I have just got rejection of my app update with the message below.
Your app(s) are vulnerable to Intent Redirection.
com.facebook.CustomTabMainActivity->onCreate
i am using a facebook login in the app and it uses activity as below defined. Simple solution could be to set exported="false" but even my build is not working I get a build error " error MSB6006: "java.exe" exited with code 1."
I am using xamarin. I am not sure if that is related to it but i guess not.
<activity android:name="com.facebook.CustomTabMainActivity" android:exported="true" />
<activity android:name="com.facebook.CustomTabActivity" android:exported="true">
<intent-filter>
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data android:scheme="#string/fb_login_protocol_scheme" />
</intent-filter>
</activity>
If i understand correctly, exported=false also not a good solution i need data from another app. In this case if user has facebook app installed and login details should be delivered from the facebook app, exported=false makes the activity private and cannot receive the data.
So what could be the possible solution here?
You have a duplicate, the first line is not necessary.
<activity android:name="com.facebook.CustomTabMainActivity" android:exported="true" />
Only use the rest and the sign in works.
I have found the problem with diagnostic build. I have Android library in the project which has also Manifest file. Indeed my Manifest in the Android library project didnt have anything within the application tags as shown below.
<application />
But somehow setting goes double with once true and other with false. Not sure why but within the logs I have found out that was message like "at the line xx android:exported="false" and other line yy android:exported="true" use tools:replace.
This seems to be caused by Manifest merger and simply setting as below solved the error and now it builds fine and works as well.
<activity android:name="com.facebook.CustomTabActivity"
tools:replace="android:exported" android:exported="false">
I hope that it helps in case anyone come across with the same issue
I have hosted assetlinks file into our domain https://ourdomain/.well-known/assetlinks.json And also verified this using https://developers.google.com/digital-asset-links/tools/generator and from android studio's App Links Assitant and got verified status from both the ways.
But when i am sharing debug APK for testing it's always opening in browser.
I also tried uploading on app store and downloaded from there for testing but it always open in browser.
Note: for debug build used my laptop SHA-256 and once app live on play store changed SHA ( got SHA-256from By going to Application Dashboard in Play Console then Release Management --> App Signing ) on hosted assetlinks file into our domain https://ourdomain/.well-known/assetlinks.json
Below is the code used in the manifest file.
<intent-filter android:autoVerify="true">
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data
android:scheme="https"
android:host="abc.test.com" />
</intent-filter>
Deep-links are working in Android 11 or before but on Android 12 it isn't.
But even after adding assetlinks.json file and adding all the intent-filters. Android 12 still isn't detecting deep-links. In Android-Manifest file turns out that scheme's tag is need to be separated from the data tag like this:
// OLD - Which is only working Android 11 or before
<data
android:host="domain.name"
android:pathPrefix="/videos"
android:scheme="https" />
// NEW - Which is working on all including Android 12
<data android:scheme="https" />
<data
android:host="domain.name"
android:pathPrefix="/videos" />
You need to add deep link verification.
See https://doordash.engineering/2022/01/25/your-deep-links-might-be-broken-web-intents-and-android-12/
I have same problem and solved by going to app info setting -> set as default ->support web addresses and you will see your short link
so turn it on and it will work ;)
Update:
as every one said its not a programmatically way so the best way is that link below said
In my case, the app is working in android 11, but it doesn't work in android 12 when the app is compiled and built with android studio.
I tested the production app; it works fine with the app link.
For development build, I have to go to App info -> Open by default -> Add link -> check off all the available links
This seems only happen with development builds; the apps installed from Google app store automatically has all the links selected.
In my case problem was with inconsistent between SHA Signatures in store build and https://ourdomain/.well-known/assetlinks.json, that's why deep links were disabled by default on Android 12, for fixing it we can connect our phone with problem build to Android studio and run this command:
adb shell pm get-app-links com.your_app_package_name
as a result you should see something like this:
com.your_app_package_name:
ID: .....
Signatures: [AB:CD:EF:HI:GK...]
Domain verification state:
your_domain.com legacy_failure
next you need to check whether the signature fingerprints is included in your https://ourdomain/.well-known/assetlinks.json, in my case it doesn't,
also keep in mind that in assetlinks.json file can be couple of signatures for example for debug, alpha, beta and production builds, it should looks like below:
[
{
"relation": ["delegate_permission/common.handle_all_urls"],
"target": {
"namespace": "android_app",
"package_name": "com.your_app_package_name",
"sha256_cert_fingerprints" :["DE:BU:GS:HA:25:6...","PR:OD:SH:A:25:6..."]
}
}
]
After adding assetlinks.json in domain you have to reinstall app (just uninstall the app and install again) that will work
This fixed it for me:
<intent-filter
android:autoVerify="true"
>
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data android:host="my.page.link" />
<data android:scheme="https" />
</intent-filter>
Notice: android:autoVerify="true"
The weird thing about this is only broke on certain Android phones, and wasn't necessarily consistent across API versions. Pixel 4 on API 33 worked fine without this fix and didn't work with Pixel 6 on API 33. What can ya do.
In my case after doing the above (debug/release SHA-256 keys in assetlinks, separate the scheme tag) the final culprit turned out to be the "path" tag. For some reason the verification process does not include the tag even though this has always been there in the app and used to work prior to Android 12. Not a big deal in my app since I was ignoring the path anyway.
Before (not working):
<data android:host="dl.example.com"
android:path="/test" />
<data android:scheme="https" />
After (working):
<data android:host="dl.example.com"/>
<data android:scheme="https"/>
Hope it helps someone
Follow these steps:
Step 1:
Add android:autoVerify="true" to your intents-filter.
Step 2:
Move the android:scheme to separate data tag
So now your intents-filter in manifest looks like this:
<intent-filter android:autoVerify="true">
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data
android:host="websiteUrl"
android:pathPrefix="/" />
<data
android:scheme="https" />
<!-- note that the leading "/" is required for pathPrefix-->
</intent-filter>
Step 3:
Add your Digital Asset Links JSON file to following url:
https://{yourdomain.name}/.well-known/assetlinks.json
Note:- For production app make sure you use the digital asset links JSON file generated by Play console. You can find it at
Play console -> Your App -> Setup (Side menu option) -> App Integrity -> App signing (scroll to the bottom)
Step 4:
Verify that all the steps are correctly implemented by manually running app link validation using these commands - https://developer.android.com/training/app-links/verify-android-applinks#manual-verification
Step 5:
If your links were shown as verified in step 4 then now install the app on device and wait for atleast 2-3 minutes before clicking on any app links because in this time Android will verify your app links by reading your manifest file and the digital assets JSON file that you uploaded on your website.
After you have waited 2-3 minutes, now you can click on your app link and it should open your app.
Hope this helps!
Before Android 12, Deep link followed the standard implementation with the code in the Manifest:
<intent-filter>
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data
android:scheme="https"
android:host="www.yourdomain.dev"
android:pathPrefix="/set/v1" />
After Android 12, we have to add autoVerify to the intent-filter:
<intent-filter android:autoVerify="true" tools:targetApi="m">
And the website must be verified by adding assetlinks.json to the .well-known directory in your website (same as Apple does)
But, most important, you can only test this building and signing the app:
Build -> Generate Signed Bundle/APK
during development, you can test your implementation manually enabling the link in the app on your device
I am trying to set up Facebook deep linking feature for my Android app. (My end goal is deferred deep linking, but I am even stuck with regular deep linking, so this is my question).
I created a Facebook App and pointed it to my Android app:
I installed FB SDK (the react-native version) and added FB App id in my Android Manifest.xml:
$ cat android/app/src/main/res/values/strings.xml
<resources>
<string name="app_name">Invest Advisor</string>
<string name="facebook_app_id">1807501069529222</string>
<string name="fb_login_protocol_scheme">fb1807501069529222</string>
</resources>
$ cat android/app/src/main/AndroidManifest.xml
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.investadvisor">
<application
android:name=".MainApplication"
android:label="#string/app_name"
android:icon="#mipmap/ic_launcher"
android:roundIcon="#mipmap/ic_launcher_round"
android:allowBackup="false"
android:theme="#style/AppTheme">
<meta-data android:name="com.google.android.gms.ads.AD_MANAGER_APP" android:value="true"/>
<meta-data android:name="com.facebook.sdk.ApplicationId" android:value="#string/facebook_app_id"/>
.....
<intent-filter>
<data android:scheme="investadvisor" android:host="open"/>
<action android:name="android.intent.action.VIEW"/>
<category android:name="android.intent.category.DEFAULT"/>
<category android:name="android.intent.category.BROWSABLE"/>
</intent-filter>
</activity>
<activity android:name="com.facebook.react.devsupport.DevSettingsActivity"/>
</application>
</manifest>
When I open FB App Ads Helper https://developers.facebook.com/tools/app-ads-helper I see that it detects installs correctly (it shows the date of last install).
But when I try to fire a deep link it says "Deep link notification could not be sent due to some errors":
Why can that be? I have Facebook on my Android, and I am logged in there, so it looks like all the requirements have been met.
You have to login to facebook app on device with the same account you have a developer account then send a notification. It works
Also check you have enabled the deeplinking for the project in Settings >> Basic
I have created an app link enabled android instant app. But while uploading app bundle to Instant App section in Play store I am getting error as,
"Your site 'subdomain.domain.com' has not been linked through the Digital Assets Link protocol to your app. Please link your site through the Digital Assets Link protocol to your app."
I have uploaded assetlinks.json file generated from Android studio to the .well-known folder under that subdomain with sha256 fingerprint got from App Signing section in play store.
I've verified those link via android studio and Statement List Generator and Tester(https://developers.google.com/digital-asset-links/tools/generator). It gets verified in both.
Verified that assetlinks.json file
is served with content-type application/json.
accessible over an HTTPS connection
accessible without any redirects (no 301 or 302 redirects) and can be accessible by bots
My AndroidManifest file
<application
android:allowBackup="true"
android:icon="#mipmap/ic_launcher"
android:label="#string/app_name"
android:roundIcon="#mipmap/ic_launcher_round"
android:supportsRtl="true"
android:theme="#style/AppTheme">
<meta-data android:name="asset_statements" android:resource="#string/asset_statements" />
<activity android:name=".MainActivity">
<intent-filter android:autoVerify="true">
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data android:scheme="https" />
<data android:scheme="http" />
<data android:host="subdomain.domain.com" />
<data android:pathPattern="/openapp" />
</intent-filter>
<meta-data
android:name="default-url"
android:value="https://subdomain.domain.com/openapp" />
</activity>
</application>
Please go through the screenshots,
Verified in Android Studio
Android App link tested in Android Studio
Asset links verified online
assetlinks.json file
Error while upload instant app apk
App signing certificate
I am getting "Can't install " dialog when trying to install from Play Store while the other flavor is already installed.
I have two flavors: free and paid. Both have different applicationIds like so:
free {
applicationId "aaa.bbb.ccc.free"
}
paid {
applicationId "aaa.bbb.ccc.paid"
}
I can't install Free if Paid is installed and vice-versa.
In the code I essentially use the main-flavor for the paid version and add advertisment stuff in the free flavor.
FreeActivity1 inherits Activity1 and
FreeActivity2 inherits from Activity2
My main manifest (used in paid flavor):
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="aaa.bbb.ccc"
android:sharedUserId="aaa.bbb.ccc">
...
<application ...>
<activity
android:name=".Activity1">
<intent-filter>
<action android:name="android.intent.action.MAIN"/>
<action android:name="android.intent.action.VIEW"/>
<category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>
</activity>
<activity-alias
android:name="${applicationId}.act1"
android:targetActivity=".Activity1"/>
<activity
android:name=".ddd.Activity2"/>
<activity-alias
android:name="${applicationId}.act2"
android:targetActivity=".ddd.Activity2"/>
</application>
and my free manifest:
<manifest xmlns:android="http://schemas.android.com/apk/res/android" xmlns:tools="http://schemas.android.com/tools"
package="aaa.bbb.ccc"
android:sharedUserId="aaa.bbb.ccc">
<application tools:ignore="GoogleAppIndexingWarning">
<activity
android:name=".FreeActivity1">
<intent-filter>
<action android:name="android.intent.action.MAIN"/>
<action android:name="android.intent.action.VIEW"/>
<category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>
</activity>
<activity-alias
tools:replace="android:targetActivity"
android:name="${applicationId}.act1"
android:targetActivity=".FreeActivity1"/>
<activity
tools:node="remove"
android:name=".Activity1"
/>
<activity
android:name=".ddd.FreeActivity2"/>
<activity-alias
tools:replace="android:targetActivity"
android:name="${applicationId}.act2"
android:targetActivity=".ddd.FreeActivity2"/>
<activity
tools:node="remove"
android:name=".ddd.Activity2"
/>
...
</application>
I have 2 Apps in the Play Console and released just fine but one of my features is migrating the user settings from the free to the paid version. As it is, I just cannot install both on the same device via Google Play. It works fine with apk install.
Tangentially related maybe(?): I have two google accounts with Play Store access. On one of those accounts, Play Store tells me, my Pro version is not compatible with my device (Same device I use on other account). I use the same features/permissions (internet) for free and paid.
Help would be greatly appreciated! Thanks in advance!
EDIT:
I have debugged the playstore installation with logcat. I get the following error:
Error -505 while installing aaa.bbb.ccc.free: INSTALL_FAILED_SHARED_USER_INCOMPATIBLE: Package couldn't be installed in /data/app/aaa.bbb.ccc.freeXXXXXXXXXXXX: Package aaa.bbb.ccc.free has no signatures that match those in shared user aaa.bbb.ccc; ignoring!
Looks like your package name is the same in your manifest for both paid and free. Try changing it there.
Ok this is actually a pretty bad problem:
I used sharedUserId and Google App Signing together. This is just not possible (see edit in op) and there are 0 warnings in the Play Console.
Since the automatic signing process always generates a new key for each App in the Store, those signatures will not match but Play Store requires them to if they have the same sharedUserId.
Either I remove all features requiring the sharedUserId or I unpublish both my apps and create two new versions with different applicationId and use manual signing.