Is Android App Links possible to use with an internal-only website?


Background

My company has private, internal-only servers for our development environment. As we build this out, we're running into issues with app-site association verification in this environment.

Our assetlinks.json file is exactly the same as it was with Dynamic Links, and our app is now pointed to our internal-only server (e.g., app.internalserver.com). The device can get to that internal domain just fine on our network. When the device tries to verify the association after app install, it fails.

What I've tried

  1. Google's documentation mentions using this link to verify the file is set up correctly, but Google's servers obviously wouldn't be able to reach our internal server. Using that link fails as expected:

         https://digitalassetlinks.googleapis.com/v1/statements:list?source.web.site=https://domain.name:optional_port&relation=delegate_permission/common.handle_all_urls

         {
           "maxAge": "599.999999930s",
           "debugString": "********************* ERRORS *********************\n* Error: unavailable: Error fetching statements from https://app.internalserver.com./.well-known/assetlinks.json (which is equivalent to 'https://app.internalserver.com/.well-known/assetlinks.json'): DNS name not found [0] while fetching Web statements from https://app.internalserver.com./.well-known/assetlinks.json (which is equivalent to 'https://app.internalserver.com/.well-known/assetlinks.json') using download from the web (ID 1).\n",
           "errorCode": [
             "ERROR_CODE_FETCH_ERROR"
           ]
         }

  2. Checking the verification results on a device directly gave a generic error:

         % adb shell pm get-app-links {package name}
         {package name}:
             ID: 498b2db2-6819-4c2d-a1bc-32c5cf3c6d53
             Signatures: [76:4C:8D:AF:72:B3:14:59:82:37:63:8B:3D:DF:B1:B0:F4:7D:61:31:F2:00:02:57:75:AF:35:4F:34:80:77:D6]
             Domain verification state:
               app.internalserver.com: legacy_failure

  3. I confirmed that the certificate used is from a public Certificate Authority, not a self-signed CA. I also confirmed the HTTP response code is 200. I also verified the correct debug keystore hash is in the association file. Those are the only specific requirements I see on Google's documentation.

This all works fine with a public server.

The questions

Is there any confirmation that Google is proxying the call to get the association file themselves rather than the device directly? Apple does this so that they can cache the file in their CDN: https://app-site-association.cdn-apple.com/a/v1/app.internalserver.com (this also fails as expected with our current setup).

If so, is there any indication on things like IP range? Our networking team doesn't grant public access to servers in our development environment and is wanting to avoid opening this up to all the ranges assigned to Google if at all possible.

Any other thoughts on how this could work with non-public servers? This documentation mentions to not publicly release builds with URLs "that may not be accessible to the public" unless you're making private build variants, which we are doing. That comment implies it should work with private servers.

3
Jul 9 at 8:48 PM
Jay Whitsitt
#android #applinks

No answer found for this question yet.
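
An offline cross-check of the two artifacts the question relies on, as an added example that is not part of the original post: it parses `pm get-app-links` output in the format shown above and tests whether an `assetlinks.json` body contains a statement matching the package and the installed signing fingerprint. The package name `com.example.app`, the fingerprint and both sample inputs are constructed; the code checks file content only and does not reproduce Android's verifier or its network path.

```python
import json
import re

RELATION = "delegate_permission/common.handle_all_urls"

def parse_app_links(output):
    """Parse `pm get-app-links` text into (fingerprints, {domain: state})."""
    sigs = re.search(r"Signatures:\s*\[([^\]]*)\]", output)
    raw = sigs.group(1).split(",") if sigs else []
    fingerprints = {s.strip().upper() for s in raw if s.strip()}
    states, in_states = {}, False
    for line in output.splitlines():
        if line.strip() == "Domain verification state:":
            in_states = True
        elif in_states and ":" in line:
            domain, state = line.strip().rsplit(":", 1)
            states[domain.strip()] = state.strip()
    return fingerprints, states

def check_statements(assetlinks_text, package, fingerprints):
    """Return a list of problems; an empty list means a matching statement exists."""
    try:
        statements = json.loads(assetlinks_text)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(statements, list):
        return ["top level must be a JSON array of statements"]
    problems = []
    for st in statements:
        target = st.get("target", {}) if isinstance(st, dict) else {}
        if target.get("namespace") != "android_app" or target.get("package_name") != package:
            continue
        if RELATION not in st.get("relation", []):
            problems.append(f"statement for {package} lacks relation {RELATION}")
            continue
        listed = {f.upper() for f in target.get("sha256_cert_fingerprints", [])}
        if listed & fingerprints:
            return []
        problems.append("no listed fingerprint matches the installed signing certificate")
    return problems or [f"no android_app statement for package {package}"]

# Constructed sample data (not taken from the post).
FP = ":".join(["AB"] * 32)
SAMPLE_PM = (f"com.example.app:\n    Signatures: [{FP}]\n"
             "    Domain verification state:\n      app.internalserver.com: legacy_failure\n")
SAMPLE_ASSETLINKS = json.dumps([{"relation": [RELATION], "target": {
    "namespace": "android_app", "package_name": "com.example.app",
    "sha256_cert_fingerprints": [FP]}}])
```

An empty list from `check_statements` alongside a failing domain state means the file content is consistent with the installed build, which narrows the failure to how the file is being fetched rather than what it contains.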