AzureAD · p3dr0rv · Jul 2, 2025 · Jul 1, 2025 · Jul 1, 2025 · Jul 2, 2025
@@ -1,5 +1,6 @@
 vNext
 ----------
+- [MINOR] Update IP phone app teams signature constants to use SHA-512 format (#2700)
 - [MINOR] Updating handling of ssl error received in Android WebView's onReceivedSslError callback (#2691)
 - [MINOR] Fixing the sign in screens when edge to edge is enabled (#2665)
 - [MINOR] Showing webcp flow in webview (#2673)

@@ -1194,13 +1194,13 @@ public static String computeMaxHostBrokerProtocol() {
          * The only supported detection of this phone is the application install state.
          * App signature of Teams Phone app to detect it for the MDM Device CA redirect.
          */
-        public static final String IPPHONE_APP_SIGNATURE = "fcg80qvoM1YMKJZibjBwQcDfOno=";
+        public static final String IPPHONE_APP_SHA512_RELEASE_SIGNATURE = "iPULpH0pq8ms1Qy7cOzGsVRQN7/zW4IbW+UKcajvtrTrzM5o5VcaghNEA1Ho4Wq7ay0efqqJcalxa8eHxVnHKA==";
 
         /**
          * Signing certificate thumbprint of the DEBUG-signed Teams IP Phones (Sakurai devices)
          * to unblock any teams local debug development.
          */
-        public static final String IPPHONE_APP_DEBUG_SIGNATURE = "VCpKgbYCXucoq1mZ4BZPsh5taNE=";
+        public static final String IPPHONE_APP_SHA512_DEBUG_SIGNATURE = "FOoI98kyj+dXPZYW191TjF6017ljKj47G+RCQPYjIcXD7uhhTpw7pqznTABB0ZjB1/DZetRgr284pyLumvXN6A==";
 
         /**
          * The value for pkeyauth redirect.

@@ -23,9 +23,9 @@
 
 package com.microsoft.identity.common.internal.broker;
 
-import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.IPPHONE_APP_DEBUG_SIGNATURE;
 import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.IPPHONE_APP_PACKAGE_NAME;
-import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.IPPHONE_APP_SIGNATURE;
+import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.IPPHONE_APP_SHA512_DEBUG_SIGNATURE;
+import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.IPPHONE_APP_SHA512_RELEASE_SIGNATURE;
 
 import android.content.Context;
 import android.content.pm.ApplicationInfo;
@@ -124,7 +124,7 @@ private static String getSigningCertificateThumbprintForPackage(final PackageInf
             final Signature[] signatures = getSignatures(packageInfo);
             if (signatures != null && signatures.length > 0) {
                 final Signature signature = signatures[0];
-                MessageDigest md = MessageDigest.getInstance(useSha512 ? "SHA-512" : "SHA");
+                MessageDigest md = MessageDigest.getInstance(useSha512 ? "SHA-512" : "SHA"); // CodeQL [SM05136] MSAL still uses SHA-1 format in redirect url.
                 md.update(signature.toByteArray());
                 return Base64.encodeToString(md.digest(), Base64.NO_WRAP);
             }
@@ -293,9 +293,9 @@ public boolean verifyIfValidTeamsPackage(final String packageName) {
 
         if (packageName.equals(IPPHONE_APP_PACKAGE_NAME) &&
                 isPackageInstalledAndEnabled(IPPHONE_APP_PACKAGE_NAME)) {
-            final String currentSignatureForTeamsApp = getSha1SignatureForPackage(IPPHONE_APP_PACKAGE_NAME);
-            if (IPPHONE_APP_SIGNATURE.equals(currentSignatureForTeamsApp) ||
-                    IPPHONE_APP_DEBUG_SIGNATURE.equals(currentSignatureForTeamsApp)) {
+            final String currentSignatureForTeamsApp = getSha512SignatureForPackage(IPPHONE_APP_PACKAGE_NAME);
+            if (IPPHONE_APP_SHA512_RELEASE_SIGNATURE.equals(currentSignatureForTeamsApp) ||
+                    IPPHONE_APP_SHA512_DEBUG_SIGNATURE.equals(currentSignatureForTeamsApp)) {
                 return true;
             }
         }

@@ -94,7 +94,7 @@
 import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.AMAZON_APP_REDIRECT_PREFIX;
 import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.COMPANY_PORTAL_APP_PACKAGE_NAME;
 import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.IPPHONE_APP_PACKAGE_NAME;
-import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.IPPHONE_APP_SIGNATURE;
+import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.IPPHONE_APP_SHA512_RELEASE_SIGNATURE;
 import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.PLAY_STORE_INSTALL_APP_PREFIX;
 import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.PLAY_STORE_INSTALL_PREFIX;
 import static com.microsoft.identity.common.java.AuthenticationConstants.AAD.APP_LINK_KEY;
@@ -607,7 +607,7 @@ private boolean isDeviceCaRequest(@NonNull final String url) {
     private boolean shouldLaunchCompanyPortal() {
         final PackageHelper packageHelper = new PackageHelper(getActivity().getPackageManager());
         return packageHelper.isPackageInstalledAndEnabled(IPPHONE_APP_PACKAGE_NAME)
-                && IPPHONE_APP_SIGNATURE.equals(packageHelper.getSha1SignatureForPackage(IPPHONE_APP_PACKAGE_NAME))
+                && IPPHONE_APP_SHA512_RELEASE_SIGNATURE.equals(packageHelper.getSha512SignatureForPackage(IPPHONE_APP_PACKAGE_NAME))
                 && packageHelper.isPackageInstalledAndEnabled(COMPANY_PORTAL_APP_PACKAGE_NAME);
     }
 

@@ -62,7 +62,7 @@ public static Cipher getCipher(@NonNull final String algorithm,
                                    @Nullable final Provider provider) throws ClientException {
         try {
             if (provider != null) {
-                return Cipher.getInstance(algorithm, provider);
+                return Cipher.getInstance(algorithm, provider); // CodeQL [SM05136] Used to decrypt SK, and the algorithm used is defined by ESTS.
             }
             return Cipher.getInstance(algorithm);
         } catch (final NoSuchAlgorithmException e) {