-
使用 App Attest 保护你的 App
充分利用 App Attest 保护你的 App 免遭欺诈和未经授权的修改。探索攻击者如何利用修改后的 App 来伪造数据并绕过安全检查,以及 App Attest 如何防御这些威胁。了解如何生成和管理与安全隔区绑定的 App Attest 密钥,对证明和断言进行验证,并利用欺诈指标来检测滥用行为。探索适合各个 Apple 平台的最佳做法,包括 iOS 27 中助你加强验证的新信号。
章节
- 0:00 - Introduction
- 1:35 - Protections
- 4:04 - Availability
- 5:02 - Key generation
- 6:12 - Attestation
- 12:10 - Assertion
- 14:58 - Common pitfalls
- 16:27 - Fraud metric
- 19:07 - Next steps
资源
-
搜索此视频…
-
-
5:07 - Generate a Secure Enclave–bound key
import DeviceCheck let keyID = try await DCAppAttestService.shared.generateKey() -
6:32 - Attestation API
import DeviceCheck let keyId: String = ... let clientDataHash: Data = ... let attestation = try await DCAppAttestService.shared.attestKey(keyId: keyId, clientDataHash: clientDataHash) -
12:33 - Assertion API
import DeviceCheck let keyId: String = ... let clientDataHash: Data = ... let assertion = try await DCAppAttestService.shared.generateAssertion(keyId: String, clientDataHash: Data)
-
-
- 0:00 - Introduction
The threats App Attest is designed to address — modified copies of your app sending valid-looking requests to your server, such as falsified quiz submissions or injected game cheats.
- 1:35 - Protections
Verify genuine Apple hardware, detect app modifications, and secure payloads with assertions.
- 4:04 - Availability
Where App Attest is available, now including macOS 27 and all major platforms though not every app extension type, and how to gate usage with the isSupported API and treat unexpected unsupported responses as a fraud signal.
- 5:02 - Key generation
Create a Secure Enclave–bound key ID and store it in the keychain.
- 6:12 - Attestation
Request and validate attestations, including the macOS key access control property and new authenticator-data extensions.
- 12:10 - Assertion
Sign payloads with attested keys and validate the assertion counter on your server.
- 14:58 - Common pitfalls
Handle new keys for existing users, degrade gracefully on rejection, and assess risk before blocking.
- 16:27 - Fraud metric
The receipt-based fraud metric — an approximate 30-day count of unique attested keys on a device — and how it fits a risk profile to spot a compromised device acting as a broker.
- 19:07 - Next steps
Steps to adopt App Attest: rebuild against the latest SDKs, identify flows that benefit from attestations and assertions, set up your server to validate and track them, and fold the fraud metric into your risk pipeline.