Links

what happens if you attach a Secure attribute to a cookie

Cookies tagged with the Secure attribute will only be sent if the request from the browser is transmitted over an encrypted protocol (https).

4 common cookie fraud exploits

Cross Site Scripting XSS Session Fixation Cross Site Request Forgery Attack XSRF Cookie Tossing Attack

how to find the team id for the AASA?

Head over to https://developer.apple.com/account and retrieve it from the Membership section

difference between AASA and URI Schemes(prefix)

URI can handle app links (wayfairapp://yadayda.com) and AASA is for universal links like https://someting.com Universal links is the iOS's capability of sending web url request to a given app, instead of opening them in the browser. URL-schemes is an apps ability to open in a given state, described by the url, and handled in code by the developer. Say you have an app called "Cool App", and you've registed the url-scheme "coolapp". And your app have different areas like "Nice gadgets" and "Nice stuff". Now you can open your app with at link link coolapp://nice-gadgets. To make the app open on the nice gadget section, you have to implement the application(_:openURL:options:) method, and within this discover the requested url, and make the app open the requested view controller. At the same time you have a website called www.coolapp.com. When browsing using an iOS device, and you come across a link to your site - say www.coolapp.com/nice-gadgets, and opening the link, it will open in the browser. By enabling universal links it will open the app instead by calling the application(_:continueUserActivity:restorationHandler:) method given the url as parameter. From here you can use the same logic from the url scheme handling, to open the app in the requested state. So will universal links replace url schemes? I doubt it, but they are going to compliments each other in a nice way. Are universal links deep links? No, but they can initiate the process of using deep links within an app.

what is a URL in terms of URI

URIs that identify a resource by a location or by the means used to access it, rather than by a name or other attribute of the resource.

what does URL stand for

Uniform Resource Locater

What does URI stand for

Universal Resource Identifier

example of a link layer protocol

Wi-fi

where to store tokens

With token-based auth, you are given the choice of where to store the JWT. Commonly, the JWT is placed in the browser's local storage and this works well for most use cases. There are some issues with storing JWTs in local storage to be aware of. Unlike cookies, local storage is sandboxed to a specific domain and its data cannot be accessed by any other domain including sub-domains. You can store the token in a cookie instead, but the max size of a cookie is only 4kb so that may be problematic if you have many claims attached to the token. Additionally, you can store the token in session storage which is similar to local storage but is cleared as soon as the user closes the browser.

two main forms of cookie fraud

a malicious website uses legitimate website visitors as a proxy in an attack on a website or to game tracking systems by attaching false session IDs to a legitimate user's activity.

What is Session Fixation

a user receives a malicious cookie that contains the cookie issuer's session ID. When the user attempts to log into a targeted domain, the issuer's session ID is logged in instead of the user's session ID. In this way, it looks to the targeted domain like the issuer is performing actions that the user is actually performing.

What is XSRF

a user visits a legitimate site and receives a legitimate cookie. The user then visits a malicious site that instructs the user's browser to perform some action targeting the legitimate site. The legitimate site receives the request along with the legitimate cookie and performs the action since it appears to be initiated by a legitimate user.

What is cookie tossing attack

a user visits a malicious site that provides a cookie designed to look like it originated from a subdomain of a targeted site, such as http://subdomain.example.com. When the user visits the targeted site, http://example.com in this case, the subdomain cookie is sent along with any legitimate cookies. If the subdomain cookie is interpreted first, the data in that cookie will overrule the data contained in any subsequent legitimate cookies.

what is XSS

a user visits a malicious website and receives a cookie that contains a script payload targeting a different website. The malicious cookie is disguised to look like it originated from the targeted website. When the user visits the targeted site, the malicious cookie, including the script payload, is sent to the server hosting the targeted site.

what is a query string

after the path component, and provides a string of information that the resource can use for some purpose like searching or data to be process. example term=bluebird, and name and value pairs are separated by an & like term=bluebird&source=bowser

what is a URI

any character string that identifies a resource

what is the URI scheme key's value for your app

any prefixes you want. you can add as many as you want

Explain each key in this AASA file: { "applinks": { "apps": [], "details": [ { "appID": "3XXXXX9M83.io.branch-labs.Branchster", "paths": [ "NOT /e/*", "*", "/", "/archives/201?/* ] } ] }

applinks: Since the AASA file can also serve other purposes (for example, Shared Web Credentials), the applinks object defines the section of the file used by Universal Links. apps: The apps array must be present, but will always be empty. appID: Built by combining your app's Team ID* (or the Apple App Prefix) and the Bundle Identifier**. In the example above, 3XXXXX9M83 is the Team ID and io.branch-labs.Branchster is the Bundle ID. paths: Array of strings that specify which paths are included or excluded from association. You can use NOT (before the path - as in the example JSON above) to disable paths. In this case, all the links on this path will go to the web instead of opening the app. You can use * as a wildcard to enable all paths in a directory and ? to match a single character (/archives/201?/ example in the sample JSON). Please note that these strings are case sensitive and that query strings and fragment identifiers are ignored.

what is a path in relation to a host

resource in the host that the web client wants to access

Give the syntax for an entire URL

scheme://host:port/path?query

name 4 most common cookies

session persistent first party third party

What is Internet Media Type

"Internet Media Type" is the same as a MIME type. MIME types were originally created for emails sent using the SMTP protocol. Nowadays, this standard is used in a lot of other protocols, hence the new naming convention "Internet Media Type".

To specify an area that should not be handled as a universal link in AASA

"NOT somethingsomething"

what happens with cookies flagged with httpOnly

Cookies flagged as HttpOnly will be inaccessible to JavaScript within the webpage DOM and will only be transmitted back to the issuing domain.

2nd step to support universal links to the app

After you specify your associated domains, adopt the UIApplicationDelegate methods for Handoff (specifically application:continueUserActivity:restorationHandler:) so that your app can receive a link and handle it appropriately. When iOS launches your app after a user taps a universal link, you receive an NSUserActivity object with an activityType value of NSUserActivityTypeBrowsingWeb. The activity object's webpageURL property contains the URL that the user is accessing. The webpage URL property always contains an HTTP or HTTPS URL, and you can use NSURLComponents APIs to manipulate the components of the URL. When a user taps a universal link that you handle, iOS also examines the user's recent choices to determine whether to open your app or your website. For example, a user who has tapped a universal link to open your app can later choose to open your website in Safari by tapping a breadcrumb button in the status bar. After the user makes this choice, iOS continues to open your website in Safari until the user chooses to open your app by tapping OPEN in the Smart App Banner on the webpage.

who does the cookie law apply to

Any person or organization that is physically located in the EU and has a website Any website that targets EU consumers

________ layer protocols contain commands for specific applications

Application

bare minimum 2 pieces of data for a cookie

Cookies necessarily contain, at a minimum, two pieces of data: a unique user identifier and some information about that user

Difference between cookie and token

Cookie-based authentication is stateful. This means that an authentication record or session must be kept both server and client-side. The server needs to keep track of active sessions in a database, while on the front-end a cookie is created that holds a session identifier, thus the name cookie based authentication. Let's look at the flow of traditional cookie-based authentication: User enters their login credentials. Server verifies the credentials are correct and creates a session which is then stored in a database. A cookie with the session ID is placed in the users browser. On subsequent requests, the session ID is verified against the database and if valid the request processed. Once a user logs out of the app, the session is destroyed both client-side and server-side. Token-based authentication is stateless. The server does not keep a record of which users are logged in or which JWTs have been issued. Instead, every request to the server is accompanied by a token which the server uses to verify the authenticity of the request. The token is generally sent as an addition Authorization header in the form of Bearer {JWT}, but can additionally be sent in the body of a POST request or even as a query parameter. Let's see how this flow works: User enters their login credentials. Server verifies the credentials are correct and returns a signed token. This token is stored client-side, most commonly in local storage - but can be stored in session storage or a cookie as well. Subsequent requests to the server include this token as an additional Authorization header or through one of the other methods mentioned above. The server decodes the JWT and if the token is valid processes the request. Once a user logs out, the token is destroyed client-side, no interaction with the server is necessary.

how are cookies created and where do they come from

Cookies are created when a web server tells a browser to create the cookie. The instructions for creating the cookie are usually sent in an HTTP header

iOS rules for persistent cookies in app extensions using the shared singleton

Each app and app extension has a unique data container, meaning they have separate cookie stores. You can obtain a common cookie storage by using the sharedCookieStorage(forGroupContainerIdentifier:) method. By default, apps and associated app extensions will have different data containers. As a result, the value of the HTTPCookieStorage class's shared property will refer to different persistent cookie stores when called by the app and by its extensions.You can use this method to create a persistent cookie storage available to all apps and extensions with access to the same app group. Subsequent calls to the this method with the same identifier will return the same storage instance.

how can apple and android devices send emails to each other

For example, an Apple iPhone can send an email to an Android device using a standard mail protocol. They share the protocol

If two or more apps associate with the same content path, which app gets the link?

If two or more apps associate with the same content path on the website then the order of the appID, paths dictionary in the details array will determine which app will get precedence.

in general, how to delete cookies from browser

In general, you will want to open the browser settings and look for the privacy or security section. Next, look for an option that allows you to view the cookies stored by your browser. When viewing individual cookies you will be provided the option to delete any cookies you wish to remove from your browser. You should also find an option to easily delete all cookies if you wish to do so.

step 1 to supporting universal links for app

In your com.apple.developer.associated-domains entitlement, include a list of the domains that your app wants to handle as universal links. To do this in Xcode, open the Associated Domains section in the Capabilities tab and add an entry for each domain that your app supports, prefixed with applinks:, such as applinks:www.mywebsite.com. Limit this list to no more than about 20 to 30 domains. To match all subdomains of an associated domain, you can specify a wildcard by prefixing *. before the beginning of a specific domain (the period is required). Domain matching is based on the longest substring in the applinks entries. For example, if you specify the entries applinks:*.mywebsite.com and applinks:*.users.mywebsite.com, matching for the domain emily.users.mywebsite.com is performed against the longer *.users.mywebsite.com entry. Note that an entry for *.mywebsite.com does not match mywebsite.com because of the period after the asterisk. To enable matching for both *.mywebsite.com and mywebsite.com, you need to provide a separate applinks entry for each.

how to register a custom scheme in your app

Info tab of your project settings. Update the URL Types section to declare all of the URL schemes your app supports,

_____ layer protocols are used to initiate data transfers and route them over the Internet

Internet

4 rules for the AASA file?

Is served over HTTPS. Uses application/json MIME type. Does not have an appended .json to the apple-app-site-association file name. Has a size not exceeding 128 Kb (requirement in iOS 9.3.1 onwards).

What is a routes.json file and how does it look

It gives you information of certain paths in URL's and what is a valid path/route "action" : "apple_app_site_association", "controller" : "wayfair_app", "pattern" : "(?i)^(?:.well-known/)?apple-app-site-association$", "schema_id" : "WFRoute" }, { "action" : "apple_domain_association", "controller" : "checkout/applepay", "pattern" : "(?i)^(?:\\.well-known/)?apple-developer-merchantid-domain-association$", "schema_id" : "WFRoute" }, { "action" : "google_app_assets", "controller" : "wayfair_app", "pattern" : "(?i)^(?:.well-known/)?assetlinks\\.json$", "schema_id" : "WFRoute" }, { "action" : "index", "controller" : "affiliate_programme", "pattern" : "^affiliate_programme[/]?$", "schema_id" : "WFRoute" }, { "action" : "index", "controller" : "gateway", "pattern" : "^gateway.php$", "schema_id" : "WFRoute" },

What is the anchor # use for a URL

It's a mechanism that allows you to provide an URL to say, a website, and have the page scrolled to where you want the user to be reading. Something like http://mywebsite.com/article#credits might take the reader to the credits at the bottom of an article page

What happens if you call openURL for a universal link while in your app

It's important to understand that if your app uses openURL: to open a universal link to your website, the link does not open in your app. In this scenario, iOS recognizes that the call originates from your app and therefore should not be handled as a universal link by your app.

whats inside an AASA file?

JSON object file with a list of apps and the URL Paths on the domain that should be included and excluded as universal links. { "applinks": { "apps": [], "details": [ { "appID": "3XXXXX9M83.io.branch-labs.Branchster", "paths": [ "NOT /e/*", "*", "/", "/archives/201?/* ] } ] }

2 main ways to protect against cookie fraud

Keep your browser up to date. Many cookie exploits are designed to take advantage of security holes in outdated browsers. Most browsers today update automatically, but if you happen to be using an antiquated browser, stop using it and update it. Avoid questionable sites. If you are ever warned either by your browser or by a search engine that a site is potentially malicious, don't proceed to the site. It just isn't worth the risk.

how to comply with the cookie law

Let users know that you're using cookies Provide a link where they can learn more about how you use the data you gather Provide a way for users to consent to the use of cookies

What is a MIME type

MIME stands for "Multipurpose Internet Mail Extensions. It's a way of identifying files on the Internet according to their nature and format. For example, using the "Content-type" header value defined in a HTTP response, the browser can open the file with the proper extension/plugin.

what happens to cookies when you send any request of the same domain

Once a cookie has been created by a browser, when the browser makes a subsequent request of the same domain it will send back any cookies belonging to that domain as part of the request.

3 great ways to have XSS and XSRF protection

One of the best ways to protect your users and servers is to have a short expiration time for tokens. That way, even if a token is compromised, it will quickly become useless. Additionally, you may maintain a blacklist of compromised tokens and not allow those tokens access to the system. Finally, the nuclear approach would be to change the signing algorithm, which would invalidate all active tokens and require all of your users to log in again. This approach is not easily recommended, but is available in the event of a severe breach.

what is a zombie cookie and how do you delete it

One special type of cookie you may have trouble deleting is a zombie cookie. This type of cookie is automatically recreated by a script stored outside of the browser memory every time you delete it. The result? You can't simply delete the cookie and have it stay gone for good. This strange behavior might make you think that all zombie cookies are malicious, but that isn't the case. Some zombie cookies have legitimate uses. However, their behavior has caused them to be universally derided by both security experts and privacy advocates. To delete these types of cookies takes a little more perseverance, and typically involves the exercise of your googling skills to figure out how others have dealt with the same undeletable cookie. What you'll have to do is figure out where the script that is recreating the cookie is stored and delete that script to stop the continual rebirth of the zombie cookie.

how to manage cookies on chrome

Open the settings menu and use the Search settings field to search for "cookies." This will return the Privacy settings. You can also find this section by scrolling to the bottom of the settings menu, selecting Show advanced settings, and locating the Privacy section. From the Privacy settings, select the Content settings option. By default, all first and third-party cookies are accepted — a setting which Chrome refers to as Allow local data to be set (recommended). If you aren't happy with this policy, alternatives include:

how can you reduce the cookie scope of access

Open your browser's settings menu and look for the security or privacy settings. Set the cookie policies to be as stringent as you deem necessary without making it unduly difficult to access website features.

The instructions for creating the cookie are usually sent in an HTTP header. what do they look like

Set-Cookie: <cookie_name>=<cookie_value> Cookies may also be created with client-side JavaScript by using the document.cookie method.

benefits of token authentication

Stateless, Scalable Perhaps the biggest advantage to using tokens over cookies is the fact that token authentication is stateless. The back-end does not need to keep a record of tokens. Each token is self-contained, containing all the data required to check it's validity as well as convey user information through claims. The server's only job, then, becomes to sign tokens on a successful login request and verify that incoming tokens are valid. In fact, the server does not even need to sign tokens. Third party services such as Auth0 can handle the issuing of tokens and then the server only needs to verify the validity of the token. Cross Domains Cookies work well with singular domains and sub-domains, but when it comes to managing cookies across different domains, it can get hairy. In contrast, a token-based approach with CORS enabled makes it trivial to expose APIs to different services and domains. Since the JWT is required and checked with each and every call to the back-end, as long as there is a valid token, requests can be processed. There are a few caveats to this and we'll address those in the Common Questions and Concerns section below. Store Data in JWT With a cookie based approach, you simply store the session id in a cookie. JWT's, on the other hand, allow you to store any type of metadata, as long as it's valid JSON. The JWT spec specifies different types of claims that can be included such as reserved, public and private. You can learn more about the specifics and the differences between the types of claims on the jwt.io website. In practice, what this means is that a JWT can contain any type of data. Depending on your use case you may choose to make the minimal amount of claims such as the user id and expiration of the token, or you may decide to include additional claims such as the user's email address, who issued the token, scopes or permissions for the user, and more. Performance When using the cookie-based authentication, the back-end has to do a lookup, whether that be a traditional SQL database or a NoSQL alternative, and the round trip is likely to take longer compared to decoding a token. Additionally, since you can store additional data inside the JWT, such as the user's permission level, you can save yourself additional lookup calls to get and process the requested data. For example, say you had an API resource /api/orders that retrieves the latest orders placed via your app, but only users with the role of admin have access to view this data. In a cookie based approach, once the request is made, you'd have one call to the database to verify that the session is valid, another to get the user data and verify that the user has the role of admin, and finally a third call to get the data. On the other hand, with a JWT approach, you can store the user role in the JWT, so once the request is made and the JWT verified, you can make a single call to the database to retrieve the orders. Mobile Ready Modern APIs do not only interact with the browser. Written properly a single API can serve both the browser and native mobile platforms like iOS and Android. Native mobile platforms and cookies do not mix well. While possible, there are many limitations and considerations to using cookies with mobile platforms. Tokens, on the other hand, are much easier to implement on both iOS and Android. Tokens are also easier to implement for Internet of Things applications and services that do not have a concept of a cookie store. JWT Size The biggest disadvantage of token authentication is the size of JWTs. A session cookie is relatively tiny compared to even the smallest JWT. Depending on your use case, the size of the token could become problematic if you add many claims to it. Remember, each request to the server must include the JWT along with it.

what is SameSite flag for cookies

The SameSite flag is a relatively new attribute that ensures that cookies will only be transmitted back to the same website from which they originated

How to make sure your custom scheme is unique and doesn't get picked up by other apps

The identifier you supply with your scheme distinguishes your app from others that declare support for the same scheme. To ensure uniqueness, specify a reverse DNS string that incorporates your company's domain and app name. Although using a reverse DNS string is a best practice, it does not prevent other apps from registering the same scheme and handling the associated links. Use universal links instead of custom URL schemes to define links that are uniquely associated with your website. com.example.myphotoapp as the identifier and put the url scheme as myphotoapp

How to handle incoming URLS

The system delivers the URL to your app by calling your app delegate's application(_:open:options:) method. Add code to the method to parse the contents of the URL and take appropriate actions. To ensure the URL is parsed correctly, use NSURLComponents APIs to extract the components. Obtain additonal information about the URL, such as which app opened it, from the system-provided options dictionary. func application(_ application: UIApplication, open url: URL, options: [UIApplicationOpenURLOptionsKey : Any] = [:] ) -> Bool { // Determine who sent the URL. let sendingAppID = options[.sourceApplication] print("source application = \(sendingAppID ?? "Unknown")") // Process the URL. guard let components = NSURLComponents(url: url, resolvingAgainstBaseURL: true), let albumPath = components.path, let params = components.queryItems else { print("Invalid URL or album path missing") return false } if let photoIndex = params.first(where: { $0.name == "index" })?.value { print("albumPath = \(albumPath)") print("photoIndex = \(photoIndex)") return true } else { print("Photo index missing") return false } }

how do you manage cookies on iOS for iOS Chrome

To delete cookies open the Chrome menu and select Settings. Scroll down and select Privacy. Scroll down again and select Clear Browsing Data. Select the types of data you want to delete, making sure to select Cookies, Site Data, and then select the option to Clear Browsing Data. Another option for Chrome users on iOS is to browse using an incognito tab, and make sure to close the tab prior to closing the browser. That way, no cookies will ever be stored beyond the current browsing session.

_______ layer protocols define how packets are sent, received, and confirmed

Transport

T/F Each domain that the app needs to support has to have its own apple-app-site-association file

True

T/F If the content served by domains is different, then the contents of the file will also be different to support the respective paths. Otherwise, the same AASA file can be used but it needs to be accessible on every supported domain. Also note that even though example.com and www.example.com might be serving the same content, you need to ensure that the AASA file is hosted on both these domains

True

T/F Persistent cookies are created by adding an Expires attribute to the Set-Cookie header.

True

T/F The first actual real-world application of cookies on the web was to determine whether visitors to the Netscape website had been there previously.

True

T/F UIWebView — UIWebView instances within an app inherit the parent app's shared cookie storage.

True

T/F URL schemes offer a potential attack vector into your app, so make sure to validate all URL parameters and discard any malformed URLs. In addition, limit the available actions to those that do not risk the user's data. For example, do not allow other apps to directly delete content or access sensitive information about the user. When testing your URL-handling code, make sure your test cases include improperly formatted URLs.

True

T/F follow these 3 guidelines and you should be okay with using cookies for your website: If you're based in the EU or targeting EU consumers, make sure that you give them the opportunity to acknowledge that your site uses cookies. If you allow paid advertisements or the placement of affiliate ads on your site, disclose that information on your website in an obvious manner. If you track user activity or collect any user data, provide a comprehensive privacy policy explaining what data you gather and how it's used.

True

4 different ways to string match paths in AASA

Use * to specify your entire website Include a specific URL, such as /wwdc/news/, to specify a particular link Append * to a specific URL, such as /videos/wwdc/2015/*, to specify a section of your website In addition to using * to match any substring, you can also use ? to match any single character. You can combine both wildcards in a single path, such as /foo/*/bar/201?/mypage.

what happens when universal link is tapped inside your website, do you go to the app?

When a user is browsing your website in Safari and they tap a universal link to a URL in the same domain as the current webpage, iOS respects the user's most likely intent and opens the link in Safari. If the user taps a universal link to a URL in a different domain, iOS opens the link in your app. For users who are running versions of iOS earlier than 9.0, tapping a universal link to your website opens the link in Safari.

how does private or incognito mode protect against invasion of your privacy regarding cookie tracking

When using this mode, the browser will not use any existing persistent cookies. When you close the browser, all cookies, even persistent ones, will be deleted. Just keep in mind that this means no passwords will be saved and every site will think it's the first time you ever visited it every time you visit it.

what is an authentication cookie

When you log into a website the site may return a cookie that identifies your user account and confirms that you have successfully logged in to the site. When you interact with the site it will use that cookie as confirmation that you are a logged-in user

what is a persistent cookie

are longer-term cookies that are tagged by the issuer with an expiration date. These cookies are stored by the browser even after the browser is closed. They are returned to the issuer every time you visit the site that issued the cookie or view a site that contains a resource (such as an ad) issued by the original cookie issuer. In this way, persistent cookies can track your activity not only on the site that issued the cookie but also on any site that includes a resource issued by the same site. This is the mechanism sites like Google and Facebook use to create a log of user activity across multiple websites. When you click "Remember Me" or a similar option when logging into an online account, a persistent cookie is used to store your login information on your browser. Due to the fact that persistent cookies stick around much longer than session cookies, and can theoretically track your activity over time at multiple sites, persistent cookies pose a greater risk than session cookies.

what is a session cookie

are temporary cookies stored in the browser's memory just until the browser is closed. These types of cookies pose less of a security risk and are used to power e-commerce shopping carts, to control the page elements shown to a user during a single multi-page visit to a website, and for other short-term storage purposes.

What is the type of a cookie

class HTTPCookieStorage : NSObject Each stored cookie is represented by an instance of the HTTPCookie class.

what is a server

computer that provides data to other computers.

what are third party cookies

cookies added by a domain that is not the domain you are currently visiting. The most common use of third-party cookies is to track users who click on advertisements and associate them with the referring domain. For example, when you click on an ad on a website, a third-party cookie is used to associate your traffic with the site where the ad appeared.

what are first party cookies

cookies created by the site you're currently visiting. For example, while on this site we use cookies for various purposes, such as making our host filtering feature work. The cookies we issue while you're visiting our site are first-party cookies.

what is a url prefix

everything that comes before the website address, like https://

T/F tokens are encrypted and signed

false, not encrypted, only signed The very important thing to note here is that this token is signed by the HMACSHA256 algorithm, and the header and payload are Base64URL encoded, it is not encrypted. If I go to jwt.io, paste this token and select the HMACSHA256 algorithm, I could decode the token and read its contents. Therefore, it should go without saying that sensitive data, such as passwords, should never be stored in the payload. If you must store sensitive data in the payload or your use case calls for the JWT to be obscured, you can use JSON Web Encryption (JWE). JWE allows you to encrypt the contents of a JWT so that it is not readable by anyone but the server. JOSE provides a great framework and different options for JWE and has SDKs for many popular frameworks including NodeJS and Java.

T/F URI is a specific type of URL

false, other way around

T/F You don't need to decode a URL for UIApplication to open it

false, you do

how to manage cookies on iOS for Safari (The Apple Search Browser)

opening the Settings app, scrolling down and selecting Safari, and then scrolling down until you see the Block cookies option. The Block cookies menu will display four options:

What is problem with custom URI schemes (prefixes)`

other apps can use the same prefixes, in a sense hijacking your links.

AASA Validator, what is it?

paste in your domain and check if it handles the universal links https://branch.io/resources/aasa-validator/

What is the Apple App Site Association File

file that lives on your website and associates your website domain with your native app. In other words, it's a safe way to prove domain ownership to iOS. With URI schemes, which were the standard way for opening apps on iOS until iOS 9, app developers could register any URI scheme of their liking and iOS, without any verification, would respond to those URI schemes by opening apps. For example, if an indie developer registers the fb:// URI scheme for a test app, there was nothing to stop that, even thoughfb:// is used by the Facebook native app. The AASA file makes Universal Links unique and secure because there is no way for an indie developer to host an AASA file on the facebook.com domain. Basically, it stores all the paths and the file is uploaded on the backend. the file name has to be apple-app-site-association and will contain json (although it does not have json extension). inside you put in bundle id's and list of paths for deeplinking within the app. on iOS 9+, you website needs to be https not http. if less than 9, encrypt the aasa file. in the capabilities tab, associated domains can be flipped on, and you can add to the list of entries (subdomain variations), and they all start with applinks: for example: applinks:www.wayfair.com You can get information about the URL from the userActivity: if let url = userActivity.webpageURL, userActivity.activityType == NSUserActivityTypeBrowsingWeb { var data = [ TrackingKeys.url: url.absoluteString ] let referrerURL = userActivity.referrerURL?.absoluteString ?? "AppLaunch" You can do this by using this app delegate function: func application(_ application: UIApplication, continue userActivity: NSUserActivity, restorationHandler: @escaping ([UIUserActivityRestoring]?) -> Void) -> Bool { return launchController.handle(userActivity: userActivity) }

how to get the bundle id of your app

head over to your Xcode project, select project and then the 'General' tab

A JSON Web Token is comprised of three parts:

header, payload, and signature

what to do when you create an AASA file

host it on your domain either at https://<<yourdomain>>/apple-app-site-association or at https://<<yourdomain>>/.well-known/apple-app-site-association.

what is a host

host name identifies the host that holds the resource. for example, www.example.com. a server provides services in the name of the host, but hosts and servers do not have a one to one mapping.

example of an application layer protocol

https

whats difference between http and https

https uses SSL, more secure

What is an encoded URL

https://www.w3schools.com/tags/ref_urlencode.ASP It's one in which there are HTML URL Encoding references like %3F, etc that represent characters.

What is a decoded URL

https://www.w3schools.com/tags/ref_urlencode.ASP It's one in which there are no HTML URL Encoding references like %3F.

how can a website know you've visited b4?

if you visit a website, the site may deliver a cookie identifying you as user X. If you leave the site and then return to it again, that cookie will be used by the website to recognize that you are the same user X that was at the site previously.

example of and internet layer protocol

ipv4, ipv6

In order to transmit data from one device to another, each device's hardware must support the same ____ layer protocol

link

what is an action for URL

method on a controller that handles incoming requests

when should you route to mweb?

only for failbacks. like a pdp doesn't exist on the app but it does on the web. If you have a user in an app, you want to keep them in the app and in that experience

what are privacy policy requirements

several countries, including the United States, the UK, Australia, and every country in the EU, require that you let users know what you're doing with their personal data. If you use cookies in any way to track user activity, including using analytics cookies to track visitor traffic, you are required by law to publish a privacy policy explaining what data you collect and how you use it.

what is an HTTP cookie

small bits of data stored as text files on a browser. Websites use those small bits of data to keep track of users and enable user-specific features. They enable core website functionality, such as e-commerce shopping carts, and are also used for more controversial purposes, such as tracking user activity.

what is a url

specific address to a webpage or file on the internet

what is https:// doing

specifies the protocol used to access the location

what is a protocol in terms of the internet

standard set of rules that allow electronic devices to communicate with each other. These rules include what type of data may be transmitted, what commands are used to send and receive data, and how data transfers are confirmed if two hardware devices support the same protocol, they can communicate with each other

difference between routes.json and aasa

the app site association file is what iOS reads when the app is installed to detect which URLs should and should not open the app at all. I think WF has everything open by default except for a number of paths that are blacklisted. the routes.json file was loaded by the app itself and if a url matches the regex in that file, then we try to see if the app can understand it. if the app can, then the url is opened by the app, otherwise its sent back to safari

what is the URL identifier key's value for your app

the bundle identifier that makes your app unique

what is the IP address or server name in a url typically

the name of the address that is familiar, like techterms.com

http://techterms.com/definition/url after the prefix and ip address, what is the rest

the path to the directory or file

whats the purpose of URI schemes

they allow our app the recognize and want to try to open that link in our app

why cant antivirus software protect against cookies

they are just text files, not software. they cannot be executed on your computer.

what is the FTC disclosure requirement

third-party tracking for the purpose of advertising and affiliate sales is one of the primary uses of HTTP cookies. If you're using cookies for this purpose, the FTC makes clear that you must let your site visitors know what you're doing.

t/f While custom URL schemes are an acceptable form of deep linking, universal links are strongly recommended as a best practice

true

t/f. In short, if you're going to use the web and allow your browser to accept cookies, you are being tracked, and now you know it.

true

T/F the cookie class is a singleton

true, class var shared: HTTPCookieStorage { get }

example of a transport layer protocol

udp, tcp

what is an ip address

unique identifier over a local or global network

What is a controller for URL

used to define and group a set of actions. Controllers provide a logical means of grouping similar actions together, allowing common sets of rules (e.g. routing, caching, authorization) to be applied collectively

what is the EU cookie law

what started out as an EU directive was later incorporated into law by every country in the EU. In short, the cookie law says that if you're based in the EU or target consumers in the EU you must get permission from users in order to use cookies. In particular, Let users know if they are using cookies Explain what data is gathered through the use of cookies and how that data is used, and Gather user consent to the use of cookies

what is a custom url scheme

you can open your app from other apps.

How do you add a new values (that have default key values) in a plist?

you click the + button in info.plist, choose one of the default keys, and then input values.

create an AASA file with multiple apps

{ "applinks": { "apps": [], "details": [ { "appID": "3XXXXX9M83.io.branch-labs.Branchster", "paths": [ "NOT /e/*", "*", "/", "/archives/201?/* ] }, { "appID": "3ZZZZZ9M94.io.branch-test.Branch", "paths": [ "NOT /e/*", "*", "/", "/archives/200?/* ] } ] } another example { "applinks": { "apps": [], "details": [{ "appID": "D3KQX62K1A.com.example.photoapp", "paths": ["/albums"] }, { "appID": "D3KQX62K1A.com.example.videoapp", "paths": ["/videos"] }] } } another one { "applinks": { "apps": [], "details": [ { "appID": "9JA89QQLNQ.com.apple.wwdc", "paths": [ "/wwdc/news/", "/videos/wwdc/2015/*"] }, { "appID": "ABCD1234.com.apple.wwdc", "paths": [ "*" ] } ] } }