (signatures.length > 0) {
+                        for (Signature each : signatures) {
+                            fingerPrint = computeNormalizedSha256Fingerprint(each.toByteArray());
+                            fingerPrint = fingerprint.replaceAll(":", "");

[esprehn, 2016/07/19 05:52:12]

I don't think other parts of the platform make this optional, can we just not
allow colons?

+                            fingerPrint256Set.add(fingerPrint);
+                        }
+                    }
+                    if (!fingerPrint256Set.contains(fingerPrint256)) {
+                        return OverrideUrlLoadingResult.NO_OVERRIDE;
+                    }
+                }
+            }
+        } catch (Exception e) {
+            return OverrideUrlLoadingResult.NO_OVERRIDE;

[esprehn, 2016/07/19 05:52:12]

Why would there be a exception? Can you scope this to what actually throws?

+        }
+
+
         long time = SystemClock.elapsedRealtime();
         OverrideUrlLoadingResult result = shouldOverrideUrlLoadingInternal(
                 params, intent, hasBrowserFallbackUrl, browserFallbackUrl);
@@ -520,4 +567,42 @@ public class ExternalNavigationHandler {
         }
         return null;
     }
+
+    /**
+     * compute normalized sha256fingerprint from signatures
+     *
+     * @return hexString of the fingerprint
+     */
+    private static String computeNormalizedSha256Fingerprint(byte[] signature) {
+        MessageDigest digester;
+        try {
+            digester = MessageDigest.getInstance("SHA-256");
+        } catch (NoSuchAlgorithmException e) {
+            throw new AssertionError("No SHA-256 implementation found.");
+        }
+        digester.update(signature);
+        return byteArrayToHexString(digester.digest());
+    }
+
+    /**
+     * convert byteArray to String
+     *
+     * @return hexString
+     */
+    private static String byteArrayToHexString(byte[] array) {
+        if (array.length == 0) {
+            return "";
+        }
+        char[] buf = new char[array.length * 3 - 1];
+        int bufIndex = 0;
+        for (int i = 0; i < array.length; i++) {
+            byte b = array[i];
+            if (i > 0) {
+                buf[bufIndex++] = ':';
+            }
+            buf[bufIndex++] = HEX_DIGITS[(b >>> 4) & 0x0F];
+            buf[bufIndex++] = HEX_DIGITS[b & 0x0F];
+        }
+        return new String(buf);
+    }
 }