What security is there for associated domains specified in an app?

Hello, if an associated domain is specified for an app (for example, the URL of a server that services an app extension for text spam filtering), then what is there in place to stop somebody with malicious intentions from obtaining that URL from the .plist/.entitlements file of the app and doing something with that URL, such as a denial of service attack or whatever?

Answered by DTS Engineer in 816797022

When you associate a domain with your app, that domain is baked into your app’s binary. While inspecting an app’s binary isn’t trivial, it’s certainly possible, and you should set up your server infrastructure based on that assumption.

Having said that, this feature requires that your server be on the public Internet and, given that, you need to set it up with appropriate protections anyway. Bad actors don’t need to look at your app to find your server.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello, are there any possibilities for using shared web credentials for some form of authentication?

P.S. The domain is in the info.plist, isn't that easily inspectable?

The domain is in the info.plist, isn't that easily inspectable?

It depends on how you define “easily”. It’s safe to say that anyone with the skills to attack your server will also have the skills required to do this, which is why I recommended that you assume that these details are not secret.

are there any possibilities for using shared web credentials for some form of authentication?

Sure. But that’s a different issue than the one you’ve been asking about here. In this thread you’re asking about the security of your app running on the device. That’s different from SWC, which is about authenticating users.

If you have a user account system then you have many more options for securing your server.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
