Misconfigured MSAL for Android Exposes Microsoft Account Tokens
- [01] Malicious apps could intercept authentication tokens to gain unauthorized access to sensitive Microsoft account data including emails and files.
- [02] Multiple Microsoft Android applications including Teams, Outlook, and OneDrive, totaling several billion installations, were vulnerable to token interception.
- [03] Defenders should verify that Android applications utilize secure redirect URIs and have updated to the latest MSAL versions.
Recent research has highlighted a significant security flaw within the Microsoft Authentication Library (MSAL) for Android, which left billions of downloads vulnerable to account takeover. The flaw, according to SecurityWeek, originated from a single line of configuration code that inadvertently bypassed security protections designed to keep authentication tokens within the intended application’s sandbox. This Microsoft Android app authentication vulnerability highlights the risks inherent in complex OAuth 2.0 implementations.
Technical Analysis of the MSAL Vulnerability
The vulnerability centered on how MSAL handled redirect URIs during the authentication handshake. In a standard OAuth flow, after a user provides their credentials, the authentication server sends an authorization code to a specified redirect URI. The application then exchanges this code for an access token. The research conducted by Overseer found that many Microsoft applications were using a custom URI scheme that was marked as ‘browsable’ in the Android Manifest file.
Declaring the android.intent.category.BROWSABLE category on an intent filter tells the Android operating system that the filtered URI may be opened from the mobile browser. A custom URI scheme is not bound to any one package: any installed app can declare an intent filter for the same scheme, and the OS has no reliable way to tell the legitimate handler from a rogue one. An attacker who could convince a user to visit a malicious website or install a low-privilege malicious app could therefore trigger the redirect through a phishing page, or register a rogue handler for the scheme, and receive the authorization code. Because the MSAL configuration did not properly validate the identity of the app receiving the redirect, the resulting token could be leaked to an unauthorized third party.
This configuration effectively allowed a form of privilege escalation, where an app holding no Android permissions could gain the high-level access associated with a user’s Microsoft account. While no CVE was formally assigned to this specific misconfiguration, since it was resolved through library updates and server-side logic, the impact was vast, affecting flagship products like Teams, Outlook, and OneDrive.
Securing Android Applications: How to Prevent MSAL Token Theft
To mitigate these risks, developers must adhere to Android browsable intent security best practices. Relying on custom URI schemes for authentication redirects is increasingly considered a legacy approach that lacks the security of modern alternatives; RFC 8252 (OAuth 2.0 for Native Apps) already recommends claimed HTTPS redirect URIs over private-use schemes. Organizations should prioritize the transition to App Links, which use HTTPS URIs and require a verified association (a Digital Asset Links file served by the website, matched against the app’s package name and signing certificate) between the website and the mobile app. Only a filter marked android:autoVerify="true" on a host the developer controls gets that guarantee; an https intent filter without verification can still be claimed by other apps.
From a SOC perspective, detecting this TTP is challenging because the interception occurs locally on the device and the resulting sign-in looks like a legitimate one for the affected app. Security teams should monitor sign-in logs for unusual locations, new devices, or anomalous API calls that follow closely after a user’s interactive authentication event. Implementing Zero Trust principles can further limit the blast radius by requiring device compliance checks before granting access to sensitive resources, even if a token is compromised.
Actionable Recommendations for Developers and Administrators
- Update Libraries: Ensure all Android applications are using the latest version of the Microsoft Authentication Library. Microsoft has issued fixes that add stricter validation to the redirect URI process.
- Review Manifests: Audit AndroidManifest.xml files for any intent filters that use the browsable attribute unnecessarily, especially those associated with authentication flows.
- Shift to HTTPS Redirects: Replace custom URI schemes (e.g., msauth://) with verified HTTPS App Links to ensure the operating system only delivers tokens to the legitimate application.
- Audit MSAL Configurations: Review the MSAL configuration JSON files to ensure that the redirect URIs match exactly with the ones registered in the Azure Portal.
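The manifest and configuration checks recommended above can be scripted. The following Python auditor is an added example written for this page, not code from Microsoft, MSAL, or the Overseer research. It embeds two constructed AndroidManifest.xml fragments (the weak BROWSABLE custom-scheme pattern described in the technical analysis, and a hardened App Link form) together with minimal MSAL config fragments; the package name, activity name, host, client_id and signature-hash placeholder are all assumptions. It flags browser-reachable intent filters on custom schemes, https filters that are not verified App Links, and a redirect_uri that is not HTTPS, not in the portal allowlist you pass in, or not handled by any filter in the manifest.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ANDROID = "{http://schemas.android.com/apk/res/android}"  # manifest attribute namespace

# Constructed sample manifest (not from any real app): the weak pattern the article
# describes, a BROWSABLE intent filter on a custom msauth:// scheme.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name="com.example.app.AuthRedirectActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="msauth" android:host="com.example.app" android:path="/SIG_HASH_PLACEHOLDER" />
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Hardened form: a verified https App Link (android:autoVerify) on a host the developer controls.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name="com.example.app.AuthRedirectActivity" android:exported="true">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="https" android:host="auth.example.com" android:path="/msal/redirect" />
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed MSAL config fragments; only redirect_uri matters to this audit. Values are placeholders.
WEAK_CONFIG = json.dumps({"client_id": "00000000-0000-0000-0000-000000000000",
                          "redirect_uri": "msauth://com.example.app/SIG_HASH_PLACEHOLDER"})
HARDENED_CONFIG = json.dumps({"client_id": "00000000-0000-0000-0000-000000000000",
                              "redirect_uri": "https://auth.example.com/msal/redirect"})


def _attr(el, name):
    return el.get(ANDROID + name)


def intent_filters(manifest_xml):
    """One record per <intent-filter> declared on an <activity> or <activity-alias>."""
    root = ET.fromstring(manifest_xml)
    records = []
    for comp in root.iter():
        if comp.tag not in ("activity", "activity-alias"):
            continue
        for filt in comp.findall("intent-filter"):
            cats = {_attr(c, "name") for c in filt.findall("category")}
            data = filt.findall("data")
            records.append({
                "activity": _attr(comp, "name"),
                "browsable": "android.intent.category.BROWSABLE" in cats,
                "autoverify": _attr(filt, "autoVerify") == "true",
                "schemes": {_attr(d, "scheme") for d in data if _attr(d, "scheme")},
                "hosts": {_attr(d, "host") for d in data if _attr(d, "host")},
            })
    return records


def audit_manifest(manifest_xml):
    """Flag browser-reachable filters that any other installed app could also claim."""
    findings = []
    for f in intent_filters(manifest_xml):
        if not f["browsable"]:
            continue
        custom = sorted(s for s in f["schemes"] if s not in ("http", "https"))
        if custom:
            findings.append(f"{f['activity']}: BROWSABLE filter on custom scheme(s) {custom}; "
                            "any installed app may register the same scheme")
        if "https" in f["schemes"] and not f["autoverify"]:
            findings.append(f"{f['activity']}: https filter without android:autoVerify; "
                            "not a verified App Link, other apps can still claim it")
    return findings


def audit_redirect(config_json, manifest_xml, registered_uris):
    """Check the configured redirect_uri against the portal allowlist and the manifest."""
    redirect = json.loads(config_json).get("redirect_uri", "")
    parts = urlsplit(redirect)
    findings = []
    if parts.scheme != "https":
        findings.append(f"redirect_uri uses custom scheme '{parts.scheme}'; prefer a verified https App Link")
    if redirect not in registered_uris:
        findings.append("redirect_uri is not among the URIs registered for this app in the portal")
    handled = any(parts.scheme in f["schemes"] and (not f["hosts"] or parts.netloc in f["hosts"])
                  for f in intent_filters(manifest_xml))
    if not handled:
        findings.append("no intent-filter in the manifest handles the configured redirect_uri")
    return findings


if __name__ == "__main__":
    for label, manifest, cfg, registered in (
        ("weak", WEAK_MANIFEST, WEAK_CONFIG, {"msauth://com.example.app/SIG_HASH_PLACEHOLDER"}),
        ("hardened", HARDENED_MANIFEST, HARDENED_CONFIG, {"https://auth.example.com/msal/redirect"}),
    ):
        print(label, audit_manifest(manifest) + audit_redirect(cfg, manifest, registered))
```

In a real audit, pass the redirect URIs exported from the app registration as `registered_uris` and run `audit_manifest` over the merged manifest produced by the build, since library manifests (including the one MSAL contributes) are merged into the final APK and can add intent filters the app’s own source does not show.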
While Microsoft has remediated the issue for its primary applications, the underlying pattern remains a cautionary tale for any developer utilizing third-party identity providers. Understanding how to prevent MSAL token theft is a requirement for maintaining the integrity of mobile-to-cloud identity chains in a modern enterprise.