Fix for App Link Usage in DUNA / SSO scenarios (#2363)

shahzaibj · web-flow · commit b7c62432bd10 · 2025-08-28T10:43:02.000-07:00
See related common PR: AzureAD/microsoft-authentication-library-common-for-android#2745
diff --git a/changelog b/changelog
@@ -3,6 +3,7 @@ MSAL Wiki : https://github.com/AzureAD/microsoft-authentication-library-for-andr
 vNext
 ----------
 - [PATCH] Add null checks for guest account ids (#2361)
+- [MINOR] Fix for App Link Usage in DUNA / SSO scenarios (#2363)
 
 Version 7.0.3
 ----------
diff --git a/common b/common
@@ -1 +1 @@
-Subproject commit d8cdaae476b5c6a79a28f5b6d9ee50018ded2967
+Subproject commit 4b0a1de5cd5b8c3f815fe0381ef663a04d4d5e27
diff --git a/gradle/versions.gradle b/gradle/versions.gradle
@@ -25,7 +25,7 @@ ext {
     androidxCoreVersion = "1.5.0"
     annotationVersion = "1.0.0"
     appCompatVersion = "1.1.0"
-    browserVersion = "1.0.0"
+    browserVersion = "1.7.0"
     constraintLayoutVersion = "1.1.3"
     dexmakerMockitoVersion = "2.19.0"
     espressoCoreVersion = "3.1.0"
diff --git a/msal/src/main/java/com/microsoft/identity/client/CurrentTaskBrowserTabActivity.java b/msal/src/main/java/com/microsoft/identity/client/CurrentTaskBrowserTabActivity.java
@@ -22,6 +22,7 @@
 //  THE SOFTWARE.
 package com.microsoft.identity.client;
 
+import android.annotation.SuppressLint;
 import android.app.Activity;
 import android.content.BroadcastReceiver;
 import android.content.ComponentName;
@@ -34,8 +35,6 @@
 import android.os.Bundle;
 import android.widget.Toast;
 
-import androidx.localbroadcastmanager.content.LocalBroadcastManager;
-
 import com.microsoft.identity.common.internal.providers.oauth2.CurrentTaskBrowserAuthorizationFragment;
 import com.microsoft.identity.common.internal.util.StringUtil;
 import com.microsoft.identity.common.logging.Logger;
@@ -58,7 +57,7 @@
  * &lt;intent-filter&gt;
  *     &lt;action android:name="android.intent.action.VIEW" /&gt;
  *
- *     To receive implicit intents, have to put the activity in the category of default.
+ *     To receive implicit intents, have to put the category of default.
  *     &lt;category android:name="android.intent.category.DEFAULT" /&gt;
  *
  *     The target activity allows itself to be started by a web browser to display data.
@@ -73,7 +72,6 @@ public final class CurrentTaskBrowserTabActivity extends Activity {
     private static final String TAG = CurrentTaskBrowserTabActivity.class.getSimpleName();
     private static final int REDIRECT_RECEIVED_CODE = 2;
     private BroadcastReceiver mCloseBroadcastReceiver;
-    //private int mTaskIdResponseFor;
 
 
     @Override
@@ -98,17 +96,18 @@ && getIntent() != null
         }
     }
 
+    @SuppressLint("UnspecifiedRegisterReceiverFlag")
     @Override
     protected void onActivityResult(int requestCode, int resultCode, Intent data) {
         super.onActivityResult(requestCode, resultCode, data);
 
         final String methodTag = TAG + ":onActivityResult";
 
         if (resultCode == RESULT_CANCELED) {
-            // We weren't able to open CurrentTaskAuthorizationActivity from the back stack. Send a broadcast
-            // instead.
+            // Send broadcast to notify authorization activity
             Intent broadcast = new Intent(REDIRECT_RETURNED_ACTION);
-            LocalBroadcastManager.getInstance(this).sendBroadcast(broadcast);
+            broadcast.setPackage(getPackageName()); // Restrict to our app only
+            sendBroadcast(broadcast);
 
             // Wait for the custom tab to be removed from the back stack before finishing.
             mCloseBroadcastReceiver = new BroadcastReceiver() {
@@ -135,16 +134,28 @@ public void onReceive(Context context, Intent intent) {
                     }
                 }
             };
-            LocalBroadcastManager.getInstance(this).registerReceiver(
-                    mCloseBroadcastReceiver,
-                    new IntentFilter(DESTROY_REDIRECT_RECEIVING_ACTIVITY_ACTION)
-            );
+
+            IntentFilter filter = new IntentFilter(DESTROY_REDIRECT_RECEIVING_ACTIVITY_ACTION);
+            // Use backward-compatible receiver registration
+            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
+                // Use RECEIVER_NOT_EXPORTED for Android 13+ to prevent external apps from sending broadcasts
+                registerReceiver(mCloseBroadcastReceiver, filter, Context.RECEIVER_NOT_EXPORTED); // 0x4 = RECEIVER_NOT_EXPORTED
+            } else {
+                registerReceiver(mCloseBroadcastReceiver, filter);
+            }
         }
     }
 
     @Override
     protected void onDestroy() {
-        LocalBroadcastManager.getInstance(this).unregisterReceiver(mCloseBroadcastReceiver);
+        final String methodTag = TAG + ":onDestroy";
+        if (mCloseBroadcastReceiver != null) {
+            try {
+                unregisterReceiver(mCloseBroadcastReceiver);
+            } catch (final Exception e) {
+                Logger.error(methodTag, "Failed to unregister receiver: " + e.getMessage(), e);
+            }
+        }
         super.onDestroy();
     }
 
