Hi There, I have a question related to the security of the deeplinks, I understand that in the associated domains is handled a JSON with the relationship of the bundles that are allowed to redirect. but I want to validate , if there is no way for a clone app to add these assosiated domains and allow a deeplink to open your malicious app.
I think that there's no way to do that because the Apple app site association json that you provide on your website has to have data that matches your app identifier. The app identifier or bundle identifier it's unique.
The problem could come up when you are using a redirect on your site with the scheme URL, in that case, whichever app could set your scheme to open their app.