App Attest


Validate the integrity of your app before your server provides access to sensitive data.

App Attest Documentation

Posts under App Attest tag

20 Posts
Post not yet marked as solved
3 Replies
319 Views
Dear Experts, I have App Attest deployed in an app that is currently in TestFlight. It works OK most of the time. For one particular user, however, attestKey fails with DCErrorInvalidKey for a new key that it has just created. I have some insight into what the app is doing because I send diagnostics to the server. It seems that for this user, the sequence of events is:
1. Initially the app has no key ID saved.
2. The user initiates an action that requires App Attest-signed communication with my server.
3. The app calls generateKey which seems to succeed.
4. The app fetches a challenge from the server.
5. The app calls attestKey.
6. attestKey returns DCErrorInvalidKey.
7. The app doesn't save the key ID persistently, so next time the same thing happens.
attestKey really shouldn't fail with the invalid key error for a key that it has just created, should it? What could be going on here?
Posted
by endecotp.
Post not yet marked as solved
2 Replies
102 Views
Hello, I'm developing a server that uses the app attestation feature. During development, I found behavior that is not written in the document, and I would like to inquire about it.
1. When does the Apple server return 404 for a risk metric refresh request? A month after the attestation, the receipt is not past its expiration time, but 404 is returned from the Apple server when I try to refresh. And this receipt succeeded in refreshing the risk metric normally if the attestation proceeds again. This behavior is not in the document, but I wonder if it is intended.
2. Is there a case where an attestation has occurred but the risk metric value does not increase? I found a case where attestation occurred twice on one device, but when both receipts were refreshed, the risk metric returned 1. Is this an expected behavior? If it is, I would like to know the detailed conditions under which it occurs.
Thank you.
Posted
by gbgwon.
Post not yet marked as solved
1 Replies
228 Views
Hello, I am creating this post to ask if there is any plan for bringing the Attestation Service support for macOS or any plans for supporting it in macOS. We implemented it in iOS and it increased the security for our users and partners, but we are evaluating deprecating macOS and keeping only Windows and Linux because of this restriction on the Attestation Service... If you recommend any other provider to attest the device, please bring me some recommendations.
Post not yet marked as solved
3 Replies
435 Views
A lot of our customers experienced failed App attest and always return error "DCErrorInvalidKey 3" invalidKey error on these iOS versions:
16.7.2 - iPhone 8
17.1.1, 17.1.2 - iPhone X, iPhone XS, iPhone XR, iPhone SE 2. iPhone 12, iPhone 12 Pro, iPhone 12 Pro Ma
Posted
by mjred.
Post not yet marked as solved
0 Replies
288 Views
I am seeing DCErrorInvalidInput returned from DCAppAttestService generateAssertion: in production. Can anyone suggest what might cause this, and what I should do in response? The documentation says of this error code: "An error code that indicates when your app provides data that isn’t formatted correctly." The only input to the method is the key ID and the data hash. I generate the hash with CC_SHA256() and then put the bytes in an NSData. I don't think much can go wrong with that, though I can't see exactly what is being passed in my diagnostics. There is another error response, DCErrorInvalidKey, which I handle separately. I am wondering if problems with the key ID are being reported as "invalid input" rather than "invalid key". I can see the key ID in my diagnostics and it looks legitimate, i.e. it's 32 random-looking bytes, base64-encoded. Suggestions anyone?
Posted
by endecotp.
Post not yet marked as solved
5 Replies
401 Views
I'm using App Attest and the endpoint mentioned here to receive receipts with a fraud metric from Apple on my server. However, I've so far been unable to decode the receipts sent by Apple's server. Can anyone point to an implementation in JavaScript/TypeScript? In general, it's been very difficult to implement App Attest on the server due to the lack of reference implementations provided by Apple.
Post not yet marked as solved
1 Replies
405 Views
Hi, App Attestation API "attestKey(_:clientDataHash:completionHandler:)" returns "DCErrorInvalidKey 3" for some of the users. We have checked the first reason, whether the generated key has already been attested: we are generating a new key and challenge every time. Could you please provide more details regarding the second reason, "The App Attest service rejects the key."? https://developer.apple.com/documentation/devicecheck/dcerror/3585177-invalidkey
Posted
by mahashis.
Post not yet marked as solved
3 Replies
593 Views
I'm trying to verify attestations from Apple devices on my server, and I'm finding it difficult to implement some of the steps outlined here. This is the current state of my implementation. I'm stuck on the step where the credCert extension is decoded and compared with the nonce. I'd be grateful for any help anyone can provide.
Post not yet marked as solved
3 Replies
2.5k Views
Hi, We have a multi-platform application that requires integrity attestation before the backend will enable supporting services (fairly common scenario). I've read the documentation for DeviceCheck and AppAttest, as well as SafetyNet on the Android side. The Android documentation includes lots of examples of use, including server-side (though oddly in C# and Javascript... which I don't see as being server-side languages, but... oh, well). Anyway, maybe there's a server-side example of using an application attestation on the server when validating a client, as well as validating individual requests with assertions, but I've not been able to find it. It seems like a relatively important bit of functionality to ensure that apps aren't being compromised, while at the same time requiring a correct implementation... Why not give a reference implementation as a starting point to make sure developers are on the right path? Can anyone point me at an example as a Gist, etc? Thanks.
Posted
by PhilipTP.
Post not yet marked as solved
0 Replies
442 Views
Hello everyone, I am using Apple's DeviceCheck API in my Swift application, which will check if the device is registered on Apple's server or not, and based on the bits I have set I am updating the values in my own database. These values will help me to differentiate the new devices through which the users are getting logged in to my application, and I will give them some digital reward points to use my application on their new devices. Everything is working fine for me in the development environment, as I get the right response when I am using the development API, i.e. https://api.development.devicecheck.apple.com, but it does not work as intended when I am using the production API, i.e. https://api.devicecheck.apple.com/
Post not yet marked as solved
2 Replies
613 Views
Hi, App Attestation API "attest key" returns "DCErrorInvalidKey 3" in iOS 17 beta with these parameters keyId: "IAeivHRAmm8gDFuNfRbRGAt4n7AuJ1msWEgdMUGHEV8=" and challenge: "9132b01acd5d416369382950be1f421e" tried on device model: XSMax. Note: I tried same challenge on another phone and it works fine.
Posted
by Israa.
Post not yet marked as solved
5 Replies
993 Views
Hello, for some reason all implemented (and working before) App Attestation code stopped working. iOS is unable to get attestation returning com.apple.devicecheck.error error 4. (serverUnavailable). On https://developer.apple.com/system-status/ I can see green dot but I suspect that infrastructure is not OK. Can anyone confirm these problems or know whether it is strictly connected to App Attest service availability? I just don't want to look for a problem in code for hours when it can lay in 3rd party...
Posted
by Heps.
Post not yet marked as solved
4 Replies
837 Views
I've been getting 500 error responses from the https://data.appattest.apple.com/v1/attestationData server for the last few hours. About half of requests complete OK and half fail. Anyone else seeing this?
Posted
by endecotp.
Post not yet marked as solved
0 Replies
672 Views
Hello. When running the app with AppAttest on the simulator, I get false when executing DCAppAttestService.shared.isSupported. How can I get approval and test the framework locally? Is it possible?
Posted
by __Artem__.
Post not yet marked as solved
1 Replies
782 Views
Dear All, I have working code that talks to the App Attest receipt refresh API using JWT authorization. I'm now trying to talk to the App Store Connect API, and I'm trying to use essentially the same code for the JWT generation - but it doesn't work. It's frustrating that the API just returns a non-specific 401 "Not Authorized" response, without giving any further clue about what's wrong. I am creating a JWT as follows for App Store Connect; yes I'm aware that the required fields are slightly different for the two APIs:

    header = {"alg":"ES256","kid":"12345YZSX8","typ":"JWT"}
    payload = {"iss":"1234567-1234-1234-1234-123456789012","iat":1687379230,"exp":1687379530,"aud":"appstoreconnect-v1"}

Using the resulting encoded token, with my own code or with curl, fails with a 401 error:

    Status: 401
    {
      "errors": [{
        "status": "401",
        "code": "NOT_AUTHORIZED",
        "title": "Authentication credentials are missing or invalid.",
        "detail": "Provide a properly configured and signed bearer token, and make sure that it has not expired. Learn more about Generating Tokens for API Requests https://developer.apple.com/go/?id=api-generating-tokens"
      }]
    }

Doing essentially the same thing, with the slightly different JSON fields and a different .p8 key file, does work with the App Attest API - so I'm probably not creating complete garbage. I've wasted hours on this now. Does anyone have any debugging hints?
Posted
by endecotp.
Post not yet marked as solved
0 Replies
704 Views
I'm trying to prevent my App from running on jailbroken devices. For React Native apps, there is Firebase App Check, which integrates with App Attest and DeviceCheck. I wonder, is App Attest with DeviceCheck able to detect that my App is running on a jailbroken device? I see other posts about jailbreaking on this forum, but they are mostly (or perhaps all of them) older than DeviceCheck. Which is why I'm repeating the question but asking specifically about DeviceCheck and App Attest.
Posted
by dmelo.
Post not yet marked as solved
0 Replies
651 Views
Hi! I'm generating assertions using DCAppAttestService.shared.generateAssertion. It's been running for almost one and a half years and has the following issue. Approx 6% of our users trying to generate assertions have issues, and according to our analytics about half of them have an invalid_input error during the assertion process. I've managed to reproduce this issue on a test device and noticed a weird scenario:

(first app run)
- The AppAttest key generated and attested at Apple side successfully. Key Identifier persisted.
- Attestation object verification on backend and public key extraction is ok
- Unlimited number of assertions can be generated this time

(second app run)
- Key Identifier persisted on previous app run is read and passed to DCAppAttestService.shared.generateAssertion
- Invalid input error received.
- Regeneration of key and attestation works fine.

So it looks like there is a kinda state in the assertion process - it works well after key generation on first run, but fails with invalid_input on second run. As the invalid_input error cannot say much about the issue, I've swizzled some methods of DCAppAttestService (https://developer.limneos.net/index.php?ios=15.2.1&framework=DeviceCheck.framework&header=DCAppAttestService.h) - _rewrapAsDCError, _loadAppUUID, _saveAppUUID. Swizzling implementation attached (swizzling.swift). As the swizzling logs show - when invalid_input is raised, a strange error is printed (Error Domain=com.apple.appattest.error Code=-2 "Invalid appUUID" UserInfo={NSLocalizedDescription=Invalid appUUID}). What can be the issue? In another app this behaviour isn't reproducible, but they share a similar dependency with App Attest wrapping logic. I've filed bug report no. FB12205670. Thanks.
Logs:

    ok case:
    key generation:
    swizzleLoadAppID
    swizzleSaveAppID EDA165DC-0781-4891-A16D-0979FC4FEB84
    swizzleRewrap
    key attestation: (key_id: "XzTjW3V7944\/ljQ2C8LTpqug0t0gslVyhdWGUCnJXfY=")
    swizzleLoadAppID EDA165DC-0781-4891-A16D-0979FC4FEB84
    swizzleRewrap
    key assertion: (input key_id = "XzTjW3V7944\/ljQ2C8LTpqug0t0gslVyhdWGUCnJXfY=" clientDataHash = "zUwl\/jiunewwd1ofhEOmgNGWM+oD7LmUGe6Te5Iv9pc=")
    swizzleLoadAppID EDA165DC-0781-4891-A16D-0979FC4FEB84
    swizzleRewrap

    issue case (DCError.invalid_input):
    key assertion: (input key_id = "XzTjW3V7944\/ljQ2C8LTpqug0t0gslVyhdWGUCnJXfY=" clientDataHash = "F8o5i+8PsZ5cTuyjlZoMe+kcbTG0\/R8Vw6tmjPlzlLc=")
    swizzleLoadAppID
    swizzleRewrap Error Domain=com.apple.appattest.error Code=-2 "Invalid appUUID" UserInfo={NSLocalizedDescription=Invalid appUUID}

Swizzling logic:

    import DeviceCheck
    import ObjectiveC

    extension DCAppAttestService {
        // After method_exchangeImplementations, calling the swizzle* name
        // from inside its own body invokes the original private method.
        @objc func swizzleRewrap(obj: NSObject) -> NSObject {
            let returnValue = swizzleRewrap(obj: obj)
            print("swizzleRewrap \(obj)")
            return returnValue
        }

        @objc func swizzleLoadAppID() -> NSObject {
            let returnValue = swizzleLoadAppID()
            print("swizzleLoadAppID \(returnValue.debugDescription)")
            return returnValue
        }

        @objc func swizzleSaveAppID(app_id: NSObject) {
            swizzleSaveAppID(app_id: app_id)
            print("swizzleSaveAppID \(app_id)")
        }

        // Installs the three logging hooks on the private selectors.
        static func makeSwizzling() {
            let sel = NSSelectorFromString("_rewrapAsDCError:")
            DCAppAttestService.swizzleInstanceMethod(sel, #selector(DCAppAttestService.swizzleRewrap(obj:)))
            let sel1 = NSSelectorFromString("_loadAppUUID")
            DCAppAttestService.swizzleInstanceMethod(sel1, #selector(DCAppAttestService.swizzleLoadAppID))
            let sel2 = NSSelectorFromString("_saveAppUUID:")
            DCAppAttestService.swizzleInstanceMethod(sel2, #selector(DCAppAttestService.swizzleSaveAppID(app_id:)))
        }
    }

    public extension NSObjectProtocol {
        // Exchanges the two implementations only if both methods exist.
        static func swizzleInstanceMethod(_ origin: Selector, _ replace: Selector) {
            let origin = class_getInstanceMethod(self, origin)
            let replace = class_getInstanceMethod(self, replace)
            if let origin = origin, let replace = replace {
                method_exchangeImplementations(origin, replace)
            }
        }
    }
Posted
by beetlab.