Releases: ForgeRock/forgerock-android-sdk

4.8.4 Release

10 Apr 00:16
4.8.4
6d6c481

ForgeRock Android SDK 4.8.4 Release

Fixed

  • Fixed an issue where Sign in with Apple failed on Android devices.
  • Exposed DefaultStorageClient as public API to support MFA authentication migration.

4.8.3 Release

08 Oct 23:45
4.8.3
48b8fe1

ForgeRock Android SDK 4.8.3 Release

Fixed

  • Reverted the minimum supported API level (minSdk) back to 23 from 28.
  • Changed the default option for key generation to not use StrongBox.
  • Resolved a crash on some devices by improving error handling of date fields and adding a fallback when retrieving a push device token.

4.8.2 Release

21 Aug 18:53
4.8.2
0998151

ForgeRock Android SDK 4.8.2 Release

Added

  • Support for 16 KB memory page sizes on 64-bit devices.
  • Support for Android 16 (API level 36); the minimum supported API level (minSdk) is now 28.

Fixed

  • Fixed a crash occurring during face biometric authentication.
  • Enhanced biometric authentication error handling to return specific failure statuses.
  • Upgraded nimbus-jose-jwt from 9.37.3 to 10.4.1.
  • Upgraded from bcpkix-jdk15on 1.58.0.0 to bcpkix-jdk18on 1.81.
  • Upgraded OkHttp from 4.x to 5.1.0.
  • Upgraded security-crypto from 1.1.0-alpha to 1.1.0, and enforced com.google.code.gson version
    2.13.1 to address a stack-based buffer overflow vulnerability (CVE-2025-53864, CWE-121).
  • The SDK now automatically clears corrupted data from storage instead of throwing an exception.
    UTF-8 encoding is now explicitly set for all strings saved to and loaded from storage, ensuring data consistency.
  • Unified push notification expiration logic with iOS SDK to ensure consistent cross-platform behavior.

4.8.1 Release

25 Jun 19:09
4.8.1
7f38e13

ForgeRock Android SDK 4.8.1 Release

Fixed

  • Encryption and decryption performance has been enhanced through the implementation of caching for the KeyStore, Cipher, and Symmetric Key. Additionally, developers now have the flexibility to enable or disable StrongBox during key generation.

4.8.0 Release

28 Apr 21:33
4.8.0
ca39431

ForgeRock Android SDK 4.8.0 Release

Added

  • Support for new response payload in WebAuthn authentication and registration [SDKS-3843]
  • Ability to update Firebase Cloud Messaging (FCM) device token for existing push mechanisms [SDKS-3684]

Fixed

  • Improved logging for errors and warning exceptions [SDKS-3990]
  • Fixed an issue causing a crash when the app process was killed in the background during the centralized login flow [SDKS-3993]

4.7.0 Release

10 Feb 22:12
4.7.0
46841d2

ForgeRock Android SDK 4.7.0 Release

Added

  • A fallback mechanism that uses an asymmetric key if symmetric key generation in the Android Keystore fails [SDKS-3467]
  • Support for Self-Service [SDKS-3408]
  • Support for Sign-out with ID Token in the PingOne Platform [SDKS-3423]

Fixed

  • Prevent duplicate PUSH notifications in the Authenticator module [SDKS-3533]
  • Fixed an issue where, in some cases, a user's session was not invalidated upon re-authentication [SDKS-3772]

4.6.0 Release

10 Oct 21:34
4.6.0
797e1bb

ForgeRock Android SDK 4.6.0 Release

Added

  • Support for Android 15. [SDKS-3098]
  • Interface allowing developers to customize how the SDK stores tokens and data. [SDKS-3378]
  • Support for the http/https scheme in the centralized login redirect. [SDKS-3433]
  • Support for the PingOne Protect Marketplace nodes. [SDKS-3297]
  • Client-side support for the upcoming ReCaptchaEnterpriseCallback callback. [SDKS-2499]
  • Exposed the realm and success URL values within SSOToken. [SDKS-3351]

Fixed

  • Potential ServiceConnection leaks in CustomTabManager. [SDKS-3346]
  • Updated the SDK to ignore type 4 TextOutputCallback callbacks, as these may contain JavaScript that Android cannot execute. [SDKS-3227]
  • Fixed an issue where, upon force refresh, the access_token API call was triggered twice. [SDKS-3254]

4.5.0 Release

26 Jun 23:54
4.5.0
8cfe3d0

ForgeRock Android SDK 4.5.0 Release

Added

  • Added SDK support for deleting registered WebAuthn devices from the server. [SDKS-1710]
  • Added support for signing off from PingOne to the centralized login flow. [SDKS-3020]
  • Added the ability to dynamically configure the SDK by collecting values from the server's OpenID Connect .well-known endpoint. [SDKS-3022]

Fixed

  • Resolved security vulnerability warnings related to the commons-io-2.6.jar and bcprov-jdk15on-1.68.jar libraries. [SDKS-3072, SDKS-3073]
  • Fixed a NullPointerException in the centralized login flow. [SDKS-3079]
  • Improved multi-threaded performance when caching access tokens. [SDKS-3104]
  • Synchronized the encryption and decryption block to avoid keystore crashes. [SDKS-3199]
  • Fixed an issue related to handling HiddenValueCallback if isMinifyEnabled is set to true. [SDKS-3201]
  • Fixed an issue where device binding using an application PIN was failing when Arabic language was used. [SDKS-3221]
  • Fixed an issue where browser sessions were not properly signed out when a non-default browser was used in centralized login. [SDKS-3276]
  • Fixed an unexpected behavior in the authentication flow caused by AppAuthConfiguration settings being ignored during centralized login. [SDKS-3277]
  • Fixed the FRUser.revokeAccessToken() method to not end the user's session during the centralized login flow. [SDKS-3282]

4.4.0 Release

02 Apr 17:30
4.4.0
44b2561

ForgeRock Android SDK 4.4.0 Release

Added

  • Added support for the TextInput callback. [SDKS-545]
  • Added a new module for future integration with PingOne Protect. [SDKS-2900]
  • Added an interface for customizing the biometric UI prompts when device binding or signing. [SDKS-2991]
  • Added x-requested-with: forgerock-sdk and x-requested-platform: android immutable HTTP headers to each outgoing request. [SDKS-3033]

Fixed

  • Addressed a NullPointerException during centralized login by using ActivityResultContract in place of the deprecated onActivityResult method. [SDKS-3079]
  • Addressed nimbus-jose-jwt:9.25 library security vulnerability (CVE-2023-52428). [SDKS-2988]

4.3.1 Release

12 Feb 23:42
4.3.1
7d4b16c

ForgeRock Android SDK 4.3.1 Release

Fixed

  • Fixed an issue where the SDK was crashing during device binding on Android 9 devices [SDKS-2948]