Security concern for public apple-app-site-association file

Is it possible to improve the security of the apple-app-site-association file? I don't want testers to access the file and learn about how to find hidden routes or build a word list for further testing. I also would be exposing my app identifier, which I am not fully comfortable doing.
  • Can the file be publicly accessible but only with a specific key appended to the URL? For example: /.well-known/apple-app-site-association/key=Abc123

    Bot/hacker traffic to everyone's server directed at this specific file is surging. Exposed to bots/hackers, they now know: "Okay. Let me just download any one of your apps, jailbreak in with any ***** or any other one, change the Info.plist to point to any domain, and proceed to attempt password reset requests." It's safer not to use this file.


Accepted Reply

Hi LemonSpike! For your public-facing domain, the apple-app-site-association file must be publicly accessible. Otherwise, its contents won't be visible to individual iOS devices where your app(s) are installed.

If you are testing your apps prior to distribution, iOS 14 and macOS Big Sur introduce "developer mode" for associated domains (including universal links.) This feature allows you to test your associated domains data with your app without requiring that it be visible on the public Internet. You will need to make some changes to use developer mode:
  • Your app gets a modified associated domains entitlement specifying that a given domain is a "developer" domain, and

  • Your device must be placed in developer mode (via Developer settings on iOS, tvOS, and watchOS, or using swcutil on macOS.)

If you use a separate server for predeployment testing, say "testing.example.com", you can install a self-signed root certificate on your device and use it (or a certificate chained to it) on your HTTPS server. This means you don't need to configure a "real" certificate for your test domain. And this server will be accessed directly from your iOS device instead of via Apple's CDN, so it can be kept inside your intranet.

For more information about developer mode, please watch this year's edition of What's new in universal links!
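Since the file has to be world-readable, the practical question is what it reveals. As an added example (not from the post or from Apple), this Python audit reads an apple-app-site-association file the way any client can, in both the legacy `paths` form and the iOS 13+ `components` form, and flags entries worth reviewing before publishing. The sample file, team ID and bundle IDs are constructed placeholders.

```python
import json

# Constructed sample apple-app-site-association content (not from the original
# post); the team ID and bundle IDs are placeholders.
SAMPLE_AASA = """
{
  "applinks": {
    "details": [
      {
        "appIDs": ["ABCDE12345.com.example.app"],
        "components": [
          { "/": "/reset-password/*", "exclude": true },
          { "/": "/items/*", "?": { "ref": "*" } },
          { "/": "/*" }
        ]
      },
      {
        "appID": "ABCDE12345.com.example.legacy",
        "paths": ["NOT /admin/*", "/share/*"]
      }
    ]
  }
}
"""

BROAD = ("*", "/*")

def audit_aasa(text):
    """Enumerate what any unauthenticated client learns from an AASA file:
    the app IDs it names and the path patterns routed to (or excluded from)
    each app. Handles the iOS 13+ 'appIDs'/'components' form and the legacy
    'appID'/'paths' form. Warnings flag entries to review before publishing."""
    doc = json.loads(text)
    app_ids, patterns, warnings = set(), [], []
    for entry in doc.get("applinks", {}).get("details", []):
        ids = tuple(entry.get("appIDs") or [entry["appID"]])
        app_ids.update(ids)
        rules = []
        for comp in entry.get("components", []):
            # A component without a "/" key matches every path.
            rules.append((comp.get("/", "*"), bool(comp.get("exclude"))))
        for path in entry.get("paths", []):
            # Legacy syntax marks exclusions with a "NOT " prefix.
            rules.append((path[4:], True) if path.startswith("NOT ") else (path, False))
        for pattern, excluded in rules:
            patterns.append((ids, pattern, excluded))
            if excluded:
                warnings.append(f"{ids[0]}: excluded pattern '{pattern}' names a route "
                                "the app does not handle; the web server still serves it")
            elif pattern in BROAD:
                warnings.append(f"{ids[0]}: pattern '{pattern}' claims every URL on the "
                                "domain; scope it, or exclude sensitive routes explicitly")
    return {"app_ids": sorted(app_ids), "patterns": patterns, "warnings": warnings}

if __name__ == "__main__":
    for line in audit_aasa(SAMPLE_AASA)["warnings"]:
        print("WARNING", line)
```

Run it against your own file before deployment; anything the audit lists is exactly what testers and bots will also see, so treat the app IDs and route patterns as public and keep authorization on the server side.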
