This topic describes the causes of and solutions to the issue that the ApkDownloadForbidden error code is returned when you access an object.
Problem description
If you access objects whose names contain the .apk or .ipa extension or objects whose MIME type (the content-type response header) is application/vnd.android.package-archive
or application/iphone
in a bucket anonymously or by using object URLs that contain the public domain name (format: bucketname.oss-[region].aliyuncs.com
) or OSS-accelerated endpoints (format: bucketname.oss-accelerate.aliyuncs.com
or bucketname.oss-accelerate-overseas.aliyuncs.com
), the requests are denied. The HTTP status code 400 and the ApkDownloadForbidden
error code are returned.
Causes
To enhance data security, requests to access the following types of objects anonymously or by using object URLs are blocked if one of the following conditions is met:
You use the public domain name of a bucket that is created on or after 00:00:00 (UTC+8) on August 15, 2023 to access objects whose names contain the .apk or .ipa extension in the bucket.
You use OSS-accelerated domain names to access objects whose names contain the .apk or .ipa extension in a bucket for which the transfer acceleration feature is enabled on or after 00:00:00 (UTC+8) on August 15, 2023.
You use the public domain name of a bucket created on or after 00:00:00 (UTC+8) on August 5, 2024 to access objects whose MIME type (the content-type response header) is
application/vnd.android.package-archive
orapplication/iphone
in the bucket.You use OSS-accelerated domain names to access objects whose MIME type (the content-type response header) is
application/vnd.android.package-archive
orapplication/iphone
in a bucket for which the transfer acceleration feature is enabled on or after 00:00:00 (UTC+8) on August 5, 2024.
Solutions
Use custom domain names to access objects whose names contain the .apk or .ipa extension or objects whose MIME type (the content-type response header) is application/vnd.android.package-archive
or application/iphone
in the bucket. For more information, see Map a custom domain name to the default domain name of a bucket.
Appendix
The following table describes the types of domain names or methods that you can use to access objects whose names contain specific extensions or objects of specific MIME types in buckets created at a specific point in time or buckets for which the transfer acceleration feature is enabled at a specific point in time.
Object type | Date | Access mode |
Objects whose names contain the .apk or .ipa extension | Buckets created before 00:00:00 (UTC+8) on August 15, 2023 | Public domain names |
Buckets for which the transfer acceleration feature is enabled before 00:00:00 (UTC+8) on August 15, 2023 | OSS-accelerated domain names | |
Buckets created at any time | Internal domain names | |
Custom domain names | ||
Include a signature in the Authorization header | ||
Origin fetch from an OSS bucket by Alibaba Cloud CDN (an OSS bucket is used as the origin server) | ||
Objects whose MIME type (the content-type response header) is | Buckets created before 00:00:00 (UTC+8) on August 5, 2024 | Public domain names |
Buckets for which the transfer acceleration feature is enabled before 00:00:00 (UTC+8) on August 5, 2024 | OSS-accelerated domain names | |
Buckets created at any time | Internal domain names | |
Custom domain names | ||
Include a signature in the Authorization header | ||
Origin fetch from an OSS bucket by Alibaba Cloud CDN (an OSS bucket is used as the origin server) |