okta / okta-oidc-android

OIDC SDK for Android
https://github.com/okta/okta-oidc-android

com.okta.oidc.OktaRedirectActivity not protected #333

Closed simonedif closed 1 year ago

simonedif commented 1 year ago

Describe the bug?

Following up on a pen-testing report from MobSF, oidc.OktaRedirectActivity was highlighted as a high risk: Activity (com.okta.oidc.OktaRedirectActivity) is not Protected. [android:exported=true]

This means an Activity is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device.

Looking at the Merged_manifest/AndroidManifest.xml I can see the build is set to true.

            android:name="com.okta.oidc.OktaRedirectActivity"
            android:autoRemoveFromRecents="true"
            android:exported="true"
            android:launchMode="singleInstance" >

Is there a way to set this option to false and improve security?

What is expected to happen?

OktaRedirectActivity export should be set to false?

What is the actual behavior?

In the AndroidManifest.xml generated after the build, located inside merged_manifest, the export for Okta is set to "true".

Reproduction Steps?

Generated a Pentest report with MobSF and got this High-risk vulnerability flagged due to the OktaRedirectActivity export being set to true.

Additional Information?

N/A

SDK Version

android:minSdkVersion="23" android:targetSdkVersion="31"

Build Information

No response

JayNewstrom commented 1 year ago

This needs to be exported. When using the browser redirect flow (Authorization Code Flow with PKCE), we launch another process (often Chrome) to perform the login, then the Chrome task redirects back via the OktaRedirectActivity.
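
The distinction in the comment above is the one a manifest audit should make: an activity that is exported because it receives a browser redirect through an intent filter is a different exposure from an activity that is exported with no intent filter and no permission at all. The script below is an added example, not code from the Okta SDK or from MobSF. It parses a merged AndroidManifest.xml with the standard library, computes each activity's effective exported state (explicit attribute, or Android's default of "exported when an intent filter is present", which targetSdk 31 requires to be made explicit), and lists the redirect schemes each exported activity accepts. The sample manifest is constructed for the example: the OktaRedirectActivity entry mirrors the snippet in the issue, while its intent filter, the placeholder scheme `com.example.placeholder`, and the two other activities are assumptions, not the project's real manifest.

```python
"""Audit exported activities in a merged AndroidManifest.xml.

Added example; not code from the okta-oidc-android project or from MobSF.
The sample manifest is constructed for this example, and the redirect scheme
and host values are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(name):
    """Return the ElementTree key for the android:<name> attribute."""
    return f"{{{ANDROID_NS}}}{name}"


# Constructed sample manifest (assumption): the OktaRedirectActivity entry from
# the issue with an assumed VIEW/BROWSABLE intent filter on a placeholder
# scheme, one activity exported with no filter, and one internal activity.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="31" />
  <application>
    <activity android:name="com.okta.oidc.OktaRedirectActivity"
        android:autoRemoveFromRecents="true"
        android:exported="true"
        android:launchMode="singleInstance">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="com.example.placeholder" android:host="callback" />
      </intent-filter>
    </activity>
    <activity android:name=".DebugActivity" android:exported="true" />
    <activity android:name=".MainActivity" android:exported="false" />
  </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Return one finding dict per <activity> in the manifest."""
    root = ET.fromstring(xml_text)
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(uses_sdk.get(a("targetSdkVersion"), "0")) if uses_sdk is not None else 0
    findings = []
    for act in root.iter("activity"):
        explicit = act.get(a("exported"))
        filters = act.findall("intent-filter")
        # Android's default: a component with an intent filter is exported
        # unless android:exported says otherwise; without a filter it is not.
        exported = explicit == "true" if explicit is not None else bool(filters)
        schemes = sorted({d.get(a("scheme")) for f in filters
                          for d in f.findall("data") if d.get(a("scheme"))})
        finding = {
            "name": act.get(a("name")),
            "exported": exported,
            "explicit": explicit is not None,
            "has_filter": bool(filters),
            "schemes": schemes,
            "permission": act.get(a("permission")),
            "issues": [],
        }
        # Exported with nothing narrowing who may launch it: broad exposure.
        if exported and not filters and not finding["permission"]:
            finding["issues"].append("exported without intent-filter or permission")
        # From targetSdk 31 the attribute must be explicit when a filter exists.
        if target_sdk >= 31 and explicit is None and filters:
            finding["issues"].append("exported must be explicit for targetSdk >= 31")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        flag = "exported" if f["exported"] else "internal"
        print(f"{f['name']}: {flag}, schemes={f['schemes']}, issues={f['issues']}")
```

Run against the constructed sample, the redirect activity is reported as exported with its redirect scheme and no issue, which is the expected shape for a browser-callback entry point; the activity exported with no filter and no permission is the one that deserves the high-risk label. Pointing the script at a real build's merged_manifest output separates those two cases the way a MobSF finding on `android:exported` alone does not.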

simonedif commented 1 year ago

Thanks, @JayNewstrom for the clarification