According to the Google FIDO documentation, only websites require a Digital Asset Links file for interoperability.

https://developers.google.com/identity/fido/android/native-apps#interoperability_with_your_website

Do we really need to host an assetlinks.json file for an Android app which uses a custom FIDO server?

albeee
  • It depends on you whether you want to make your app versatile/self-updating or static. – Yogesh Aggarwal May 27 '20 at 04:07
  • Actually, I tried without hosting an assetlinks.json file on the domain. The Android FIDO Platform Authenticator always returns SECURITY_ERR (The incoming request cannot be validated.) Any idea? – albeee May 28 '20 at 14:06
  • What kind of security error? CORS? – Yogesh Aggarwal May 30 '20 at 16:57
  • Ref: https://developers.google.com/android/reference/com/google/android/gms/fido/fido2/api/common/ErrorCode#public-static-final-errorcode-security_err – albeee May 31 '20 at 11:29

1 Answer

Having just implemented a FIDO server, you most definitely need to have the assetlinks.json file hosted on a publicly accessible site.

Your phone sends a request to a public Google server which then loads and validates the assetlinks.json file before returning an ok/bad response back to the phone.

I've not had a chance to confirm if it needs to be https (but from recollection) the doco suggests that it can be either HTTPS or HTTP.

Brett Sutton
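
A content check for the hosted file, as an added example that is not part of the answer above: it confirms that the JSON served at `/.well-known/assetlinks.json` on the relying-party domain has an `android_app` statement for your package with the `delegate_permission/common.get_login_creds` relation and your signing certificate's SHA-256 fingerprint. The package name and fingerprint are constructed placeholders, and `check_assetlinks` is a hypothetical helper name.

```python
import json

# Relation Google's FIDO2 docs use to link an Android app to a website.
LOGIN_CREDS = "delegate_permission/common.get_login_creds"

def normalize_fp(fp):
    """Upper-case, colon-free form so formatting differences do not matter."""
    return fp.replace(":", "").strip().upper()

def check_assetlinks(text, package_name, signing_fp):
    """Return a list of problems; an empty list means the app is linked."""
    try:
        statements = json.loads(text)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(statements, list):
        return ["top level must be a JSON array of statements"]
    problems = []
    for st in statements:
        target = st.get("target", {}) if isinstance(st, dict) else {}
        if target.get("namespace") != "android_app":
            continue  # web statements are irrelevant to the app check
        if target.get("package_name") != package_name:
            continue
        if LOGIN_CREDS not in st.get("relation", []):
            problems.append(f"statement for {package_name} lacks {LOGIN_CREDS}")
            continue
        fps = {normalize_fp(f) for f in target.get("sha256_cert_fingerprints", [])}
        if normalize_fp(signing_fp) in fps:
            return []
        problems.append("signing certificate fingerprint not listed")
    return problems or [f"no android_app statement for {package_name}"]

# Constructed sample: hypothetical package name and placeholder fingerprint.
SAMPLE_FP = ":".join(["AB"] * 32)
SAMPLE = json.dumps([{
    "relation": [LOGIN_CREDS],
    "target": {"namespace": "android_app",
               "package_name": "com.example.fidoapp",
               "sha256_cert_fingerprints": [SAMPLE_FP]},
}])

if __name__ == "__main__":
    print(check_assetlinks(SAMPLE, "com.example.fidoapp", SAMPLE_FP))
```

Run it against the body actually returned by your domain and the fingerprint of the certificate that signed the installed build; debug and release builds usually have different fingerprints.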