Description
Checklist:
- I am using the latest release
- I searched for existing GitHub issues
- I read the documentation
- I verified the client configuration matches the information in the identity provider (or I am using dynamic client registration)
- I am either using a custom URI scheme or https with App Links for client redirect.
- I can reproduce the issue in the demo app (optional)
Configuration
- Version: 0.9.1 (and potentially other versions)
- Integration: Native (Java/Kotlin)
- Identity provider: OAuth2/OpenID Connect (Generic)
Issue Description
Security Vulnerability: RedirectUriReceiverActivity susceptible to TapTrap Attack
Summary
Security scanning tools have identified that RedirectUriReceiverActivity is vulnerable to TapTrap attacks due to insufficient activity protection in the AndroidManifest.
Details
TapTrap is an Android attack that exploits activity transition animations to trick users into performing unintended actions. The RedirectUriReceiverActivity currently lacks proper protection against this attack vector.
Vulnerability Details
- Affected Component: net.openid.appauth.RedirectUriReceiverActivity
- Attack Vector: Activity transition animation exploitation
- Risk: Potential unauthorized actions during OAuth redirect flow
Recommended Fix
Implement one of the following mitigations in the library's AndroidManifest.xml:
Option 1: Set android:exported="false" (if appropriate for the use case)
Option 2: Add android:launchMode="singleTask" or similar
Option 3: Override entry animations in the Activity
Option 4: Add input delay after animation completion
Impact
This affects all applications using AppAuth library for OAuth2/OpenID Connect authentication flows.
Request
Could the maintainers please review this security concern and implement appropriate mitigations in a future release?
Thank you for maintaining this excellent library!
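Added example, not part of the report above and not AppAuth-Android code: a hypothetical activity that applies Option 3 (override the entry animation) and Option 4 (ignore input for a short window after the activity becomes visible) from the list of recommended fixes. The class name and the 500 ms delay are assumptions. One caveat a practitioner would check before relying on this: whether an animation override issued by the started activity takes precedence over a custom animation supplied by the launching app depends on the Android version, so the effect should be verified on a device rather than assumed.

```java
// Hypothetical activity illustrating Options 3 and 4 from the issue.
// Not AppAuth-Android code; class name and delay value are assumptions.
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.os.SystemClock;
import android.view.MotionEvent;

public class HardenedRedirectReceiverActivity extends Activity {
    // Option 4: touches that arrive within this window after onResume() are dropped.
    // The value is an assumption for this example, not a figure from the issue.
    private static final long TOUCH_DELAY_MS = 500L;
    private long resumedAtMs;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Option 3: replace whatever enter/exit animation the launching app supplied
        // with no animation, so the activity is fully opaque as soon as it appears
        // instead of being drawn semi-transparent for the duration of a long transition.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            overrideActivityTransition(OVERRIDE_TRANSITION_OPEN, 0, 0);
        } else {
            overridePendingTransition(0, 0);
        }
    }

    @Override
    protected void onResume() {
        super.onResume();
        // Record when the activity became interactive; used by dispatchTouchEvent().
        resumedAtMs = SystemClock.uptimeMillis();
    }

    @Override
    public boolean dispatchTouchEvent(MotionEvent ev) {
        // Option 4: consume and ignore any touch delivered before the activity has been
        // visible for TOUCH_DELAY_MS, so a tap aimed at another app's UI during the
        // transition never reaches this activity's views.
        if (SystemClock.uptimeMillis() - resumedAtMs < TOUCH_DELAY_MS) {
            return true;
        }
        return super.dispatchTouchEvent(ev);
    }
}
```

Because the library declares RedirectUriReceiverActivity in its own manifest, an app cannot simply subclass it to get this behaviour; the example shows what the two activity-side options look like, and the maintainers would have to apply them inside the library's activity itself.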