StrictMode UnsafeIntentLaunchViolation when launching OAuth flow #1136
Description
Environment
- AppAuth version: 0.11.1
- Tested on Android 14 and 15
- Occurs with both target SDK 34 and 35
Description
When running an app with StrictMode enabled, AppAuth triggers an UnsafeIntentLaunchViolation during the OAuth authorization flow. This occurs when the library launches an implicit intent to open the authorization URL in a browser.
StrictMode violation
StrictMode policy violation: android.os.strictmode.UnsafeIntentLaunchViolation:
Launch of unsafe intent: Intent { act=android.intent.action.VIEW dat=https://[oauth-provider-url] pkg=com.android.chrome (has extras) }
at android.os.StrictMode.onUnsafeIntentLaunch(StrictMode.java:2366)
at net.openid.appauth.AuthorizationManagementActivity.onResume(AuthorizationManagementActivity.java:228)
Steps to reproduce
- Enable StrictMode in the app following this official Android documentation
fun onCreate() {
StrictMode.setVmPolicy(VmPolicy.Builder()
.detectUnsafeIntentLaunch()
.build()
)
}
- Initiate OAuth flow using AppAuth
- Observe the violation in logs
Additional context
According to this response from Google, the violation is currently only a StrictMode warning and doesn't affect functionality in production. However, it may be enforced in future Android releases.