Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[Bug] Android App Links deeplink blocked (Custom Tabs)

See original GitHub issue

Hi team, 👋 I’m using Android App Links; the official way of doing deep linking since Android API 23. In that scenario, the domains are previously verified by Android at -user application- install time and their intent-filters are approved or not. Once verified, visiting a link that matches those intent-filter criteria, would invoke their app without asking the user for choosing one app.

When visiting a callback URL such as “https://myapp.com/callback” the Chrome browser redirects successfully without further action. On Firefox, that’s not the case. Because the URL doesn’t have any content, as it’s meant to be used only for registering that redirect, Firefox displays a “Not found.” text and white page in the custom tab, and unless I select “Open in app” from the menu, I won’t be redirected to the app.

The question for you is, how is this menu option intuitive for someone that just installs the Firefox browser?.

We have customers that are losing conversion rates because of this design decision. Their users don’t understand how to log in to their applications after they come across this white page. And I couldn’t find any official documentation on it that I could share with them.

Steps to reproduce

Create an android application targeting as min API android version 23.
Register an intent filter that matches against a callback URL you can redirect to from your site.
Set autoVerify=true so the domain verification happens at install time.
Host the assets links file in the well-known directory of your domain, using the hash for the key you are using to sign the APK.
Install a release in the device, making sure it was signed with the same key from the previous step. (All this is detailed in the android docs linked at the top).
Run your app, call a custom tab that opens a site with a button that when clicked would invoke that callback URL you’ve registered in the intent-filter.
Watch how firefox ignores the redirect when you click the button.
Click the “Open in app” menu option and watch how it redirects successfully.

I’m testing this on a sample app using the Auth0 SDK.

Expected behavior

Redirect back to the app automatically, without additional user action.

Actual behavior

The page shows content loading error “Not found.” and the user has to click the overflow menu ... and select “Open in app” for the app to successfully receive the intent.

What I’d expect from Firefox is to at least check those apps that have officially registered their intent-filters using App Links and not thinking twice about opening it on that same browser tab or in an external app. The domain has been already verified by the OS at install time using the hosted .well-known/assetslinks.json file, so the deep link should be trusted.

I’ve also tested first enabling the “Open links in apps” but that didn’t change anything, at least when used from a Custom Tab.

Device information

I tried this on a Pixel 2 emulator with Google Play Services, running Android 28. I’ve installed the latest Firefox app from the Playstore at that time (yesterday). I don’t think that’s the “nightly” version, but rather the classic. The version name according to the Playstore listing is 80.1.3.

Android device: Pixel 2, with Google Apps installed. Android API 28.
Fenix version: ?

Issue Analytics

State:
Created 3 years ago
Reactions:21
Comments:31 (11 by maintainers)

Top GitHub Comments

13reactions

lbalmacedacommented, Mar 25, 2021

Hi team, any updates on this matter?

7reactions

carstenhagcommented, Sep 29, 2021

Info for the others here: @rocketsroger and I had a chat and he looked at our app & the login. A summary of the chat:

He agrees that the current UX is bad. While there is a settings option to open the link in the app, many users will not even understand the option. It is currently implemented as is to protect the user’s privacy. He says when using Custom Tabs, perhaps this setting could be ignored, and a redirect would always open a native app. He will talk to the “product people” to see what can be done. He thanked me for being vocal about this.

Edit: This is how I implemented a workaround, disallowing Firefox:

    // Use custom list, as AppAuth's firefox constant only refers to the main firefox app.
    private val firefoxPackageNames = listOf(
            "org.mozilla.firefox",
            "org.mozilla.klar",
            "org.mozilla.firefox_beta",
            "org.mozilla.fenix",
    )
    appAuthConfigurationBuilder.setBrowserMatcher { descriptor ->
                descriptor.useCustomTab && !firefoxPackageNames.contains(descriptor.packageName)
    }