How to package heatwaves.no as a Play Store AAB using a TWA, with no extra SDKs or permissions.
HeatWaves is a full web app on heatwaves.no. The recommended Play Store path is a Trusted Web Activity (TWA): a thin Android shell that opens the live site in the device's Chrome engine, without browser chrome. This keeps a single codebase, adds essentially no new data collection, and requires only network access.
flowchart LR AAB["AAB no.heatwaves.app"] --> TWA["Trusted Web Activity shell"] TWA --> Chrome["Device Chrome engine"] Chrome --> Web["heatwaves.no (Next.js)"]
| Option | Verdict | Why |
|---|---|---|
| TWA (Bubblewrap / PWABuilder) | Recommended | No duplicate codebase, Google-supported, minimal permissions (network only), full Chrome fidelity. |
| Generic WebView APK | Avoid | Extra shell code, weaker fidelity, easy to accidentally pull in SDKs/permissions. |
| Capacitor / React Native | Defer | Only needed for native APIs (push, files, biometrics) — overkill for an analytics dashboard. |
app/manifest.ts (Next.js Metadata API; served at /manifest.webmanifest). Launcher icons are committed PNGs in public/icons/ (icon-192x192.png, icon-512x512.png; source artwork hw-logo.png).public/.well-known/assetlinks.json on production (replace placeholder SHA-256 with Play App Signing fingerprint). See vercel-production-setup.md for deploy order.android/ in this repo:
applicationId: no.heatwaves.apphost: www.heatwaves.no (apex heatwaves.no redirects to www on Vercel)enableNotifications: falseHeatWavesNEXT_PUBLIC_SITE_URL=https://heatwaves.no in production (see vercel-production-setup.md).assetlinks.json to production so it is live at https://www.heatwaves.no/.well-known/assetlinks.json.app-release-bundle.aab to Play Console — not the unsigned Gradle output under app/build/outputs/bundle/release/app-release.aab.Bubblewrap signs the bundle after Gradle. The Play-ready file is:
| File | Signed | Upload to Play |
|---|---|---|
android/app-release-bundle.aab | Yes (upload key) | Use this |
android/app/build/outputs/bundle/release/app-release.aab | No | Never upload |
GitHub Actions artifact heatwaves-release-aab contains the signed app-release-bundle.aab. CI also runs jarsigner -verify before upload.
See android/README.md for local build and secrets.
A correctly configured Bubblewrap TWA requests only network access (INTERNET). Do not add ad SDKs, analytics SDKs, Firebase, location, contacts, camera, or microphone to the shell. All data processing stays in the web app and is already described in personvernregler.md.
Before upload, confirm the AAB's declared permissions are network-only. If the manifest shows anything beyond network access, remove the offending dependency from the shell.
https://heatwaves.no/personvern, so no separate Android policy is needed.personvernregler.md and the Play play-console-checklist.md Data safety answers first.