It’s the new robots.txt, warns NCC

UPDATED Misuse of Apple’s App-Site Association standard has the potential to leak web app routes and other sensitive info, security researchers at NCC warn.

The behavior means App-Site Association could be leaking information that might be of use to hackers in enumerating a target site.

Web and app developers ought therefore to be checking they aren’t publishing anything sensitive in the publicly accessible resource, such as internal URLs for applications.

The issue arises due to naïve use of the standard by unaware developers rather than inherent problems with the technology, researchers say.

A blog post by NCC’s Tanner Prynn compares Apple’s App-Site Association standard to the robots.txt feature that has been around almost since the inception of the web.

App-Site Association requires websites to host a file at .well-known/apple-app-site-association. This file contains data on web app routes, comparable to robots.txt.

Trust but verify

Apple’s tech allows users to link their iOS applications to their domain in order to support functionalities such as sharing user credentials between multiple iOS applications developed by the same organization.

iOS requires a two-way trust between an iOS application and a domain in order to set up this type of association.

“At runtime, the user’s device reaches out to the configured domain, which must respond with a JSON blob containing permitted app identifiers and URLs to open in the corresponding app,” Prynn explains. “This JSON blob must be hosted at the hardcoded route /.well-known/apple-app-site-association.”

“As a result, pretty much any site with a corresponding iOS application hosts this publicly-accessible file listing, which lists site URLs that should be opened in the mobile app,” he adds.

Applying the technology can lead to inadvertent information disclosure by the unwary.

“This file specifies the app along with dozens of URLs which should or shouldn’t be opened – in a very similar way to the old robots.txt,” Prynn writes.

“Especially on black box tests or for bug bounty work, this file can help testers to find hidden routes or build a word list for further testing. On many sites, the file also contains app identifiers and URL lists for internal and enterprise apps, further expanding the amount of information which is disclosed.”
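For site owners who want to run the check described above against their own file, here is an added example (not code from NCC or Apple) that parses an association file and flags published routes that look non-public. The sample JSON, the app identifiers and the keyword list are constructed assumptions; the parser covers both the older `paths` layout and the newer `components` layout of the `applinks` section.

```python
import json

# Assumption: substrings that suggest a non-public route; tune for your own site.
SENSITIVE_HINTS = ("admin", "internal", "staging", "debug", "beta", "private")

# Constructed sample, not taken from any real site. It mixes the older
# "paths" layout and the newer "components" layout of the applinks section.
SAMPLE_AASA = """
{
  "applinks": {
    "apps": [],
    "details": [
      {"appID": "ABCDE12345.com.example.shop",
       "paths": ["/products/*", "NOT /admin/*", "/internal/reports/*"]},
      {"appIDs": ["ABCDE12345.com.example.shop.enterprise"],
       "components": [{"/": "/staging/*", "exclude": true}, {"/": "/help/*"}]}
    ]
  },
  "webcredentials": {"apps": ["ABCDE12345.com.example.shop"]}
}
"""

def iter_routes(aasa):
    """Yield (app_ids, path, excluded) for every route in the applinks section."""
    for detail in aasa.get("applinks", {}).get("details", []):
        app_ids = detail.get("appIDs") or [detail.get("appID", "?")]
        for raw in detail.get("paths", []):            # older layout
            excluded = raw.startswith("NOT ")
            path = raw[4:].strip() if excluded else raw
            yield app_ids, path, excluded
        for comp in detail.get("components", []):      # newer layout
            if "/" in comp:
                yield app_ids, comp["/"], bool(comp.get("exclude"))

def audit(aasa_text):
    """Return one finding per route whose path contains a sensitive-looking hint."""
    findings = []
    for app_ids, path, excluded in iter_routes(json.loads(aasa_text)):
        hits = [h for h in SENSITIVE_HINTS if h in path.lower()]
        if hits:
            # An excluded entry still publishes the path to anyone who reads the file.
            findings.append({"apps": app_ids, "path": path,
                             "excluded": excluded, "hints": hits})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_AASA):
        print(finding)
```

Excluded entries are reported too, because listing a route as "do not open in the app" discloses it just as a `Disallow` line in robots.txt does.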

In response to follow-up questions from The Daily Swig, Prynn clarified that Apple's App-Site Associations (AASA) only made issues easier to find rather than creating fresh problems.

“If a problem exists, it's (almost) always going to be in some route or functionality of a web application that a developer is intending to hide/obfuscate,” he explained. “But that functionality exists regardless of AASA; AASA just makes it easier and quicker to find.”

Apple's technology nonetheless creates fresh avenues for pen testers and bug bounty hunters. Prynn advises hackers to forget robots.txt and start checking .well-known/apple-app-site-association for problems instead.


This story was updated on Tuesday, 16 April to add comment from NCC researcher Tanner Prynn