Is it possible to improve the security of the apple-app-site-association file? I don't want testers to access the file and learn about how to find hidden routes or build a word list for further testing. I also would be exposing my app identifier, which I am not fully comfortable doing.
Security concern for public apple-app-site-association file
Hi LemonSpike! For your public-facing domain, the apple-app-site-association file must be publicly accessible. Otherwise, its contents won't be visible to individual iOS devices where your app(s) are installed.
If you are testing your apps prior to distribution, iOS 14 and macOS Big Sur introduce "developer mode" for associated domains (including universal links). This feature allows you to test your associated domains data with your app without requiring that it be visible on the public Internet. You will need to make some changes to use developer mode:
Your app gets a modified associated domains entitlement specifying that a given domain is a "developer" domain, and
Your device must be placed in developer mode (via Developer settings on iOS, tvOS, and watchOS, or using swcutil on macOS).
For more information about developer mode, please watch this year's edition of What's new in universal links!
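As an added illustration of the entitlement change described in this answer (not code from the original post or from Apple), the Associated Domains entitlement below keeps the production domain and adds a second entry marked as a developer domain with the `?mode=developer` suffix; `example.com` and `staging.example.com` are placeholder domains.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Associated Domains entitlement (App.entitlements); domain names are placeholders -->
    <key>com.apple.developer.associated-domains</key>
    <array>
        <!-- Production: the file at https://example.com/.well-known/apple-app-site-association
             must be publicly reachable, as the answer above states -->
        <string>applinks:example.com</string>
        <!-- Developer domain: only honoured on a device that has been placed in developer
             mode, so this host's AASA file need not be visible on the public Internet -->
        <string>applinks:staging.example.com?mode=developer</string>
    </array>
</dict>
</plist>
```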
Can the file be publicly accessible but only with a specific key appended to the URL? For example: /.well-known/apple-app-site-association/key=Abc123
Bot/hacker traffic to everyone's server directed at this specific file is surging. Exposed to bots/hackers, they now know: "Okay. Let me just download any one of your apps, jailbreak in with any ***** or any other one, change the Info.plist to point to any domain, and proceed to attempt password reset requests." It's safer not to use this file.