This company which I'm working with wanted to have their IOS application in-house based rather than distributing over the general App store. So I built a simple html page with a button to download the application to user's iPhone. this button contains path to the ".plist" file
itms-services://?action=download-manifest&url=https://url-to-plist.plist
and inside the ".plist" we have the actual URL to the ".ipa" file.
.... <dict>
<key>kind</key>
<string>software-package</string>
<key>url</key>
<string>https://url-to-ipa.ipa</string>
</dict> ....
Everything's working fine and they've been using this for over an year now. But now their concern is that this ".ipa" file can be downloaded to the pc directly by getting the actual URL from the ".plist" file. Well if you right click on the button on that html page or "inspect elements" you can simply get the URL to the ".plist" file. Since this is an enterprise application, it contains some sensitive information such as company's server ip addresses and port numbers and they don't want anyone to have the ".ipa" file itself.
So first i tried to prevent access to this ".plist" file by blocking the extension and then by hiding the directory through web.config file
<security>
<requestFiltering>
<fileExtensions applyToWebDAV="false">
<add fileExtension=".plist" allowed="false" />
</fileExtensions>
</requestFiltering>
</security>
<security>
<requestFiltering>
<hiddenSegments>
<add segment="folderName"/>
</hiddenSegments>
</requestFiltering>
</security>
but in both events the download button also stopped working because iPhones are directly calling the ".plist" file by its URL not the directory path.
itms-services://?action=download-manifest&url=https://url-to-plist.plist
Other than that, my next solution would be to allow only Iphone users to access the page as in here so that it could minimize the problem.
What would be the correct approach? Is it possible to do what I'm trying to do here?