Android 11+ no longer throws MsalClientException when matching URL scheme defined in multiple apps

[opt05]

Describe the bug
Related to #1722 then when an app has a matching scheme, on Android 11 and greater it no longer throws any exception and proceeds with the creation of the client application. This is probably due to Package Visibility change in Android 11

Smartphone (please complete the following information):

• Device: Pixel 6 Pro
• Android Version: Android 13
• Browser: Chrome 109.0.5414.85
• MSAL Version 4.1.3

Stacktrace
This is the expected stacktrace:

Fatal Exception: com.microsoft.identity.client.exception.MsalClientException: More than one app is listening for the URL scheme defined for BrowserTabActivity in the AndroidManifest. The package name of this other app is: com.example.test
       at com.microsoft.identity.client.PublicClientApplicationConfiguration.validateCustomTabRedirectActivity(PublicClientApplicationConfiguration.java:156)
       at com.microsoft.identity.client.PublicClientApplicationConfiguration.checkIntentFilterAddedToAppManifestForBrokerFlow(PublicClientApplicationConfiguration.java:34)
       at com.microsoft.identity.client.PublicClientApplication.initializeApplication(PublicClientApplication.java:57)
       at com.microsoft.identity.client.PublicClientApplication.<init>(PublicClientApplication.java:26)
       at com.microsoft.identity.client.MultipleAccountPublicClientApplication.<init>(MultipleAccountPublicClientApplication.java)
       at com.microsoft.identity.client.PublicClientApplication$9.onTaskCompleted(PublicClientApplication.java:32)
       at com.microsoft.identity.client.PublicClientApplication$9.onTaskCompleted(PublicClientApplication.java:2)
       at com.microsoft.identity.common.java.controllers.CommandDispatcher.commandCallbackOnTaskCompleted(CommandDispatcher.java:8)
       at com.microsoft.identity.common.java.controllers.CommandDispatcher.access$1000(CommandDispatcher.java)
       at com.microsoft.identity.common.java.controllers.CommandDispatcher$4.run(CommandDispatcher.java:38)
       at android.os.Handler.handleCallback(Handler.java:883)
       at android.os.Handler.dispatchMessage(Handler.java:100)
       at android.os.Looper.loop(Looper.java:237)
       at android.app.ActivityThread.main(ActivityThread.java:8167)
       at java.lang.reflect.Method.invoke(Method.java)
       at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:496)
       at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1100)

To Reproduce
Steps to reproduce the behavior:

1. Have 2 apps with a matching scheme, like so:

<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools">
    <application>
        <activity
            android:name="com.microsoft.identity.client.BrowserTabActivity"
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
                <category android:name="android.intent.category.DEFAULT" />
                <category android:name="android.intent.category.BROWSABLE" />
                <data
                    android:host="<insert different host>"
                    android:path="<insert different path>"
                    android:scheme="auth" />
            </intent-filter>
        </activity>
    </application>
</manifest>

2. Run the creation method: PublicClientApplication.createMultipleAccountPublicClientApplication(context, R.raw.msal_config)
3. On Android 10 and below it throws the above stacktrace, but doesn't throw anything on Android 11+ and proceeds creation. On Android 11+, when a user successfully logs in then it gets stuck and never proceeds back to the app.

Expected behavior
Android 11+ should throw the same exception as Android 10 and below when PublicClientApplication.createMultipleAccountPublicClientApplication is called

Actual Behavior
On Android 11+, when any function(i.e. acquireToken) is called on the PublicClientApplication, it will get stuck and never come back to the app

Screenshots
n/a

Additional context
There probably needs to be added an intent query in the Manifest of the library

[negoe]

@opt05 Thanks for sharing the details of the issue. We will investigate and come back to you.

[negoe]

@opt05 Just to confirm, is the data part of both the apps's manifest is absolutely similat? And are you creating your "redirect_uri" using the same set of schemes information for both apps?

Tried reproducing this scenario on Android 11 and 13 and the app is throwing com.microsoft.identity.client.exception.MsalClientException: for me on Pixel device.

[opt05]

@negoe The way that we are reproducing and seeing it in our prod app is by installing the MyDish app (which is registering as some sort of catch all with MSAL scheme) and then using our own registration in our app's manifest (also mentioned above):

<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools">
    <application>
        <activity
            android:name="com.microsoft.identity.client.BrowserTabActivity"
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
                <category android:name="android.intent.category.DEFAULT" />
                <category android:name="android.intent.category.BROWSABLE" />
                <data
                    android:host="<insert your host>"
                    android:path="<insert your path>"
                    android:scheme="auth" />
            </intent-filter>
        </activity>
    </application>
</manifest>

Then create the PublicClientApplication, like so: PublicClientApplication.createMultipleAccountPublicClientApplication(context, R.raw.msal_config)

Here is our R.raw.msal_config, if that helps:

{
  "client_id": "redacted",
  "authorization_user_agent": "DEFAULT",
  "redirect_uri": "auth://redacted/redacted",
  "account_mode": "MULTIPLE",
  "broker_redirect_uri_registered": true,
  "shared_device_mode_supported": false,
  "authorities": [
    {
      "type": "B2C",
      "authority_url": "redacted",
      "default": true
    },
    {
      "type": "B2C",
      "authority_url": "redacted"
    }
  ]
}

I installed the MyDish app and our app on the following

• Nexus 9 (Android 7.1.1): crash on createMultipleAccountPublicClientApplication with com.microsoft.identity.client.exception.MsalClientException: More than one app is listening for the URL scheme defined for BrowserTabActivity in the AndroidManifest. The package name of this other app is: com.dish.mydish
• Pixel 3 (Android 12): no crash
• Pixel 6 Pro (Android 13): no crash

[Greta-Rad]

Can you please advice how to recover from this situation (when user has another app with MSAL and matching "android:scheme="msauth"" attribute in manifest, installed from Google Play) ?

We encounter this problem from time to time and we discover more and more apps from Google Play that are colliding with our app. (createMultipleAccountPublicClientApplication failing with "MsalClientException: More than one app is listening for the URL scheme defined for BrowserTabActivity in the AndroidManifest") It's a bit ridiculous to ask user to uninstall other apps...

@negoe / @opt05 Please, your inputs would be very valuable

[negoe]

hi @Greta-Rad Thanks for the feedback. We are trying our best to carve out some space on our roadmap to address this issue. As soon as we have more clarity I will reach out to you.

[pawel-gasiorowski-avenga]

The same on my side @negoe. I was trying to fight this problem for a few days already. I still get the error:

"More than one app is listening for the URL scheme defined for BrowserTabActivity in the AndroidManifest. The package name of this other app is: com.***.myapp.dev"

and the _com..myapp.dev_* is exactly the ID of my app.

Samsung Galaxy S10 (fabric reset done)
Android 12
CompileSDK 33.

Any news on that ?