SDK for Android changelog

Added a new module for integration with PingOne Protect. [SDKS-2900]

Added support for the TextInput callback. [SDKS-545]

Added an interface for customizing the biometric UI prompts when device binding or signing. [SDKS-2991]

Added x-requested-with: forgerock-sdk and x-requested-platform: android immutable HTTP headers to each outgoing request. [SDKS-3033]

Addressed a null pointer exception during centralized login by using ActivityResultContract in place of the deprecated onActivityResult method. [SDKS-3079]

Addressed nimbus-jose-jwt:9.25 library security vulnerability (CVE-2023-52428). [SDKS-2988]

Fixed an issue where the SDK crashes during device binding on Android 9 devices. [SDKS-2948]

Added ability to customize cookie headers in outgoing requests from the SDK. [SDKS-2780]

Added ability to add custom claims when verifying signatures from bound devices. [SDKS-2787]

Added client-side support for the upcoming AppIntegrity callback. [SDKS-2631]

The SDK now uses auth-per-use keys for Device Binding. [SDKS-2797]

Improved handling of WebAuthn cancellations. [SDKS-2819]

The forgerock_url, forgerock_realm, and forgerock_cookie_name parameters are now mandatory when dynamically configuring the SDK. [SDKS-2782]

Addressed woodstox-core:6.2.4 library security vulnerability CVE-2022-40152. [SDKS-2751]

Added Gradle 8 and JDK 17 support. [SDKS-2451]

Added Android 14 support. [SDKS-2636]

Added verification of key pairs during device binding enrollment by using Google Key Attestation. [SDKS-2412]

Added issued at (iat) and not before (nbf) claims to JSON Web tokens used for device binding and signing verification. [SDKS-2747]

Added support for interceptors in the authenticator module. [SDKS-2544]

Added an interface for refreshing access tokens. [SDKS-2567]

Added support for policy advice from IG in JSON format. [SDKS-2240]

Fixed an issue with parsing the issuer value in the URI provided by the combined MFA registration node. [SDKS-2542]

Added an error message about duplicated accounts while using the combined MFA registration node. [SDKS-2627]

Fixed an issue that caused loss of WebAuthn credentials when upgrading the SDK from 4.0.0-beta4 to newer versions. [SDKS-2576]

Upgraded the Google Fido client to support Passkeys. [SDKS-2243]

Added the FRWebAuthn interface to remove WebAuthn reference keys. [SDKS-2272]

Added an interface to specify a device name during WebAuthn registration. [SDKS-2296]

Added DeviceBinding callback support. [SDKS-1747]

Added DeviceSigningVerifier callback support. [SDKS-2022]

Added support for combined MFA registration in the Authenticator SDK. [SDKS-1972]

Added support for enforcing policies in the Authenticator SDK. [SDKS-2166]

Fixed WebAuthn authentication on devices that use a full-screen biometric prompt. [SDKS-2340]

Fixed functionality of the NetworkCollector method. [SDKS-2445]

Removed support for native single sign-on (SSO).

Changed the signature for a number of methods.

Dynamic SDK Configuration. [SDKS-1759]

Android 13 support. [SDKS-1944]

Changed activity type used as parameter in PushNotification.accept. [SDKS-1968]

Updated deserialization of objects to use a class allowlist to prevent access to untrusted data. [SDKS-1818]

Updated the Authenticator module and sample app to handle the new POST_NOTIFICATIONS permission in Android 13. [SDKS-2033]

Fixed an issue where the DefaultTokenManager was not caching the AccessToken in memory upon retrieval from Shared Preferences. [SDKS-2066]

Deprecated the forgerock_enable_cookie configuration. [SDKS-2069]

Align forgerock_logout_endpoint configuration name with the ForgeRock SDK for iOS. [SDKS-2085]

Allow leading slash on custom endpoint path. [SDKS-2074]

Fixed bug where the state parameter value was not being verified upon calling the Authorize endpoint. [SDKS-2078]

Updated the version of the com.squareup.okhttp3 library in the SDK to 4.10.0 [SDKS-1957]

Interface for log management [SDKS-1864]

Support SSL pinning [SDKS-80]

Restore session token when it is out of sync with the session token that bound with the access token [SDKS-1664]

Session token should be included in the header instead of request parameter for /authorize endpoint [SDKS-1670]

Support to broadcast logout event to clear application tokens when user logout the app [SDKS-1663]

Obtain timestamp from new PushNotification payload [SDKS-1666]

Add new payload attributes to the PushNotification [SDKS-1776]

Allow processing of push notifications without device token [SDKS-1844]

Dispose AuthorizationService when no longer required [SDKS-1636]

Authenticator sample app crash after scanning push mechanism [SDKS-1454]

Google Sign-In Security Enhancement.

Fix for WebAuthn Registration & Authentication prompt.

Disable native SSO when the SDK fails to access the Android AccountManager.

Support for Android 12.

Unlocked device is not required for data decryption.

Introduced FRLifecycle interface and exposed interfaces to allow custom native SSO implementation.