There are 2 Apps in my case say App A and App B.
I want to use universal link to open App B from App A and do some authentication work. I will be sending some result from App B to App A after it completes authentication via App A universal link.
But the use case I am troubled about is I do not want any other app to open App B.
If my HTTPS universal linking URL gets exposed, I know that universal links can not work directly from browser but someone can create malicious app and can try to open the universal link from malicious app.
Is there any solution to that? Like restricting what apps can open App B via universal linking?
Please correct me if my understanding is wrong.
The developer of a malicious app cannot intercept ANY link they want, that's what your apple-app-site-assotiation is for. The connection between the app and the site works both way:
In your app you need to put a domain to your website.
Under <your_domain>/.well-known/apple-app-site-assotiation you've got to put appID and only the app with that specific appID will be eligible to handle URLs to of this domain.
Hope it answers your question.
Related
I am implementing universal deeplinking, I don't want to use any third party framework I have the domain and I have uploaded the apple-app-site association file. Now I want to test if everything is correct or not. How to create the universal link, how to specify ios url scheme and app id in the link ?
Universal Links do not look any different than normal links with your domain. If you registered your AASA at yourdomain.com/apple-app-site-association then yourdomain.com/?example=data should open your app. In the comments you mentioned you want it to open the app store if its not installed. You'll actually need to redirect your link to go to the app store. The Universal Link will not automatically handle that. So yourdomain.com/ will actually need to return a 301 redirect to the app store url. Branch links have that functionality built in if you'd like to save yourself a lot of time.
I am trying to have a link on my website that will open the app on the App Store, with some extra parameters, which my app can then use once it is installed.
The sequence would be similar to this:
User visits my website and clicks a link to install app on App Store.
User is redirected to the app store and installs links
App is launched with the extra parameters passed in URL in step 1.
Hopefully it could look something like this:
itms-apps://itunes.apple.com/app/id123456789?user=foo&page=bar
The main reason I would like to do something like this would be so a user can jump right to the same page they were on, and possibly also be logged in.
I did some research on this already, but only found stuff for affiliate linking (which maybe could be used for this) but this doesn't seem like the right option.
https://affiliate.itunes.apple.com/resources/documentation/basic_affiliate_link_guidelines_for_the_phg_network/
Any thoughts would be greatly appreciated, thanks!
Edit
It turns out this is called "Deferred Deep Linking", here are some similar threads I've found:
How to make deferred deep linking?
Deferred Deep Linking in iOS
You can do this scenario with 2 ways
1-) define URL scheme on your iOS app firstly.
For example, you define "dateApp" as a URL scheme.
After that, if you write on safari browser this adress "dateApp://" your browser should ask you should this page open on: "DataApp"? if this app installed on your phone
2-) Firebase Dynamic Links.
You should implemented related SDK and callback on your app.
After that you should prepare dynamic link from firebase dashboard
You should check this option if you don't want see preview page.
Note: firebase dynamic link option is more powerfull. Because if someone not install your app but clicked firebase link, redirecting AppStore. After installation process, if opening app in 2 hours, deeplink url cachted by firebase. So you can route appropriate page.
Firebase deeplink example for you :)
https://www.dateapp.com.tr/?page=CampaignDetail&p=78771
I'm trying to implement Firebase Dynamic Links in an iOS app. The goal is to have a clean URL for marketing purposes so folks can share links on social media. The idea is folks will share the clean URL that starts with my domain name.
When the app is installed following a click on that link, we want to be able to track who referred the app install by looking at the payload delivered by Firebase. I think this goal is similar to Firebase's use case to convert web users to mobile app users.
An example link I would like to provide for sharing on social media is: http://example.com/my-payload-here
I've tried several cases but I'm not able to get the behavior I'm looking for in any case. Has anyone implemented this successfully before?
Here is my test procedure:
Uninstall the app
Send the link to be tested in an iMessage to myself
Tap the link on my iOS device (not using a simulator)
Install the app from the App Store
Launch the app after download completes by tapping "Open" button in the App Store
Below are my findings:
Short link generated from the Firebase Console (https://xyz.app.goo.gl/ABCD) - Link opens in App Store. I install the app. When I launch the app after installing, the payload is not delivered. If I quit out of the app, go back to the link in iMessage, and launch a second time, the payload is delivered.
Long link identical to the "Long Dynamic Link" from the Firebase console for the link generated in #1 (https://xyz.app.goo.gl/?link=http://example.com/my-payload-here&isi=12345&ibi=com.example.MyApp) - behavior is identical to #1
Short link using my domain (http://example.com/redirect/my-payload-here, configured to 301 redirect to URL in #2) - Opens in App Store. I install. When I launch the app after installing, the payload is not delivered. If I quit out of the app, go back to the link in iMessage, and launch a second time, the link still goes to the App Store.
Some questions I have:
Why isn't the payload delivered on the first launch for cases 1 and 2?
How can we make this launch the app and deliver the payload instead of going to the App Store?
I've also consulted the Firebase flowchart for the deep link in case 2.
Google Firebase team added support for custom subdomains to Dynamic Links.
You can now specify up to five custom page.link subdomains for your Dynamic Links. Short links using these new custom subdomains look like the following example: https://example.page.link/abcXYZ
Firebase Dynamic Link domains assigned on projects couldn't be deleted at this time.( firebase team is working on it.)
You can now whitelist the URL patterns that can be used as a Dynamic Link's deep link (link) or fallback link (ifl, ipfl, afl, ofl). If you define a whitelist, Dynamic Links won't redirect to URLs that don't match a whitelisted pattern.
You can try both of these features in the Firebase console.
This is not currently possible with Firebase. If you need whitelabeled URLs, you either need to build it yourself or use a more powerful link platform like Branch.io (full disclosure: I'm on the Branch team).
To answer your questions specifically:
I have implemented Firebase Dynamic Links in a testbed app and can confirm that linking through installation the first time does work for both long and short URL variants. There is likely something wrong with your AppDelegate config, so we can take a look at that if you want to share code.
Firebase does not support custom domains at this time. In theory (if you can solve the first issue above) you could get this working for first install by using a redirect like you have tried. However, you'll never be able to get it to launch the app with Firebase link data once the app is installed. This is because Universal Links work based on the domain of the link, and don't even request the web destination. Even if you enable Universal Links manually on your own domain, the app will open immediately without ever calling Firebase and the link data will never be set.
I have Universal Linking setup in my app.
Now when browsing my website in Safari and visiting a UL registered link, it opens in safari and asks me if I want to open in my App.
Is there a way that it always opens in the app? No prompt to open in app, just open when it is installed, else continue in safari.
There are two different issues here:
1. In Safari, the URL of a Universal Link needs to be on a different domain/subdomain than the page on which it appears
Apple is very conservative with where Universal Links are allowed to work. One of the limitations in Safari is not allowing the app to open if the user is already browsing the same site (this sort of pages sense — if the user made the effort to open a site in Safari instead of the app, it could be annoying if every single link on that site tried to open the app, especially if the app isn't properly configured for deep link routing).
The workaround is to use a separate domain/subdomain for links you want to open the app. For example, if your site is on example.com, point any link you want to open the app to link.example.com and then redirect users without the app back to the main website or onward to the App Store. This is actually the system we built at Branch.io (which you could consider using instead of re-building it yourself!)
2. What you have described is not Universal Links behavior
Universal Links do not ask the user for confirmation before opening the app, even the first time. They always open the app immediately without even requesting the web page, until/unless the user explicitly disables them (which is actually rather easy to do). What you're describing is the behavior of custom URI schemes, so I suspect you may have a some sort of automatic redirect to the app's URI scheme on the page the Universal Link points to. This is actually not the best idea in most cases, since users without the app will see a nasty error message.
I have an app that gets opened from another app via a URL scheme. The URL contains signup tokens. As any app can register the same URL scheme as my app, I am concerned a "fake" app can do a man-in-the-middle attack and capture the signup tokens.
My idea is to check that the URL scheme does not open another app when my app is first opened.
From a security perspective, if the URL scheme opens my app the first time, will it always open my app in the future?
How about using iOS 9 universal links?
Unlike custom URL schemes, universal links can’t be claimed by other apps, because they use standard HTTP or HTTPS links to your website.
https://developer.apple.com/library/prerelease/ios/documentation/General/Conceptual/AppSearch/UniversalLinks.html
This way the "dispatch table" is on your server, so no other app can hijack the signup URL. (URL dispatch is based on AppIDs)
It's a valid (and usually ignored) attack vector. It isn't strictly a man-in-the-middle attack as it won't forward the URL on to your app (it can't). It's almost worse as the attacking app would only really be able to crash and it would look like your app had...
Another app could be installed any time your app is in the background. Technically it's possible that an update is released and installed for an existing app while your app is running (it's hard to know if that happens). So, it isn't safe to only test when your app is first opened.