Developer technologies | .NET | Xamarin
A Microsoft framework for building cross-platform mobile apps using .NET and C# with native performance and user interfaces.
MSAL - Xamarin Forms - iOS and Android - Penetration Test - Password is disclosed in the process where app is running
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 44%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Baluprasath Sampath Kumar
1
Reputation point
Hi,
We have implemented the MSAL authentication with EmbeddedWebView for Xamarin Forms Mobile app(iOS and Android).
The issue is when the app is penetration tested, they could find the password is being saved inside the app process and it can be easily retrieved.
MSAL library exposing sensitive information to the attackers.
Would be helpful if it is addressed earlier ASAP.
Regards,
Baluprasath S
Developer technologies | .NET | Xamarin
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 57.00000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Shashi Shailaj 7,636 Reputation points Microsoft Employee Moderator2021-04-07T08:41:42.55+00:00 @Baluprasath Sampath Kumar , Thank you for sharing your findings. Could you please let me know what oAuth flows you are using while the password is being saved in the app process?
-
Baluprasath Sampath Kumar 1 Reputation point
2021-04-08T03:19:45.98+00:00 Hi @Shashi Shailaj ,
Thanks for your email.
MSAL library internally does it choosing the oAuth flow(correct me if I am wrong) because there is no config or code written to specify the oAuth flow. It should be Authorization Code oAuth flow (but not sure).
But the authentication is interactive where user needs to enter their own email and password.
The implementation would be similar as in the below link,
https://damienaicheh.github.io/azure/xamarin/xamarin.forms/2019/07/01/sign-in-with-microsoft-account-with-xamarin-en.htmlRegards,
Baluprasath S
Sign in to comment
Sign in to answer