Start copying here:

This rule was developed in part by Zifei (FeiFei) Han and Rachel Xu at the October 20-22, 2017 OurCS Workshop (http://www.cs.cmu.edu/ourcs/register.html).
For more information about this statement, see the About the OurCS Workshop page.

End copying here.

This guideline is under construction. 

 

Explanation:

Explicit intent can protect user information, while implicit intent declares general actions that all applications can use. This way implicit intent may be harmful and release the user's action information.

On the other hand, Explicit intent sent access tokens by using specific components to personalize for specific applications. Specifically when sending access tokens to hosts we should use explicit intent rather than implicit.

Noncompliant Code Example

This noncompliant code example shows an application that ...

protected void OnTokenAcquired(Bundle savedInstanceState) {
	//[Code to construct an OAuth client request goes here]
	Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(request.getlocationUri() + "&response_type=code"));
	startActivity(intent);
}

 

Compliant Solution

In this compliant solution ...:

protected void OnTokenAcquired(Bundle savedInstanceState) {
	//[Code to construct an OAuth client request goes here]
	Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(request.getlocationUri() + "&response_type=code"), this, [YOUR OAUTH ACTIVITY CLASS]);
	startActivity(intent);
}

Exceptions

 

Risk Assessment

Summary of risk assessment.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

TBD

 

 

 

 

 

Automated Detection

Tool

Version

Checker

Description

TBD 


 

Related Guidelines

Fill in the table below with at least one entry row, per these instructions, then remove this purple-font section.

CWE-297

 Improper Validation of Certificate with Host Mismatch

Bibliography

[Chen 14]

OAuth Demystified for Mobile Application Developers.  OAuthDemystified.pdf

[IETF OAuth1.0a]

Internet Engineering Task Force (IETF). OAuth core 1.0 revision a. http://oauth.net/core/1.0a/.

[IETF OAuth2.0] Internet Engineering Task Force (IETF). The OAuth 2.0 authorization framework. http://tools.ietf.org/html/rfc6749.
[Android Intent]Intends and Intent Filters in Andriod Developer Documentation. Intents.filters.document