By implementing universal links, you end up with an apple-app-site-association file that you put in the root of your server. The file contains both bundleID and teamID. Is this safe?
I can clearly download e.g. Google’s one and get their IDs since the scenario is always the same.
There is no security risk from displaying the bundle ID and team ID. It is not possible to use these two pieces of information for anything (either productive or dangerous) without also having access to your Apple Developer account password.
Related
I am writing an iOS app and have a dilemma. The app will be used to test the BLE protocol of devices coming off our production line. It needs to be very simple, It is a one button app that automatically connects to devices and tests commands in our protocol and gives a pass or fail result. If it passes the device id is sent to our API to be entered in our database.
My problem is I don't want the user to have to login, but I need to send a username and password to the API to log in. This means the username and password has to be included in the app. I am trying to find out the most secure way to do this. I initially thought I would include a plist in the app with the credentials, enter them in keychain, then delete the plist. However I don't believe you can delete a file included in the app bundle (I get a 513 permission error).
I have 2 questions. Is it secure to include credentials in code? Is there a better way to do this?
Thanks!
No.
Use API to retrieve credentials and store to keychain. Simple call to firebase could solve this. Or use your own backend with your custom “security”.
But even obtaining via API don’t give you 100% security. Everything depends. API solution gives you flexibility and ability to support different versions with different credentials.
I have 3 requirement for DeepLinking or Universal Links to my project.
If user is having the application then URL should redirect to application with content.
If user don't have the application then it should redirect to Appstore.
If user don't have the application then it should redirect to Appstore and after download the app it should go to that page with data which I am sending with URL.
Links which I followed:
https://www.raywenderlich.com/128948/universal-links-make-connection
https://developer.apple.com/library/content/documentation/General/Conceptual/AppSearch/UniversalLinks.html.
http://swiftdeveloperblog.com/deep-linking-using-custom-url-scheme/.
http://blogs.innovationm.com/deferred-deep-linking-in-ios-with-universal-link/
https://developer.apple.com/documentation/security/shared_web_credentials/preparing_your_app_and_website_to_share
http://www.brianjcoleman.com/tutorial-deep-linking-in-swift/.
What I understood is:
Creating and Uploading the Association File and for this I have to follow some steps:
Adding support for universal links is easy. There are three steps you need to take:
Create an apple-app-site-association file that contains JSON data about the URLs that your app can handle. Upload the apple-app-site-association file to your HTTPS web server. You can place the file at the root of your server or in the .well-known subdirectory. Prepare your app to handle universal links.
Creating and Uploading the Association File
To create a secure connection between your website and your app, you establish a trust relationship between them. You establish this relationship in two parts:
An apple-app-site-association file that you add to your website
A com.apple.developer.associated-domains entitlement that you add to your app
Preparing Your App to Handle Universal Links.
In your com.apple.developer.associated-domains entitlement, include a list of the domains that your app wants to handle as universal links. To do this in Xcode, open the Associated Domains section in the Capabilities tab and add an entry for each domain that your app supports, prefixed with applinks:, such as applinks:www.mywebsite.com.
Problem is: I followed all steps and I have a url I added it in the domain in my Associated Domain.
Example: https://<My_Domain>/anything.
Now Backend is generating URL and sending.
We are using Http server.
Example:
Route::get('appstore',function(){ return redirect()->away('https://itunes.apple.com/in/app/whatsapp-messenger/id310633997?mt=8');});
Problem is when I am clicking on that URL I am not getting any popup for already app and also After download how data I will get ?
Am missing something or backend is missing something?
So it seems like you are trying to accomplish deferred deep linking, which means you route the user to the content if the app is installed or you route the user to the app store to download the app and present them the content once the app is opened. This is very difficult to do by yourself and I'll explain more in a bit.
It looks like you are setting up your universal links correctly but the redirect to the app store is fairly hacky. Universal Links are meant to be used to redirect users to the web version, which means bringing them to the app store instead is no easy task.
If you do get the user to the app store, deferred deep linking which is just directing them to the content after they install the app is nearly impossible to do yourself without using a third-party service like Branch. Branch also will allow you to push users back to the app store to download the app, if that's the user experience your looking for.
Hope this helps!
I am trying to set-up universal links for an iOS app.
The Apple search validator keeps failing when I try to validate the file apple-app-site-association with error message:
Unable to parse that webpage URL. Try a different URL.
The file content is correct, I tried with already validated files from other websites but it seems the crawler fails to access the website generally.
The domain and website are hosted on a shared server at 1and1.com without SSL. The file is not signed.
Any idea why that is?
This is the "App Search API Validation Tool", not the "Universal Links Validation Tool" (which doesn't exist from Apple). The results from this tool have no connection to whether Universal Links work or not.
That said, you must have SSL in order for Universal Links to work. That is the number one requirement. If you can't/don't want to set this up, look at an external link hosting service like Firebase Dynamic Links or Branch.io (full disclosure: I'm on the Branch team)
In reference to "you must have SSL in order for Universal Links to work. That is the number one requirement." This is no longer a requirement.
If your app runs in iOS 9 or later and you use HTTPS to serve the apple-app-site-association file, you can create a plain text file that uses the application/json MIME type and you don’t need to sign it.
I know this can sound absolutely stupid, but I could not find any way to solve this problem.
Say I've a mobile app: from this app, after purchasing an item, since the item is downloadable from a server, I make the user download a file to his device. Problem is it looks like it is very easy even for not so smart people, to get the URL of the file, so, without purchasing anything, the not-so-smart-guy can eventually download the same file for free (using a common browser).
Apart from the language I use (it is not important here, it can be JavaScript, Java, Objective-C, whatever), how can I prevent this issue WITHOUT developing an authentication system?
Generate a token for successful purchase, store it in the server side session or database. Add the token as a query string parameter for the file download request. Implement an filter for the file download request to validate the token.
To make sure that the URL is not share able - find some unique attribute of the device that can't be spoofed easily, hash(url,token,unique property) and add it to the url.
Due to every AppID seems need a correspond URL, that means, every our device needs to apply one AppID with its URL. This is not suitable and not OK for our device goes into mass production due to we don't know the url of the end user. So, does anyone know how to solve this issue?
*
Facebook doesn't allow to create appid now, am having below error.
*You can no longer create apps because our systems indicated that your account may not be authentic. Facebook requires users to provide their
real first and last names, and fake accounts are a violation of our
Statement of Rights and Responsibilities (SRR 4.1), even when used to
host or test apps. Also note that maintaining multiple accounts, even
if they are authentic, is also prohibited. If you would like to create
a test user to test app functionality, you can do so here:
http://developers.facebook.com/docs/test_users/.*
*