Microsoft 365 Android Apps Leak Account Tokens
A leftover debug flag in Microsoft 365 Android apps lets any installed app steal account tokens. Here's what developers need to know and do now.
Microsoft 365 Android Apps Expose Account Tokens via Debug Flag
A debug flag that should have been stripped before release is giving any installed Android app the ability to steal account tokens from Microsoft 365 applications. The vulnerability affects Microsoft's suite of Android apps and stems from a leftover configuration that was almost certainly meant for internal testing. The account token exposure this creates is not a theoretical risk. Any malicious app sharing the device can silently pull authentication tokens without user interaction or elevated permissions.
This is a supply chain hygiene failure. A single overlooked build flag opens a door that OAuth and MSAL (Microsoft Authentication Library) were specifically designed to keep closed.
How the Debug Flag Token Theft Works on Android
Android's inter-process communication model is built around explicit permission boundaries. Apps are sandboxed by default. However, debug builds often expose content providers, activities, or broadcast receivers with android:exported="true" and without proper permission checks. When those components ship in production builds, any app on the device can interact with them directly.
In this case, the leftover debug flag appears to expose a mechanism that allows external apps to query or receive OAuth tokens held by the Microsoft 365 apps. These tokens are typically short-lived bearer credentials tied to Microsoft accounts, including corporate Azure AD identities. Stealing one grants an attacker the same access as the legitimate user, for the duration of the token's validity, often hours.
The attacker's app does not need special permissions. It just needs to be installed on the same device and know the right intent or content provider URI to call. That information is trivially extractable by reverse engineering the APK.
What Developers and Organizations Are Actually Risking
For individual users, this means any app they install alongside Microsoft Teams, Outlook, or OneDrive could be silently harvesting their session tokens. For enterprise environments, the blast radius is larger.
Corporate accounts authenticated through Azure AD carry access to email, SharePoint, Teams conversations, OneDrive files, and any other Microsoft 365 service the user is licensed for. A stolen token can be replayed from anywhere. MDM solutions and conditional access policies that check device compliance do not help if the token was stolen before those checks run.
Developers building Android apps that integrate with Microsoft 365 APIs should also audit their own debug configurations before release. This vulnerability is a reminder that build variants need explicit review, not just a toggle from debug to release.
How to Protect Your Apps and Users Against Token Exposure
Four concrete actions worth taking right now:
- Update immediately. Microsoft has been notified and patches should be prioritized the moment they ship. Check the Microsoft Security Response Center for the relevant CVE and patch status.
- Audit your own Android builds. If you ship Android apps, run aapt dump xmltree on your release APK against the AndroidManifest.xml. Flag any component with exported="true" that lacks a custom permission or signature-level protection.
- Enforce token binding where possible. Azure AD Conditional Access policies can require compliant device state and restrict token replay across networks. These are not a complete fix but raise the cost of exploitation.
- Monitor for anomalous token usage. Azure AD sign-in logs show token issuance location and client details. Unexpected replays from new IP ranges or user agents are a signal worth alerting on.
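The manifest audit from the second action, as an added Python example (not code from this post or from Microsoft): it parses the output of aapt dump xmltree (a constructed sample with hypothetical package and component names) and flags every component that other apps can reach without a permission guard. It goes one step beyond the exported="true" check by also treating a component that has an intent-filter but no explicit exported attribute as reachable, which is the default on targets below API 31.

```python
import re
# Constructed sample approximating `aapt dump xmltree release.apk AndroidManifest.xml`; names are hypothetical
SAMPLE_XMLTREE = """\
  E: manifest (line=2)
    E: application (line=8)
      E: provider (line=12)
        A: android:name(0x01010003)="com.example.suite.debug.TokenProvider" (Raw: "com.example.suite.debug.TokenProvider")
        A: android:exported(0x01010010)=(type 0x12)0xffffffff
      E: receiver (line=16)
        A: android:name(0x01010003)="com.example.suite.SyncReceiver" (Raw: "com.example.suite.SyncReceiver")
        A: android:exported(0x01010010)=(type 0x12)0xffffffff
        A: android:permission(0x01010006)="com.example.suite.permission.SYNC" (Raw: "com.example.suite.permission.SYNC")
      E: service (line=21)
        A: android:name(0x01010003)="com.example.suite.debug.DumpService" (Raw: "com.example.suite.debug.DumpService")
        E: intent-filter (line=23)
          E: action (line=24)
            A: android:name(0x01010003)="com.example.suite.DUMP" (Raw: "com.example.suite.DUMP")
"""

ELEM = re.compile(r"^( *)E: (\S+) \(line=(\d+)\)")
ATTR = re.compile(r'^( *)A: android:(\w+)\(0x[0-9a-f]+\)=(?:"([^"]*)"|\(type 0x\w+\)(0x[0-9a-f]+))')
COMPONENTS = {"activity", "service", "receiver", "provider"}
GUARDS = ("permission", "readPermission", "writePermission")

def parse_components(xmltree):
    """Walk aapt's indented tree; keep each component's own attributes and whether it has an intent-filter."""
    comps, cur, depth = [], None, -1
    for line in xmltree.splitlines():
        if (m := ELEM.match(line)):
            indent, tag = len(m.group(1)), m.group(2)
            if tag in COMPONENTS:
                cur, depth = {"tag": tag, "line": int(m.group(3)), "attrs": {}, "filter": False}, indent
                comps.append(cur)
            elif cur and indent <= depth:
                cur = None                       # left the component's subtree
            elif cur and tag == "intent-filter":
                cur["filter"] = True
        elif cur and (m := ATTR.match(line)) and len(m.group(1)) == depth + 2:   # direct attributes only
            cur["attrs"][m.group(2)] = m.group(3) if m.group(3) is not None else int(m.group(4), 16)
    return comps

def audit_exported(xmltree):
    findings = []
    for c in parse_components(xmltree):
        exported = c["attrs"].get("exported")
        reachable = exported == 0xFFFFFFFF or (exported is None and c["filter"])  # implicit export pre-API 31
        if reachable and not any(c["attrs"].get(g) for g in GUARDS):
            findings.append((c["tag"], c["attrs"].get("name", "?"), c["line"]))
    return findings
```

Each finding is a component plus its manifest line; launcher activities will legitimately show up and need manual triage, while anything with "debug" in its name should not be in a release APK at all.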
You can also run an automated scan on any web-facing component of your Microsoft 365 integration at VibeWShield's scanner to surface exposed endpoints or misconfigured OAuth callbacks.
FAQ
How do I know if my device is affected? Any Android device running Microsoft 365 apps before the patched version is potentially vulnerable if other apps are installed. Check for updates to Outlook, Teams, and OneDrive in the Play Store immediately.
Can attackers use stolen tokens remotely? Yes. OAuth bearer tokens are not bound to a device or IP address by default. A token stolen on-device can be replayed from any machine until it expires or is revoked.
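The monitoring action above and this answer describe the same signal: a token issued to a phone being reused from a different network and client while it is still valid. As an added example (not from this post or from Microsoft), the Python below runs that rule over constructed records shaped like Microsoft Graph signIns entries; the field names follow the Graph schema, every value is made up, and the one-hour token lifetime is an assumption.

```python
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed records shaped like Microsoft Graph `signIns` entries; every value is made up
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T08:00:00Z",
     "ipAddress": "203.0.113.10", "clientAppUsed": "Mobile Apps and Desktop clients",
     "deviceDetail": {"browser": "Outlook Android", "operatingSystem": "Android"}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T08:20:00Z",
     "ipAddress": "203.0.113.44", "clientAppUsed": "Mobile Apps and Desktop clients",
     "deviceDetail": {"browser": "Outlook Android", "operatingSystem": "Android"}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T08:35:00Z",
     "ipAddress": "198.51.100.7", "clientAppUsed": "Browser",
     "deviceDetail": {"browser": "Python Requests", "operatingSystem": "Linux"}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-05-01T09:00:00Z",
     "ipAddress": "192.0.2.5", "clientAppUsed": "Browser",
     "deviceDetail": {"browser": "Chrome 124", "operatingSystem": "Windows"}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-05-02T09:00:00Z",
     "ipAddress": "198.51.100.200", "clientAppUsed": "Browser",
     "deviceDetail": {"browser": "Chrome 124", "operatingSystem": "Windows"}},
]

TOKEN_LIFETIME = timedelta(hours=1)   # assumed access-token validity; tune to your tenant's token policy

def fingerprint(rec):
    """Source network (/24) plus client profile: a token replayed from elsewhere changes one or both."""
    net = ip_network(f"{rec['ipAddress']}/24", strict=False)
    return str(net), (rec["deviceDetail"]["browser"], rec["deviceDetail"]["operatingSystem"])

def find_replays(signins, lifetime=TOKEN_LIFETIME):
    """Flag sign-ins from a network or client the user has not used before while an earlier token is still live."""
    findings, by_user = [], {}
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        net, client = fingerprint(rec)
        ts = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        seen = by_user.setdefault(rec["userPrincipalName"], {"nets": set(), "clients": set(), "last": None})
        novel = net not in seen["nets"] or client not in seen["clients"]
        live = seen["last"] is not None and ts - seen["last"] <= lifetime
        if novel and live:   # a new origin inside a token's lifetime is the replay signal worth alerting on
            findings.append((rec["userPrincipalName"], rec["createdDateTime"], net, client[0]))
        seen["nets"].add(net)
        seen["clients"].add(client)
        seen["last"] = ts
    return findings
```

Bob's move to a new network a day later is not flagged because no token from the earlier sign-in could still be live; in production, seed each user's known networks and clients from weeks of history rather than the batch being scanned, and expect carrier NAT to rotate mobile /24s often enough that this stays a triage signal rather than an automatic block.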
Does this affect iOS or desktop Microsoft 365 apps? Based on current reporting, the debug flag issue is specific to the Android platform. iOS sandboxing and macOS/Windows app models handle IPC differently, though that does not mean they are immune to separate issues.
Scan your Microsoft 365 integrations and web app OAuth flows for token exposure risks at VibeWShield.