Users of our iOS app are receiving a Certificate Error when login to their OneDrive

New Contributor

Hi,

 

On or around February 18th, users of our iOS App have started receiving a certificate error when attempting to sign in to their OneDrive accounts:

 

"The certificate for this server is invalid. You might be connecting to a server that is pretending to be “skyapi.onedrive.onedrive.live.com” which could put your confidential information at risk."


Obviously, the URL looks incorrect (too many "onedrive."'s in there...). The trouble is this URL is generated by "accountchooser.js" (Microsoft written) in code that looks like this:


e.skyApiBaseUrl = "https://skyapi.onedrive." + document.domain + "/API/2/";


We use the OneDriveSDK via a Cocoapod (nothing has changed here in years) and our App hasn't changed anything here in a similar time frame.


So something recent looks to have changed, either in the accountchooser.js code, or in how "document.domain" is calculated/determined on iOS. For reference, our users are seeing this on iOS 15.3.x and iOS 15.4, so latest stable production releases.


Is anyone seeing anything similar? Any help with where or how we should raise this issue would be helpful...

 

Who is the responsible team for accountchooser.js?

 

Attached a screenshot of a Proxyman capture on a clean iOS Simulator 

177232-image.png

Offending Code

code.jpg

 

Related Threads and Issues Raised

https://docs.microsoft.com/en-us/answers/questions/751860/onedrive-certificate-broken.html?childToVi...

https://docs.microsoft.com/en-us/answers/questions/747693/users-of-our-ios-app-have-just-started-rec...

https://twitter.com/StrongboxSafe/status/1496467806451286021

2 Replies
I replied over on the Q&A thread but wanted to update here as well in case anyone sees one but not the other, we are currently investigating this on the OneDrive side and will update when we have a path forward.

 hello,

do you plan to update this within the year?