1

I am working on a project replacing deep linking in house for an iOS and Android app. I know iOS has universal links and Android has app links. They can be synced up and the OS abstracted away if they use the same URL scheme. Additionally, if a user interacts with one of these links on a laptop or desktop, they can reach the link on the web (a corrupt link) and be automatically redirected. Are there any security concerns with this approach? Is there a better way to handle this project or is this design optimal? I am wondering if anyone has adopted universal and app links for their apps. I am also curious what percent of the time they work in production, since I often find they don't work without a fresh install of the app when running from Xcode.

deep_link_flow_chart

Improve this question
4
  • on iOS side: "a corrupt link" would apply to deep link, but universal link is valid from web perspective, and it's generally expected that you serve some "fallback" page from that location in case the user does not have the app. The universal link is "preconfigured", so you don't do all these checks about app existence... in fact iOS won't even invoke the browser if the app is present (and link is coming from elsewhere, say email). So your diagram is overcomplicating what you need to do. As for security, look at iOS guide for universal links, they clearly say what are the risks.
    – timbre timbre
    Commented Jun 24 at 16:11
  • This might be implied on my perspective, but the the redirection is handled by both iOS and Android operating systems internally, I just thought I'd spell it out in the diagram.
    – Braeden Meikle
    Commented Jun 24 at 16:26
  • It sounds like after reading developer.apple.com/documentation/xcode/… one more time, as long as we have some sort of safeguarding in continueUserActivity function in the App/SceneDelegate, then we should be able to protect our app against all sorts of universal links. I am not sure I understand any other security risks
    – Braeden Meikle
    Commented Jun 24 at 16:31
  • 1
    I believe the most important safeguard is that your link doesn't allow any operation on user data and that it doesn't bypass any security safeguards already in place (login most obviously, but also other things, for example if user has no permissions to access some part of the app, the link should not be the way to skip such permission check)
    – timbre timbre
    Commented Jun 24 at 17:36
Related questions
933
Xcode building for iOS Simulator, but linking in an object file built for iOS, for architecture 'arm64'
1408
How can I check for an active Internet connection on iOS or macOS?
1088
How to change Status Bar text color in iOS
Load 7 more related questions Show fewer related questions

0

Reset to default