ARTICLE AD BOX
The Problem
Our iOS Universal Links (https://Client1.example.com/card/96/58aa?utm_campaign=ADHOC&utm_medium=shareable) are opening in Safari instead of our app, the same links were opening the app earlier but stoped recently so we have moved our AASA file to conform to modern standards.
Old path: https://www.example.com/apple-app-site-association
New path: https://example.com/.well-known/apple-app-site-association
We've investigated and found a confusing validation failure. Similarly we have Client2.example.com, Client3.example.com etc.
The Contradiction
Works: curl to our AASA file at https://example.com/.well-known/apple-app-site-association returns a 200 OK with the correct JSON content-type. Works: Third-party validators (like Branch.io) report our AASA file is perfectly valid. Fails: Apple's own CDN at https://app-site-association.cdn-apple.com/a/v1/example.com returns a 404 Not Found.A device console log reveals:
Request for '<private>' ... denied because the CDN told us to stop with HTTP status 404: SWCERR00101 Bad HTTP Response: 403 Forbidden -- {"status":"403 Forbidden"}Response from https://example.com/.well-known/apple-app-site-association
{ "applinks": { "apps": [], "details": [ { "appID": "ID.com.example.native.example", "paths": [ "/user/*", "/card/*", "/inbox" ] } ] } }Our Setup
Xcode: applinks:*.example.com AASA File: Located at https://example.com/.well-known/apple-app-site-associationOur Questions
Is a separate apple-app-site-association file required on each subdomain (sub.example.com) when using a wildcard applinks:*.example.com in Xcode, we have nearly 100+ clients as sub domains?
What would cause a server to return a 200 OK for curl and validators, but a 403 Forbidden specifically to Apple's user agent? What kind of firewall, WAF, or bot protection rules could be responsible for this?
What are we missing? What should our next debugging steps be?
