MobSF Security Flags on Intune-Wrapped React Native App: Exported Components (Activity/Service/BroadcastReceiver) - False Positives?
Context:
We’ve integrated Microsoft Intune SDK into our React Native app (v0.72.6, minSDK 29) for app protection policies and authentication (using Microsoft OAuth2.0). After generating a release build and testing with MobSF, we received security warnings about exported components not being protected. We suspect these are false positives due to Intune’s internal security mechanisms but need confirmation.
- Activity: net.openid.appauth.RedirectUriReceiverActivity
  - Issue: Exported (android:exported="true") without explicit permission.
  - Purpose: Handles OAuth redirects via AppAuth library.
- Service: com.microsoft.intune.mam.client.notification.MAMNotificationReceiverService
  - Issue: Exported (android:exported="true") without explicit permission.
  - Purpose: Part of Intune SDK for policy notifications.
- Broadcast Receiver: com.microsoft.intune.mam.client.service.MAMBackgroundReceiver
  - Issue: Exported (android:exported="true") without explicit permission.
  - Purpose: Part of Intune SDK for background tasks.
Steps Taken to Mitigate:
AppAuth Activity:
- Confirmed RedirectUriReceiverActivity follows AppAuth best practices.
- Added intent-filter specificity to limit exposure.
Intune Components:
- Added the ManageAppPermission signature-level permission to the Intune service/receiver (as per Microsoft documentation).
- Result: MobSF still flags the service as unprotected.
Questions for Microsoft:
- Is there official guidance on suppressing these warnings for Intune SDK components?
- For RedirectUriReceiverActivity, does the AppAuth + Intune integration inherently mitigate the risk of exported=true (e.g., via URI specificity or Intune policy enforcement)?
Additional Details:
- Intune SDK Version: 1.0.4549.6
- react-native-app-auth Version: 8.0.0
- MobSF Report Screenshots: (Attached images)
Why This Matters:
We need to ensure compliance with enterprise security standards while avoiding unnecessary workarounds for false positives. Official confirmation from Microsoft would help resolve this cleanly.
Are there any additional details, logs, or configurations you need from our side to investigate these issues? Please let us know.
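
An added example, not part of the original post and not MobSF or Intune code: a Python check over a merged AndroidManifest.xml in text form that lists every explicitly exported activity, service and receiver and reports whether its permission is declared with signature protection level. The manifest is constructed; the component names come from the post, while the permission name and the function name `audit_exported` are placeholders assumed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed merged manifest. Component names are from the post; the
# permission name is a placeholder, not the real Intune permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <permission android:name="com.example.PLACEHOLDER_PERMISSION" android:protectionLevel="signature"/>
  <application>
    <activity android:name="net.openid.appauth.RedirectUriReceiverActivity" android:exported="true"/>
    <service android:name="com.microsoft.intune.mam.client.notification.MAMNotificationReceiverService"
             android:exported="true"/>
    <receiver android:name="com.microsoft.intune.mam.client.service.MAMBackgroundReceiver"
              android:exported="true" android:permission="com.example.PLACEHOLDER_PERMISSION"/>
  </application>
</manifest>"""


def audit_exported(manifest_xml):
    """Map each explicitly exported component to its protection status."""
    root = ET.fromstring(manifest_xml)
    # Protection levels of the permissions this manifest declares itself.
    levels = {p.get(ANDROID + "name"): p.get(ANDROID + "protectionLevel", "normal")
              for p in root.iter("permission")}
    app = root.find("application")
    findings = {}
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or comp.get(ANDROID + "exported") != "true":
            continue
        # A component-level permission takes precedence over the application's.
        perm = comp.get(ANDROID + "permission") or app.get(ANDROID + "permission")
        if perm is None:
            status = "exported, no permission"
        elif perm not in levels:
            status = "permission declared elsewhere, level unknown"
        elif "signature" in levels[perm].split("|"):
            status = "signature-protected"
        else:
            status = "permission level is " + levels[perm]
        findings[comp.get(ANDROID + "name")] = status
    return findings


if __name__ == "__main__":
    for name, status in audit_exported(SAMPLE_MANIFEST).items():
        print(f"{name}: {status}")
```

Running it against the merged manifest of the release build, rather than the app module's source manifest, shows whether a permission override actually reached each SDK component after manifest merging.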