SDK for Android changelog

Added support for Android 15. [SDKS-3098]

Added the ability to customize how the SDK stores tokens and data. [SDKS-3378]

Added support for Android App Links that use the http/https scheme for redirect URIs in centralized login apps. [SDKS-3433]

Added support for the PingOne Protect Marketplace nodes. [SDKS-3297]

Exposed the realm and success URL values within SSOToken. [SDKS-3351]

Added client-side support for the upcoming ReCaptchaEnterpriseCallback callback. [SDKS-2499]

Updated the SDK to ignore any type 4 TextOutputCallback callbacks, as these contain JavaScript that Android cannot execute. [SDKS-3227]

Fixed a potential ServiceConnection leak in CustomTabManager. [SDKS-3346]

Added support for signing off from PingOne to the centralized login flow. [SDKS-3020]

Added the ability to dynamically configure the SDK by collecting values from the server’s OpenID Connect .well-known endpoint. [SDKS-3022]

Resolved security vulnerability warnings related to the commons-io-2.6.jar and bcprov-jdk15on-1.68.jar libraries. [SDKS-3072, SDKS-3073]

Fixed a NullPointerException in the centralized login flow. [SDKS-3079]

Improved multi-threaded performance when caching access tokens. [SDKS-3104]

Synchronized the encryption and decryption block to avoid keystore crashes. [SDKS-3199]

Fixed an issue related to handling HiddenValueCallback if isMinifyEnabled is set to true. [SDKS-3201]

Fixed an issue where device binding using an application PIN was failing when Arabic language was used. [SDKS-3221]

Fixed an issue where browser sessions were not properly signed out when a non-default browser was used in centralized login. [SDKS-3276]

Fixed an unexpected behavior in the authentication flow caused by AppAuthConfiguration settings being ignored during centralized login. [SDKS-3277]

Fixed the FRUser.revokeAccessToken() method to not end the user’s session during the centralized login flow. [SDKS-3282]

Added a new module for integration with PingOne Protect. [SDKS-2900]

Added support for the TextInput callback. [SDKS-545]

Added an interface for customizing the biometric UI prompts when device binding or signing. [SDKS-2991]

Added x-requested-with: forgerock-sdk and x-requested-platform: android immutable HTTP headers to each outgoing request. [SDKS-3033]

Addressed a null pointer exception during centralized login by using ActivityResultContract in place of the deprecated onActivityResult method. [SDKS-3079]

Addressed nimbus-jose-jwt:9.25 library security vulnerability (CVE-2023-52428). [SDKS-2988]

Fixed an issue where the SDK crashes during device binding on Android 9 devices. [SDKS-2948]

Added ability to customize cookie headers in outgoing requests from the SDK. [SDKS-2780]

Added ability to add custom claims when verifying signatures from bound devices. [SDKS-2787]

Added client-side support for the upcoming AppIntegrity callback. [SDKS-2631]

The SDK now uses auth-per-use keys for Device Binding. [SDKS-2797]

Improved handling of WebAuthn cancellations. [SDKS-2819]

The forgerock_url, forgerock_realm, and forgerock_cookie_name parameters are now mandatory when dynamically configuring the SDK. [SDKS-2782]

Addressed woodstox-core:6.2.4 library security vulnerability CVE-2022-40152. [SDKS-2751]

Added Gradle 8 and JDK 17 support. [SDKS-2451]

Added Android 14 support. [SDKS-2636]

Added verification of key pairs during device binding enrollment by using Google Key Attestation. [SDKS-2412]

Added issued at (iat) and not before (nbf) claims to JSON Web tokens used for device binding and signing verification. [SDKS-2747]

Added support for interceptors in the authenticator module. [SDKS-2544]

Added an interface for refreshing access tokens. [SDKS-2567]

Added support for policy advice from IG in JSON format. [SDKS-2240]

Fixed an issue with parsing the issuer value in the URI provided by the combined MFA registration node. [SDKS-2542]

Added an error message about duplicated accounts while using the combined MFA registration node. [SDKS-2627]

Fixed an issue that caused loss of WebAuthn credentials when upgrading the SDK from 4.0.0-beta4 to newer versions. [SDKS-2576]

Upgraded the Google Fido client to support Passkeys. [SDKS-2243]

Added the FRWebAuthn interface to remove WebAuthn reference keys. [SDKS-2272]

Added an interface to specify a device name during WebAuthn registration. [SDKS-2296]

Added DeviceBinding callback support. [SDKS-1747]

Added DeviceSigningVerifier callback support. [SDKS-2022]

Added support for combined MFA registration in the Authenticator SDK. [SDKS-1972]

Added support for enforcing policies in the Authenticator SDK. [SDKS-2166]

Fixed WebAuthn authentication on devices that use a full-screen biometric prompt. [SDKS-2340]

Fixed functionality of the NetworkCollector method. [SDKS-2445]

Removed support for native single sign-on (SSO).

Changed the signature for a number of methods.

Dynamic SDK Configuration. [SDKS-1759]

Android 13 support. [SDKS-1944]

Changed activity type used as parameter in PushNotification.accept. [SDKS-1968]

Updated deserialization of objects to use a class allowlist to prevent access to untrusted data. [SDKS-1818]

Updated the Authenticator module and sample app to handle the new POST_NOTIFICATIONS permission in Android 13. [SDKS-2033]

Fixed an issue where the DefaultTokenManager was not caching the AccessToken in memory upon retrieval from Shared Preferences. [SDKS-2066]

Deprecated the forgerock_enable_cookie configuration. [SDKS-2069]

Align forgerock_logout_endpoint configuration name with the Ping SDK for iOS. [SDKS-2085]

Allow leading slash on custom endpoint path. [SDKS-2074]

Fixed bug where the state parameter value was not being verified upon calling the Authorize endpoint. [SDKS-2078]

Updated the version of the com.squareup.okhttp3 library in the SDK to 4.10.0 [SDKS-1957]

Interface for log management [SDKS-1864]

Support SSL pinning [SDKS-80]

Restore session token when it is out of sync with the session token that bound with the access token [SDKS-1664]

Session token should be included in the header instead of request parameter for /authorize endpoint [SDKS-1670]

Support to broadcast logout event to clear application tokens when user logout the app [SDKS-1663]

Obtain timestamp from new PushNotification payload [SDKS-1666]

Add new payload attributes to the PushNotification [SDKS-1776]

Allow processing of push notifications without device token [SDKS-1844]

Dispose AuthorizationService when no longer required [SDKS-1636]

Authenticator sample app crash after scanning push mechanism [SDKS-1454]

Google Sign-In Security Enhancement.

Fix for WebAuthn Registration & Authentication prompt.

Disable native SSO when the SDK fails to access the Android AccountManager.

Support for Android 12.

Unlocked device is not required for data decryption.

Introduced FRLifecycle interface and exposed interfaces to allow custom native SSO implementation.