App Links are properly configured for Android

Without assetlinks.json published at /.well-known/assetlinks.json on your domain, Android cannot cryptographically verify that your app owns the domain, so the OS falls back to showing an app-chooser dialog (or opens the browser) every time a user taps an HTTPS link. This breaks email confirmation flows, referral links, and payment redirects — all of which depend on landing users directly in the app. The Android App Links spec (android-app-links) mandates both the JSON file and intent filter configuration; missing either half means app link verification fails silently in production.

Serve assetlinks.json at https://<your-domain>/.well-known/assetlinks.json with Content-Type: application/json. Get your SHA-256 fingerprint from your release keystore using keytool -list -v -keystore release.keystore.

[
  {
    "relation": ["delegate_permission/common.handle_all_urls"],
    "target": {
      "namespace": "android_app",
      "package_name": "com.yourcompany.appname",
      "sha256_cert_fingerprints": [
        "AA:BB:CC:..."
      ]
    }
  }
]

For Expo-managed builds, add the intent filter to app.json:

{
  "android": {
    "intentFilters": [
      {
        "action": "VIEW",
        "autoVerify": true,
        "data": [{ "scheme": "https", "host": "myapp.com" }],
        "category": ["BROWSABLE", "DEFAULT"]
      }
    ]
  }
}

autoVerify: true is required — without it, Android skips domain verification even if the file is present.

• ID: app-links-android

• Severity: high

• What to look for: Check for assetlinks.json file. This file should exist in your android/ directory or be served at https://<your-domain>/.well-known/assetlinks.json on your backend. The file should specify your app's package name and SHA-256 certificate fingerprint. For Expo-managed projects, check app.json for android.intentFilters config.

• Pass criteria: Count all intent filter entries in app.json or AndroidManifest.xml. Either an assetlinks.json file exists in the Android build, or app.json contains at least 1 intent filter with autoVerify: true and HTTPS data scheme. The file/config includes your app's package name and valid certificate info.

• Fail criteria: No assetlinks.json file or config found. Android app links are not configured.

• Skip (N/A) when: The app has no Android support (no android field in app.json), or app links are not required (custom scheme-only deep links are acceptable).

• Cross-reference: The App Store Readiness audit (mobile-store-readiness) checks Android build.gradle configuration that must align with app link intent filter setup.

• Detail on fail: "No assetlinks.json file found in android/ directory" or "app.json has no android.intentFilters configuration for HTTPS deeplinks"

• Remediation: Configure App Links for Android. Create assetlinks.json at .well-known/assetlinks.json on your domain (served via HTTPS):

  [
    {
      "relation": ["delegate_permission/common.handle_all_urls"],
      "target": {
        "namespace": "android_app",
        "package_name": "com.yourcompany.appname",
        "sha256_cert_fingerprints": [
          "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88"
        ]
      }
    }
  ]
  

  Get your app's SHA-256 fingerprint from your keystore. Alternatively, in app.json for Expo:

  {
    "android": {
      "intentFilters": [
        {
          "action": "VIEW",
          "data": [
            {
              "scheme": "https",
              "host": "myapp.com"
            }
          ],
          "category": ["BROWSABLE", "DEFAULT"]
        }
      ]
    }
  }