Trusted domains security - infobip/mobile-messaging-sdk-android GitHub Wiki

Trusted Domains Security

Available since SDK version 14.3.0

The Trusted Domains feature is an optional security enhancement that allows you to restrict which URLs can be opened by the Mobile Messaging SDK. This helps protect your users from potentially malicious URLs that could be sent through push notifications.

Table of Contents

Overview

When trusted domains are configured, the SDK will only open those URLs that match the specified domains. URLs from untrusted domains will be blocked and logged as warnings.

Key Benefits:

  • Protection against malicious URLs
  • Control over which domains your app can navigate to
  • No breaking changes - completely optional feature
  • Backward compatible with existing implementations

Configuration

Configure trusted domains during SDK initialization using the withTrustedDomains() method:

val trustedDomains = HashSet<String>()
trustedDomains.add("example.com")

MobileMessaging.Builder(application)
    .withTrustedDomains(trustedDomains)
    .build()
expand to see Java code 

HashSet<String> trustedDomains = new HashSet<>();
trustedDomains.add("example.com");

new MobileMessaging.Builder(this)
        .withTrustedDomains(trustedDomains)
        .build();

Parameters:

  • domains: HashSet of domain strings that should be trusted
  • Domain format: "example.com", "subdomain.example.com", etc.

How It Works

The SDK validates domains for the following URL types:

  • WebView URLs (webViewUrl): URLs opened in the in-app webviews
  • Browser URLs (browserUrl): URLs opened in an external browser

The validation happens before opening the URL. If a URL's domain is not trusted, the SDK will:

  1. Block the URL from opening
  2. Log a warning message
  3. Continue normal execution without the URL action

Domain Matching Rules

Exact and Subdomain Match

// Trusted domain: "example.com"
// ✅ Matches: https://example.com/page
// ✅ Matches: https://api.example.com/endpoint
// ✅ Matches: https://cdn.example.com/image.jpg
// ✅ Matches: https://www.example.com/home

Partial Match Prevention

// Trusted domain: "example.com"
// ❌ Does not match: https://badexample.com/malicious
// ❌ Does not match: https://example.com.evil.org/phishing

What URLs Are Affected

URLs That Are Validated

  • HTTP/HTTPS URLs in webView actions
  • HTTP/HTTPS URLs in browser actions
  • URLs from push notification webViewUrl field
  • URLs from push notification browserUrl field

URLs That Are NOT Validated

  • Deep links (non-HTTP/HTTPS schemes like myapp://, tel:, mailto:)
  • URLs opened programmatically outside of SDK notification handling

Backward Compatibility

The trusted domains feature is completely backward compatible:

  • Without configuration: All URLs work exactly as before
  • With null value or empty HashSet: withTrustedDomains(null) - All URLs are allowed
  • With domains: Only specified domains are allowed

Examples

URL Behavior Examples

// Configuration
.withTrustedDomains(["example.com", "trusted.org"])

// ✅ These URLs will be opened:
// https://example.com/page
// https://api.example.com/data
// https://www.example.com/home
// https://trusted.org/content

// ❌ These URLs will be blocked:
// https://malicious.com/phishing
// https://untrusted.net/spam
// https://fake-example.com/scam

// ✅ These deeplinks will still work (not validated):
// myapp://open-screen
// tel:+1234567890
// mailto:[email protected]
// maps://location

Logging

When URLs are blocked, the SDK logs warning messages:

MobileMessaging  W  URL domain is not trusted and will not be opened: http://example.com

These logs help with debugging and monitoring security events in your application.

Related Documentation

If you have any questions or suggestions, feel free to send an email to [email protected] or create an issue.

⚠️ **GitHub.com Fallback** ⚠️