CERT Secure Coding

DRD27-J. For OAuth, use an explicit intent method to deliver access tokens

This rule was developed in part by Zifei (FeiFei) Han and Rachel Xu at the October 20-22, 2017 OurCS Workshop ( http://www.cs.cmu.edu/ourcs/register.html ).
For more information about this statement, see the About the OurCS Workshop page.

Under Construction

This guideline is under construction.

Explanation:

An explicit intent names the component that is to receive it, so the data it carries is delivered only to that component. An implicit intent instead declares a general action that any application with a matching intent filter can handle, so an implicit intent that carries an access token may deliver that token, and information about the user's action, to an unintended application.

An explicit intent delivers the access token to a specific component of a specific application. When sending access tokens to hosts, use an explicit intent rather than an implicit one.

Noncompliant Code Example

This noncompliant code example shows an application that ...

Non-compliant code
protected void onTokenAcquired(Bundle savedInstanceState) {
    // [Code to construct an OAuth client request goes here]
    // Implicit intent: only an action and a data URI are given, so any
    // application whose intent filter matches can be selected to handle it.
    Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(request.getLocationUri() + "&response_type=code"));
    startActivity(intent);
}

Compliant Solution

In this compliant solution ...:

Compliant code
protected void onTokenAcquired(Bundle savedInstanceState) {
    // [Code to construct an OAuth client request goes here]
    // Explicit intent: the Context and the target activity class restrict
    // delivery to the named component of this application.
    Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(request.getLocationUri() + "&response_type=code"), this, [YOUR OAUTH ACTIVITY CLASS]);
    startActivity(intent);
}
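The explanation above contrasts implicit and explicit delivery. The following added example (written for this page, not the CERT authors' code; the activity class, action string and extra key are hypothetical) shows the two intent forms side by side, a package-scoped variant for a handler that lives in another trusted application, and the receiving activity.

```java
// Added example with hypothetical names; not the CERT page's own code.
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;

public final class TokenDelivery {
    static final String ACTION_TOKEN_ACQUIRED = "com.example.oauth.TOKEN_ACQUIRED";
    static final String EXTRA_ACCESS_TOKEN = "com.example.oauth.ACCESS_TOKEN";

    // Noncompliant: an implicit intent is resolved by action. Any installed app
    // whose <intent-filter> declares ACTION_TOKEN_ACQUIRED is a candidate to
    // receive the token, and the user may even be shown a chooser dialog.
    static Intent implicitTokenIntent(String accessToken) {
        Intent intent = new Intent(ACTION_TOKEN_ACQUIRED);
        intent.putExtra(EXTRA_ACCESS_TOKEN, accessToken);
        return intent;
    }

    // Compliant: an explicit intent names the receiving component, so the
    // system delivers it only to TokenHandlerActivity in this package.
    static Intent explicitTokenIntent(Context ctx, String accessToken) {
        Intent intent = new Intent(ctx, TokenHandlerActivity.class);
        intent.putExtra(EXTRA_ACCESS_TOKEN, accessToken);
        return intent;
    }

    // Variant for a handler in a different, trusted application:
    // setPackage() limits resolution to that package instead of every app.
    static Intent packageScopedTokenIntent(String trustedPackage, String accessToken) {
        Intent intent = new Intent(ACTION_TOKEN_ACQUIRED);
        intent.setPackage(trustedPackage);
        intent.putExtra(EXTRA_ACCESS_TOKEN, accessToken);
        return intent;
    }
}

// Receiver. Declare it with android:exported="false" in AndroidManifest.xml so
// other applications cannot start it with a forged "token acquired" intent.
class TokenHandlerActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String token = getIntent().getStringExtra(TokenDelivery.EXTRA_ACCESS_TOKEN);
        // Use the token from here on; never write it to the log.
    }
}
```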

Exceptions

Risk Assessment

Summary of risk assessment.

Rule    | Severity | Likelihood | Detectable | Repairable | Priority | Level
DRD27-J |          |            | No         | No         |          |

Automated Detection

Tool | Version | Checker | Description
TBD  |         |         |



CWE-297: Improper Validation of Certificate with Host Mismatch
