App Links `legacy_failure` verification error on Android 12

Question

I have setup assetlinks.json and AndroidManifest.xml so that the desired App Links are verified in all previous versions of Android. However, the verification no longer works in Android 12 (currently Beta 2). adb shell pm get-app-links <PACKAGE_NAME> returns legacy_failure.

There seems to be some changes for App Links verification in Android 12, but the documentation isn't very explicit about what needs to be changed and whether the change is backward compatible.

Answer 1

Turns out that if you break

<data android:scheme="http" android:host="www.example.com" />

into 2 tags

<data android:scheme="http" />
<data android:host="www.example.com" />

in AndroidManifest.xml, the app link will get verified successfully on Android 12. This change also seems backward compatible on older versions of Android, even though the documentation didn't say so explicitly.

Answer 2

I faced the same issue.

sha256_cert_fingerprints of debug & release keystore are different.

if you register only release fingerprints on assetlinks.json, the verification doesn't work on debug version. so adb shell pm get-app-links <PACKAGE_NAME> returns legacy_failure.

It will work if you add both fingerprints (debug & release) on assetlinks.json

Answer 3

In addition to the other answers which detail the need to:

• ensure you are using the correct sha256_cert_fingerprints value for the type of build you are testing, noting that this may differ based on whether you are using a Debug or Release build
• use separate scheme and host data tags entries for your intent-filter definition

It is also important to ensure that your intent-filter with android:autoVerify="true" does not contain any custom uri schemes (i.e. launch://myapp/screen) since these can cause the verifier to fail.

A new intent-filter can be provided solely for the custom uri scheme in which you do not set the autoVerify flag to true.

Check logcat whilst running the following commands to confirm if verification is working, as per the docs here.

adb shell pm verify-app-links --re-verify <PACKAGE_NAME>

Look for the term IntentFilterIntentOp where it will state if verification succeeded or failed, i.e.:

I/IntentFilterIntentOp: Verification 23 complete. Success:true. Failed hosts:. [CONTEXT service_id=244 ]

If one or more of the intent-filter definitions cannot be verified you may see the following in Logcat instead:

"D/ProcessState: Binder ioctl to enable oneway spam detection failed: Invalid argument" and no mention of IntentFilterIntentOp

Answer 4

Tested on Android 12, all the points mentioned by Jadent are valid, however breaking data declaration in host and scheme doesn't really matters.

Also I was using a wildcard in the 'host' attribute

android:host="*.example.com"

That's supposed to be supported in the documentation

However when I run the domain verification process

adb shell pm verify-app-links --re-verify PACKAGE_NAME

I got a legacy_failure error :( even if the assetlinks.json was placed in the root domain as required.

If the host is explicit:

android:host="www.example.com"

I didn't have such issue.

Answer 5

I had the same issue before.

It turns out that I used Play App signing service. The sha256_cert_fingerprints should be the one printed in Play Console (Release > Setup > App integrity), not the one on my hand. In fact, Play console generates the assetlinks.json in the "App integrity" page.

Ref for Play App signing https://developer.android.com/training/app-links/verify-site-associations#web-assoc