Defender observes an OAuth/OIDC redirect (ACTION_VIEW) resolved to a non-allowlisted handler package (logcat:IntentResolver), followed within a short window by that same package accessing token material via AccountManager/Keystore or reading application token caches under /data/data/
| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | android:logcat | ACTION_VIEW redirect_uri handled by unexpected package |
| Application Log Content (DC0038) | android:logcat | Task switch from browser/custom tab to handler immediately after OAuth return |
| File Access (DC0055) | android:logcat | KeyChain/AndroidKeyStore read of token alias |
| Field | Description |
|---|---|
| TimeWindowSeconds | Max seconds between redirect handling and token access (e.g., 30–180). |
| RedirectUriAllowlist | Approved redirect URI patterns per app (HTTPS/app-scheme). |
| TrustedHandlerPackages | Expected package names allowed to handle the redirect. |
| TokenFileRegex | Environment-specific token cache filenames/paths. |
| WorkProfileScope | Restrict to enterprise work profile to reduce personal-app noise. |
When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.[1][2]
On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it.
| Data Component | Name | Channel |
|---|---|---|
| API Calls (DC0112) | Application Vetting | None |
| System Notifications (DC0117) | User Interface | None |