Android Platform Notes

Android-specific configuration concerns that don’t fit cleanly into the layer-by-layer pages but matter for a production HAAPI integration. Each note is short and stands alone.

HttpURLConnection includes a cookie manager that’s used to maintain potentially long-lived sessions between client and server. The framework does not install one automatically — you choose the policy.

// Accept all cookies (most permissive)
CookieHandler.setDefault(CookieManager(null, CookiePolicy.ACCEPT_ALL))

// Or accept only cookies from the original server (default policy)
CookieHandler.setDefault(CookieManager())

Set the policy in your Application.onCreate before any HAAPI requests fire. For the underlying HTTP-integration detail, see HTTP Integration (Android Only).

android:allowBackup for Risk Assessment

android:allowBackup defaults to true on modern Android. Risk-assessment integrations rely on persisted device context surviving backup-and-restore for continuity:

<application
    android:name=".ClientApplication"
    android:allowBackup="true"
    ...>

If your app’s security posture requires allowBackup="false", expect that fresh installs after factory reset or device migration lose risk-assessment context history. Some integrations cope by re-establishing context from scratch; others (typically those relying on long-running device fingerprints) don’t. Test the end-to-end backup-and-restore path before disabling allowBackup. See How to Integrate Risk Assessment.

Manifest Registration

HaapiFlowActivity must be declared in your manifest alongside your own activities:

<application android:name=".ClientApplication" ...>
    <activity android:name=".MainActivity" ... />
    <activity android:name="se.curity.identityserver.haapi.android.ui.widget.HaapiFlowActivity" />
</application>

Omitting the registration causes ActivityNotFoundException at the startActivity(HaapiFlowActivity.newIntent(...)) call. For modal-presentation styling, add an explicit android:theme entry; see Presentation Options.

Attestation requires pairing your app’s package name and signing-certificate SHA-256 with the OAuth client on the Curity Identity Server, plus an assetlinks.json published at https://<your-domain>/.well-known/:

<!-- AndroidManifest.xml -->
<application ...>
    <meta-data
        android:name="asset_statements"
        android:resource="@string/asset_statements" />
</application>

<!-- String resource, e.g. res/values/strings.xml -->
<string name="asset_statements" translatable="false">
    [{\"include\": \"https://idsvr.example.com/.well-known/assetlinks.json\"}]
</string>

Get your app’s signing certificate SHA-256 with ./gradlew signingReport. See Quickstart — Android Step 5 for the full pairing procedure.
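
A pre-release check for the pairing described above, added here as an example and not taken from the Curity SDK or documentation: it confirms that an assetlinks.json document lists the app's package name together with the SHA-256 fingerprint reported by ./gradlew signingReport. The package name, fingerprints and sample document are constructed, the function names are hypothetical, and the statement layout assumed is the standard Digital Asset Links `android_app` target; the `relation` value is not checked.

```python
import json

def normalize_fp(fp):
    """Return the fingerprint as 64 uppercase hex characters, or None."""
    if not isinstance(fp, str):
        return None
    hexed = fp.replace(":", "").upper()
    ok = len(hexed) == 64 and all(c in "0123456789ABCDEF" for c in hexed)
    return hexed if ok else None

def check_assetlinks(doc_text, package_name, signing_fp):
    """Return (ok, reason): does the document pair this package and cert?"""
    want = normalize_fp(signing_fp)
    if want is None:
        raise ValueError("signing_fp is not a SHA-256 fingerprint")
    try:
        statements = json.loads(doc_text)
    except json.JSONDecodeError as exc:
        return False, f"invalid JSON: {exc.msg}"
    if not isinstance(statements, list):
        return False, "top level must be a JSON array of statements"
    package_seen = False
    for statement in statements:
        target = statement.get("target") if isinstance(statement, dict) else None
        if not isinstance(target, dict) or target.get("namespace") != "android_app":
            continue
        if target.get("package_name") != package_name:
            continue
        package_seen = True
        fps = target.get("sha256_cert_fingerprints")
        fps = fps if isinstance(fps, list) else []
        # Malformed entries normalize to None and can never equal `want`.
        if want in {normalize_fp(fp) for fp in fps}:
            return True, "package and signing certificate are paired"
    if package_seen:
        return False, "package listed, but not with this signing certificate"
    return False, "package not listed"

# Constructed sample values; substitute your own package name and the SHA-256
# line from ./gradlew signingReport for the build variant you ship.
PACKAGE = "com.example.client"
RELEASE_FP = ":".join(["A1"] * 32)
DEBUG_FP = ":".join(["D2"] * 32)
SAMPLE_ASSETLINKS = json.dumps([{
    "relation": ["delegate_permission/common.handle_all_urls"],
    "target": {"namespace": "android_app", "package_name": PACKAGE,
               "sha256_cert_fingerprints": [RELEASE_FP]},
}])
if __name__ == "__main__":
    for label, fp in (("release", RELEASE_FP), ("debug", DEBUG_FP)):
        print(label, check_assetlinks(SAMPLE_ASSETLINKS, PACKAGE, fp))
```

The debug case fails because signingReport prints a different fingerprint for each signing configuration, so only the variant whose certificate is listed in the published file matches.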
