javedparmar940 / com.microsoft.identity.client.BrowserTabActivity

com.microsoft.identity.client.BrowserTabActivity android:exported='true'

com.microsoft.identity.client.BrowserTabActivity android:exported='true' #1

Open javedparmar940 opened 2 years ago

javedparmar940 commented 2 years ago

Any third-party app can start this activity with no permission. If a malicious app constantly starts the browser activity, our app will stop working.

MSAL Version: 2.2.2

AndroidManifest.xml: com.microsoft.identity.client.BrowserTabActivity android:exported='true'

Expected: com.microsoft.identity.client.BrowserTabActivity android:exported='false'

Actual Behavior: BrowserTab activity can be invoked by any third-party app (malicious app). This is not the accepted behavior.

Query: I want to understand what security impact it will have if we keep android:exported='true', and is it really required to mark it android:exported='false'?

javedparmar940 commented 2 years ago

There's a relevant reference link: https://github.com/AzureAD/microsoft-authentication-library-for-android/issues/1123
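
The manifest check this issue is about, as an added example that is not part of the original thread or of MSAL: a Python audit that lists components another app can start without holding a permission. It goes beyond the one activity named above by also covering services, receivers and the implicit export default for components that declare an intent filter; the manifest is constructed and `audit_exported` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name="com.microsoft.identity.client.BrowserTabActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="msauth" android:host="com.example.app"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <activity android:name=".LegacyShareActivity">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.app.permission.SYNC"/>
  </application>
</manifest>"""

def audit_exported(manifest_xml):
    """Return (tag, name, reason) for components startable by other apps with no permission."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    if app is None:
        return findings
    app_perm = app.get(A + "permission")  # application-level permission applies to all components
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = comp.get(A + "exported")
        has_filter = comp.find("intent-filter") is not None
        if exported is None:
            # Before Android 12 the default is "exported" when an intent-filter is declared.
            is_exported, reason = has_filter, "implicit (intent-filter, no android:exported)"
        else:
            is_exported, reason = exported.lower() == "true", "explicit android:exported=true"
        perm = comp.get(A + "permission") or app_perm
        if is_exported and not perm:
            findings.append((comp.tag, comp.get(A + "name"), reason))
    return findings

if __name__ == "__main__":
    for tag, name, reason in audit_exported(SAMPLE_MANIFEST):
        print(f"{tag} {name}: {reason}")
```

Run it against the merged manifest of a build rather than the app's source manifest, since library manifests such as the one declaring this activity are merged in at build time.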