`apple-app-site-association` with the details. Then this file needs to be hosted in the root directory of your web server (e.g. https://google.com/apple-app-site-association).

For the pentester this file is very interesting as it discloses paths. It can even disclose paths of releases that haven't been published yet.

`.entitlements` file looking for `com.apple.developer.associated-domains`. Each of the domains must be prefixed with `applinks:`, such as `applinks:www.mywebsite.com`.

`.entitlements` file:

`apple-app-site-association` file from the server using the associated domains you got from the previous step. This file needs to be accessible via HTTPS, without any redirects, at `https://<domain>/apple-app-site-association` or `https://<domain>/.well-known/apple-app-site-association`.

`application:continueUserActivity:restorationHandler:`. If you have the original project, try searching for this method.

`openURL:options:completionHandler:` to open a universal link to the app's website, the link won't open in the app. As the call originates from the app, it won't be handled as a universal link.

`webpageURL` must be HTTP or HTTPS (any other scheme should throw an exception). The `scheme` instance property of `URLComponents` / `NSURLComponents` can be used to verify this.

`NSUserActivity` object with an `activityType` value of `NSUserActivityTypeBrowsingWeb`. The activity object's `webpageURL` property contains the HTTP or HTTPS URL that the user accesses. The following example in Swift verifies exactly this before opening the URL:

`NSURLComponents` API can be used to parse and manipulate the components of the URL. This can also be part of the method `application:continueUserActivity:restorationHandler:` itself or might occur in a separate method being called from it. The following example demonstrates this:
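
A handler that performs the checks described above (activity type, `webpageURL` scheme, then component-by-component parsing with `URLComponents`), written here as an added example in Swift and not taken from the original page or from any real app. The host `www.mywebsite.com` is reused from the entitlement example above; the `/product` route, the `id` parameter and the names `productID(from:)`, `LinkError` and `showProduct` are assumptions made for illustration.

```swift
import UIKit

// Hypothetical values for this sketch: the app's associated domain and its only deep-link route.
let allowedHosts: Set<String> = ["www.mywebsite.com"]
let productPath = "/product"

enum LinkError: Error { case notUniversalLink, badScheme, badHost, badPath, badParameter }

/// Returns the validated product id carried by a universal link, or throws.
func productID(from userActivity: NSUserActivity) throws -> String {
    // Universal links arrive as a browsing-web activity that carries a webpageURL.
    guard userActivity.activityType == NSUserActivityTypeBrowsingWeb,
          let url = userActivity.webpageURL,
          let components = URLComponents(url: url, resolvingAgainstBaseURL: true) else {
        throw LinkError.notUniversalLink
    }
    // The scheme must be HTTP or HTTPS; anything else is rejected.
    guard let scheme = components.scheme?.lowercased(), ["http", "https"].contains(scheme) else {
        throw LinkError.badScheme
    }
    // Only accept hosts the app is actually associated with.
    guard let host = components.host?.lowercased(), allowedHosts.contains(host) else {
        throw LinkError.badHost
    }
    // Match the path exactly instead of by prefix or substring.
    guard components.path == productPath else { throw LinkError.badPath }
    // Query parameters are untrusted input: require exactly one short, all-digit "id".
    let ids = (components.queryItems ?? []).filter { $0.name == "id" }.compactMap { $0.value }
    guard ids.count == 1, let id = ids.first, (1...12).contains(id.count),
          id.allSatisfy({ $0.isASCII && $0.isNumber }) else {
        throw LinkError.badParameter
    }
    return id
}

// App delegate; the app's entry-point attribute is omitted in this sketch.
class AppDelegate: UIResponder, UIApplicationDelegate {
    func application(_ application: UIApplication,
                     continue userActivity: NSUserActivity,
                     restorationHandler: @escaping ([UIUserActivityRestoring]?) -> Void) -> Bool {
        guard let id = try? productID(from: userActivity) else {
            return false  // not handled: nothing is opened for a link that fails validation
        }
        showProduct(id)
        return true
    }
    // Hypothetical navigation hook; a real app would route to its product screen here.
    private func showProduct(_ id: String) { NSLog("Opening product %@", id) }
}
```

Keeping the validation in a separate function, as the text allows, makes it possible to unit-test the parsing with constructed `NSUserActivity` objects without launching the app through a link.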