Question
Why is a web browser needed to log in to 8x8 Work for Mobile on Android devices?
Applies To
- 8x8 Work for Mobile
- Android Devices
- OAuth
- Web Browsers
Answer
With 8x8 Work for Mobile version 11.1 we uncovered a security weakness within our OAuth login flow that could have enabled advanced attackers to intercept login data. The fix required moving away from native WebView and a custom redirect schema used for the sign-in process to taking users to a secure environment using trusted and OAuth standard-compliant web browsers to complete the single sign-on process. The authentication happens securely in the browser and on successful login the user is redirected in the mobile app.
Note: As a side effect of this change login on devices without a trusted and OAuth standard-compliant web browser is not supported any longer and in certain cases, the user is redirected to the web version of 8x8 Work. To resolve this issue one of the supported browsers needs to be installed on the device.