Android - Network and Firewall
Building the DevApp requires your machine to download dependencies from a small set of external hosts. If you work behind a corporate firewall — common at banks and other organizations with locked-down networks — your IT or network-security team must allow outbound access to each of the hosts on this page before Gradle can complete its first sync.
This page is intended to be self-contained. Send the link directly to whoever manages your firewall or proxy rules; every detail they need to make an allow-list decision is below.
Summary
| Direction | Protocol | Port | Required? |
|---|---|---|---|
| Outbound | HTTPS | 443 | Required |
| Outbound | SSH (TCP) | 22 | Recommended — used to clone the DevApp over SSH |
No inbound rules are required.
The recommended way to clone the DevApp is over SSH (port 22) — it uses a key instead of a password and integrates cleanly with Android Studio and command-line Git. If your firewall policy strictly forbids outbound port 22, you can clone over HTTPS (port 443) using your Personal Access Token instead. See DevApp Setup — Clone the repository for both flows.
Required hosts
These hosts must be reachable for the DevApp to build, sync dependencies, and run.
| Host | Why it is required |
|---|---|
code.q2developer.com | Q2's GitLab instance. Hosts the DevApp source code and the private Maven group (group ID 782) that ships Q2's SDK libraries and version catalog. Required. |
services.gradle.org | Hosts the Gradle distribution itself. The Gradle Wrapper downloads the pinned Gradle version from here on first build. Required. |
dl.google.com | Hosts Android Studio installers and Android SDK component downloads. Required. |
maven.google.com | Google's Maven repository (google() in settings.gradle). Hosts the Android Gradle Plugin, AndroidX libraries, Jetpack Compose, Material Components, and Firebase. Required. |
repo.maven.apache.org | Maven Central (mavenCentral() in settings.gradle). Hosts thousands of open-source dependencies — Kotlin standard library, Retrofit, OkHttp, Gson, JUnit, and so on. Required. |
plugins.gradle.org | The Gradle Plugin Portal (gradlePluginPortal() in settings.gradle). Hosts community Gradle plugins. Required. |
jitpack.io | Hosts a small number of transitive dependencies referenced by Q2's libraries that are not published to Maven Central. Required. |
api.foojay.io | Used by the Gradle Foojay toolchain resolver to automatically download JDK 21 the first time you build. Required unless you install JDK 21 manually. |
api.adoptium.net | Adoptium's distribution endpoint, used by Foojay to fetch the actual JDK 21 archive. Required alongside api.foojay.io. |
developer.android.com | Documentation, the Android Studio installer, and SDK release notes. Required only for downloading Android Studio and reading docs in-browser, but most teams already allow this. Recommended. |
Several of the hosts above route downloads through Content Delivery Networks (CDNs). The most common subdomains are listed below. If your firewall does not allow wildcard rules, you may need to allow each CDN host explicitly.
| Parent host | Common CDN subdomain |
|---|---|
services.gradle.org | downloads.gradle-dn.com |
repo.maven.apache.org | repo1.maven.org |
If you encounter a blocked host that is not in this table, capture the exact host name from your proxy logs and contact your Q2 representative — CDN hosts can change over time.
Hosts you do not need
To remove ambiguity for your IT team, the following hosts appear in some Q2 internal projects but are not required for DevApp module development:
artifactory.q2ebanking.com— internal Q2 artifact server. Used only by Q2's first-party banking app (the Q2 Mobile App / NGAM), not by modules built with the DevApp.
If a build error references one of these hosts, contact your Q2 representative — it indicates a misconfigured project, not a missing firewall rule.
Validating your firewall rules
After your IT team has allowed the hosts above, validate connectivity from a developer
machine before starting the install. From a terminal, each of these commands should
return an HTTP 200 or 301 response:
# Q2 GitLab
curl -I https://code.q2developer.com
# Gradle distribution (uses the actual pinned version)
curl -I https://services.gradle.org/distributions/gradle-8.14.4-bin.zip
# Google Maven
curl -I https://maven.google.com/web/index.html
# Android SDK component download host
curl -I https://dl.google.com/android/repository/repository2-3.xml
# Maven Central
curl -I https://repo.maven.apache.org/maven2/
# Gradle Plugin Portal
curl -I https://plugins.gradle.org/m2/
# JitPack
curl -I https://jitpack.io
# Foojay JDK toolchain resolver
curl -I https://api.foojay.io/disco/v3.0/distributions
If any of the above time out or return a connection-refused error, your firewall is still blocking that host.
Proxy configuration
If your organization requires all outbound traffic to go through an HTTP proxy, both Gradle and Android Studio must be configured to use it.
Gradle
Add the following to ~/.gradle/gradle.properties (create the file if it does not
exist):
systemProp.http.proxyHost=proxy.your-company.com
systemProp.http.proxyPort=8080
systemProp.https.proxyHost=proxy.your-company.com
systemProp.https.proxyPort=8080
# Optional — if your proxy requires authentication
systemProp.http.proxyUser=your-username
systemProp.http.proxyPassword=your-password
systemProp.https.proxyUser=your-username
systemProp.https.proxyPassword=your-password
# Optional — bypass the proxy for internal hosts
systemProp.http.nonProxyHosts=*.your-company.com|localhost
systemProp.https.nonProxyHosts=*.your-company.com|localhost
Android Studio
In Android Studio, go to File → Settings → Appearance & Behavior → System Settings → HTTP Proxy and configure your proxy details there.
Custom CA certificates
If your organization performs SSL inspection (a "man-in-the-middle" proxy), Gradle and the JDK must trust your organization's root CA certificate.
The DevApp repository ships with a cacerts truststore at the project root for this
exact case. If you receive SSL handshake errors during a Gradle sync, contact your Q2
representative — they will walk you through importing your organization's root
certificate into the truststore and pointing Gradle at it.
What's next
Network confirmed open? Move to Accounts and Access to obtain your Q2 GitLab account and Personal Access Token.