BaluprasathSampathKumar-5511 asked · RobCaplan edited

MSAL - Xamarin Forms - iOS and Android - Penetration Test - Password is disclosed in the process where app is running

Hi,

We have implemented MSAL authentication with EmbeddedWebView for a Xamarin Forms mobile app (iOS and Android).

The issue is that when the app was penetration tested, the testers found that the password is being kept inside the app process and can be easily retrieved.

The MSAL library is exposing sensitive information to attackers.

It would be helpful if this were addressed ASAP.

Regards,
Baluprasath S

Tags: dotnet-xamarin, azure-ad-msal

@BaluprasathSampathKumar-5511, thank you for sharing your findings. Could you please let me know which OAuth flows you are using while the password is being saved in the app process?

Hi @shashishailaj,

Thanks for your email.

The MSAL library internally chooses the OAuth flow (correct me if I am wrong) because there is no config or code written to specify the OAuth flow. It should be the Authorization Code OAuth flow (but I am not sure).

But the authentication is interactive, where the user needs to enter their own email and password.

The implementation would be similar as in the below link,
https://damienaicheh.github.io/azure/xamarin/xamarin.forms/2019/07/01/sign-in-with-microsoft-account-with-xamarin-en.html

Regards,
Baluprasath S

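For reference, the two interactive MSAL.NET configurations at issue in this thread, as an added example written for this page (it is not code from the question, from the linked article, or from the MSAL project). It shows the embedded web view setup the question describes next to the system-browser alternative that MSAL.NET also supports; the client ID, redirect URI, scopes and the `AuthService` class name are placeholders/assumptions.

```csharp
// Added example, not from the original post. Illustrates the difference between
// MSAL.NET interactive sign-in with an embedded web view and with the system browser
// on Xamarin (iOS/Android). Client ID, redirect URI and scopes are placeholders.
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class AuthService   // hypothetical wrapper class, not part of MSAL
{
    // Placeholder registration values; replace with the app registration's own.
    private const string ClientId = "<client-id-placeholder>";
    private const string RedirectUri = "msal<client-id-placeholder>://auth";
    private static readonly string[] Scopes = { "User.Read" };

    private static readonly IPublicClientApplication App =
        PublicClientApplicationBuilder.Create(ClientId)
            .WithRedirectUri(RedirectUri)
            .Build();

    // Variant 1: embedded web view (the configuration the question describes).
    // The sign-in page, including the password field, is rendered by a WebView
    // hosted inside the app's own process.
    public static Task<AuthenticationResult> SignInEmbeddedAsync(object parentActivityOrWindow)
    {
        return App.AcquireTokenInteractive(Scopes)
            .WithParentActivityOrWindow(parentActivityOrWindow) // Activity on Android, UIViewController on iOS
            .WithUseEmbeddedWebView(true)
            .ExecuteAsync();
    }

    // Variant 2: system browser (SFSafariViewController / Chrome Custom Tab).
    // The credential form runs in the platform browser, outside the app process;
    // the app only receives the authorization code on the redirect URI and
    // MSAL exchanges it for tokens.
    public static Task<AuthenticationResult> SignInSystemBrowserAsync(object parentActivityOrWindow)
    {
        return App.AcquireTokenInteractive(Scopes)
            .WithParentActivityOrWindow(parentActivityOrWindow)
            .WithUseEmbeddedWebView(false)
            .ExecuteAsync();
    }

    // Typical call pattern: try the token cache silently first so the user is
    // only asked for credentials when MSAL cannot refresh the session.
    public static async Task<AuthenticationResult> AcquireAsync(object parentActivityOrWindow)
    {
        var account = (await App.GetAccountsAsync()).FirstOrDefault();
        try
        {
            return await App.AcquireTokenSilent(Scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            return await SignInSystemBrowserAsync(parentActivityOrWindow);
        }
    }
}
```

The system-browser variant assumes the usual platform wiring MSAL.NET documents for Xamarin: on Android a `BrowserTabActivity` intent filter for the redirect URI and forwarding of `OnActivityResult` to `AuthenticationContinuationHelper`, and on iOS the `msal<client-id>` URL scheme plus keychain access group. Neither variant changes which OAuth flow is used (both are authorization code with PKCE); they differ in which process hosts the page where the user types the password.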

0 Answers