Fix Edge browser selection for multi-signer APKs (MSAL #2414), Fixes AB#3611725 (#3126)

Fixes
[AB#3611725](https://identitydivision.visualstudio.com/fac9d424-53d2-45c0-91b5-ef6ba7a6bf26/_workitems/edit/3611725)
tracks the common-side fix for the MSAL customer issue
[#2414](AzureAD/microsoft-authentication-library-for-android#2414).

## Customer-reported issue
Resolves the root cause of
[microsoft-authentication-library-for-android#2414](AzureAD/microsoft-authentication-library-for-android#2414):
when Microsoft Edge is the user''s default browser, MSAL rejects it with
`Browser: com.microsoft.emmx signature hash not match` and falls back to
WebView. Customers using Edge as the default cannot complete sign-in via
custom tabs.

## Root cause
Microsoft Edge ships its production APK with **two** signing
certificates (APK Signature Scheme v3 lineage). Historically, host apps
targeting < API 28 only saw the first signer, so a one-hash safelist
entry was sufficient. Once host apps started targeting API 28+,
`PackageManager` started returning **all** signers, and
`AndroidBrowserSelector.matches()` rejected Edge because it required
strict `Set.equals` between the safelist and the browser''s actual
signatures. This is a semantic bug in the matcher, not a stale hash --
but the safelist is also one hash short.

## Changes

### 1. `AndroidBrowserSelector.matches()` -- relax signature comparison
Replace strict `Set.equals` with `Collections.disjoint()`. A browser is
trusted when **any** of its signers appears in the descriptor''s trusted
set. This is:
- the standard semantic for signature trust (matches AppAuth''s
`BrowserSelector` behavior),
- safe -- `PackageInfo.signatures` is what Android verified at install
time and cannot be forged,
- forward-compatible with future Edge / Chrome / other multi-signer or
post-rotation browsers.

### 2. `BrowserDescriptor.getBrowserDescriptorForEdge()` -- add rotated
hash
Add the second Edge signing certificate hash to the switch-browser
safelist so the hard-coded Edge descriptor matches both legacy and
post-rotation Edge installs even before the matcher change propagates
downstream.

### 3. Regression tests
- `testSelect_Browser_multiSignerBrowserMatchesWithSubsetSafelist` --
multi-signer browser + single-hash safelist must match (the bug).
- `testSelect_Browser_signatureMismatchIsRejected` -- no overlap between
presented signatures and safelist must still reject (guards the security
boundary).
- New `BrowserDescriptorTest` in common4j pins both Edge hashes and the
Chrome entry as regression guards.

## Companion PR
A companion PR updates `msal_default_config.json` and
`auth_config.template.json` in the MSAL repo:
AzureAD/microsoft-authentication-library-for-android#2515 (work item
3611726).

## Test plan
- New unit tests pass (couldn''t run locally -- Maven feed requires VSTS
auth not available in this session; CI will validate).
- Existing `AndroidBrowserSelectorTest` cases unchanged in behavior
under the new matcher (verified by inspection -- all existing fixtures
use identical signature sets between descriptor and browser, so
`disjoint == false` corresponds exactly to `equals == true`).

## Risk
**Low.** The matcher change is a one-line semantic relaxation that only
changes behavior when a browser''s signature set is a proper
superset/overlap (not strict equality) with a safelisted descriptor --
exactly the scenario the customer hit. Strict mismatches are still
rejected.

---------

Co-authored-by: shjameel <shjameel@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: 3 people

changelog.txt

@@ -1,5 +1,6 @@
 vNext
 ----------
+- [PATCH] Fix Edge browser selection on devices where Microsoft Edge is the default browser: add the rotated Edge signing certificate hash to the Edge BrowserDescriptor and accept multi-signer browsers when any signature intersects the safelist, instead of requiring strict set-equality (resolves MSAL #2414)
 - [MINOR] Refactor Auth Tab integration to use provider-based strategy selection. Adds AuthTabStrategyProvider and BrowserLaunchStrategy with Custom Tabs fallback. Compatible with androidx.browser:browser:1.7.0.
 - [MINOR] Add provisionResourceAccountCredentials API to DeviceRegistrationClientApplication with V0 protocol params/response and add IPPhone to AppRegistry (#3086)
 - [PATCH] Extend filter-then-clone optimization to deleteAccessTokensWithIntersectingScopes and add telemetry attributes (#3114)

common/src/main/java/com/microsoft/identity/common/internal/ui/browser/AndroidBrowserSelector.java

@@ -43,6 +43,7 @@
 import com.microsoft.identity.common.internal.broker.PackageHelper;
 
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.Iterator;
 import java.util.List;
 
@@ -100,7 +101,12 @@ private static boolean matches(@NonNull final BrowserDescriptor descriptor,
             return false;
         }
 
-        if (!descriptor.getSignatureHashes().equals(browser.getSignatureHashes())) {
+        // An installed browser may present multiple signatures (e.g. APK Signature Scheme v3
+        // lineage). Trust the browser as long as at least one of its signatures appears in the
+        // descriptor's trusted set. Strict set-equality previously rejected multi-signer apps
+        // such as Microsoft Edge once the host app started targeting API 28+ and PackageManager
+        // began returning all signers instead of just the first one.
+        if (Collections.disjoint(descriptor.getSignatureHashes(), browser.getSignatureHashes())) {
             Logger.warn(methodTag,LOGGING_MSG_BROWSER + browser.getPackageName() + " signature hash not match");
             return false;
         }

common/src/test/java/com/microsoft/identity/common/internal/ui/browser/AndroidBrowserSelectorTest.java

@@ -54,6 +54,7 @@
 
 import java.nio.charset.Charset;
 import java.util.ArrayList;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 
@@ -97,6 +98,20 @@ public class AndroidBrowserSelectorTest {
                     .setIsCustomTabsSupported(true)
                     .build();
 
+    /**
+     * Simulates a multi-signer browser (e.g. Microsoft Edge), which presents two distinct
+     * signatures via APK Signature Scheme v3. Both must be visible to PackageManager when the
+     * host app targets API 28+.
+     */
+    private static final TestBrowser EDGE_MULTI_SIGNER =
+            new TestBrowserBuilder("com.microsoft.emmx")
+                    .withBrowserDefaults()
+                    .setVersion("142")
+                    .addSignature("EdgeOriginalSignature")
+                    .addSignature("EdgeRotatedSignature")
+                    .setIsCustomTabsSupported(true)
+                    .build();
+
 
     //Currently package manager call returns an empty list... failing this test.  Needs investigation.
     //Ignored while updating to latest Mockito version
@@ -248,6 +263,55 @@ public void testSelect_Browser_preferredBrowserSelected_preferredBrowserNotInSaf
         Assert.assertEquals(preferredBrowser.getSignatureHashes(), browser.getSignatureHashes());
     }
 
+    /**
+     * Regression test for the customer-reported issue where Microsoft Edge as the default browser
+     * caused MSAL to fall back to WebView. Edge ships as a multi-signer APK; when the host app
+     * targets API 28+, PackageManager returns all signers. The safelist contains only one of
+     * those signers, so strict set-equality used to reject the browser. The match must succeed
+     * as long as the descriptor's trusted set intersects the browser's actual signatures.
+     */
+    @Test
+    public void testSelect_Browser_multiSignerBrowserMatchesWithSubsetSafelist() {
+        setBrowserList(EDGE_MULTI_SIGNER);
+
+        // Safelist only carries the original (pre-rotation) Edge signature.
+        final Set<String> safelistHashes = new HashSet<>();
+        safelistHashes.add(PackageHelper.generateSignatureHashes(EDGE_MULTI_SIGNER.mPackageInfo).iterator().next());
+
+        final List<BrowserDescriptor> browserSafelist = new ArrayList<>();
+        browserSafelist.add(new BrowserDescriptor(
+                EDGE_MULTI_SIGNER.mPackageName,
+                safelistHashes,
+                null,
+                null));
+
+        final Browser browser = new AndroidBrowserSelector(ApplicationProvider.getApplicationContext()).selectBrowser(browserSafelist, null);
+        assertNotNull(browser);
+        assertEquals(EDGE_MULTI_SIGNER.mPackageName, browser.getPackageName());
+    }
+
+    /**
+     * A browser whose signatures share no element with any safelisted descriptor must still be
+     * rejected. Guards against accidentally loosening trust beyond "intersection non-empty".
+     */
+    @Test
+    public void testSelect_Browser_signatureMismatchIsRejected() {
+        setBrowserList(EDGE_MULTI_SIGNER);
+
+        final Set<String> unrelatedHashes = new HashSet<>();
+        unrelatedHashes.add("not-a-real-edge-signature-hash");
+
+        final List<BrowserDescriptor> browserSafelist = new ArrayList<>();
+        browserSafelist.add(new BrowserDescriptor(
+                EDGE_MULTI_SIGNER.mPackageName,
+                unrelatedHashes,
+                null,
+                null));
+
+        final Browser browser = new AndroidBrowserSelector(ApplicationProvider.getApplicationContext()).selectBrowser(browserSafelist, null);
+        assertNull(browser);
+    }
+
     /**
      * Browsers are expected to be in priority order, such that the default would be first.
      */

common4j/src/main/com/microsoft/identity/common/java/ui/BrowserDescriptor.java

@@ -78,6 +78,12 @@ public BrowserDescriptor(
     static private BrowserDescriptor getBrowserDescriptorForEdge() {
         final HashSet<String> edgeSignatureHashes = new HashSet<>();
         edgeSignatureHashes.add("Ivy-Rk6ztai_IudfbyUrSHugzRqAtHWslFvHT0PTvLMsEKLUIgv7ZZbVxygWy_M5mOPpfjZrd3vOx3t-cA6fVQ==");
+        // Edge production APK is signed with two certificates (APK Signature Scheme v3 lineage).
+        // AndroidBrowserSelector#matches trusts a browser when at least one of its presented
+        // signers appears in this set, so listing both covers Edge installs at any point in the
+        // rotation lifecycle (devices may report one or both signers depending on Edge version
+        // and host app targetSdk).
+        edgeSignatureHashes.add("KxJRZ8RFW-6BQa-e4xNE7UmeGU6BWIR_6dzgaAOQWh0rWVENxsXU5TjnWuTR9GqOFbCKMilXKIu7as6VJRjuSw==");
         return new BrowserDescriptor(
                 "com.microsoft.emmx",
                 edgeSignatureHashes,

common4j/src/test/com/microsoft/identity/common/java/ui/BrowserDescriptorTest.java

@@ -0,0 +1,89 @@
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+package com.microsoft.identity.common.java.ui;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import java.util.List;
+
+/**
+ * Unit tests for {@link BrowserDescriptor}, verifying the hard-coded switch-browser safelist
+ * contains the expected packages and signature hashes. These tests also serve as a regression
+ * guard for the Microsoft Edge multi-signer fix (see MSAL #2414): both Edge signing certificate
+ * hashes must remain in the descriptor so Edge installs are trusted across the APK signing
+ * certificate rotation lifecycle.
+ */
+public class BrowserDescriptorTest {
+
+    private static final String EDGE_PACKAGE_NAME = "com.microsoft.emmx";
+    private static final String EDGE_ORIGINAL_SIGNATURE_HASH =
+            "Ivy-Rk6ztai_IudfbyUrSHugzRqAtHWslFvHT0PTvLMsEKLUIgv7ZZbVxygWy_M5mOPpfjZrd3vOx3t-cA6fVQ==";
+    private static final String EDGE_ROTATED_SIGNATURE_HASH =
+            "KxJRZ8RFW-6BQa-e4xNE7UmeGU6BWIR_6dzgaAOQWh0rWVENxsXU5TjnWuTR9GqOFbCKMilXKIu7as6VJRjuSw==";
+    private static final String CHROME_PACKAGE_NAME = "com.android.chrome";
+
+    @Test
+    public void switchBrowserSafeListContainsEdgeWithBothSignatureHashes() {
+        final List<BrowserDescriptor> safeList = BrowserDescriptor.getBrowserSafeListForSwitchBrowser();
+
+        BrowserDescriptor edge = null;
+        for (final BrowserDescriptor descriptor : safeList) {
+            if (EDGE_PACKAGE_NAME.equals(descriptor.getPackageName())) {
+                edge = descriptor;
+                break;
+            }
+        }
+
+        Assert.assertNotNull("Edge entry must be present in switch-browser safelist", edge);
+        Assert.assertTrue(
+                "Original Edge signing certificate hash must remain in the safelist",
+                edge.getSignatureHashes().contains(EDGE_ORIGINAL_SIGNATURE_HASH));
+        Assert.assertTrue(
+                "Rotated Edge signing certificate hash must be present in the safelist (regression for MSAL #2414)",
+                edge.getSignatureHashes().contains(EDGE_ROTATED_SIGNATURE_HASH));
+    }
+
+    @Test
+    public void switchBrowserSafeListContainsChrome() {
+        final List<BrowserDescriptor> safeList = BrowserDescriptor.getBrowserSafeListForSwitchBrowser();
+
+        boolean chromeFound = false;
+        for (final BrowserDescriptor descriptor : safeList) {
+            if (CHROME_PACKAGE_NAME.equals(descriptor.getPackageName())) {
+                chromeFound = true;
+                break;
+            }
+        }
+
+        Assert.assertTrue("Chrome entry must be present in switch-browser safelist", chromeFound);
+    }
+
+    @Test
+    public void brokerSafeListContainsChromeOnly() {
+        final List<BrowserDescriptor> safeList = BrowserDescriptor.getBrowserSafeListForBroker();
+
+        Assert.assertEquals("Broker safelist is expected to contain a single entry", 1, safeList.size());
+        Assert.assertEquals(CHROME_PACKAGE_NAME, safeList.get(0).getPackageName());
+    }
+}