DeviceCheck

RSS for tag

Access per-device, per-developer data that your associated server can use in its business logic using DeviceCheck.

DeviceCheck Documentation

Posts under DeviceCheck tag

25 results found
Sort by:
Post not yet marked as solved
34 Views

Why my site is not responsive on ios devices?

I just placed a test where I've tested my site on different platforms. It's doing well on Andriod devices but not showing responsiveness on ios devices. What are the possible reasons for this???
Asked
by subflow.
Last updated
.
Post not yet marked as solved
61 Views

Apple device reset popup doesn't appear for automatic renewal enabled accounts

Hi! We have enabled automatic renewal for apple developer account of our company. Today is our renewal date and it was renewed already. But the device reset popup doesn't show up yet. Can anyone help me with this? We have already exceeded our registered device limit and we have to wait another year for device resetting otherwise. Thanks!
Asked Last updated
.
Post not yet marked as solved
76 Views

Limits and quotas on DeviceCheck / AppAttest APIs

Hello, I would simply like to know where i can find the information regarding the quotas and limits for using DeviceCheck / AppAttest APIs please. Thanks
Asked
by tomtom1.
Last updated
.
Post marked as solved
216 Views

How does Apple certify the keys and queries of an application using App Attest?

Hello, I've already made a previous similar post but it's getting a bit old so I'm re-launching it. I am currently developing an iOS application using AppCheck with AppAttest. I have read Apple's documentation on AppAttest to understand how it works. However, there is a part I didn't understand. When the public key is to be shared, Apple will create a certificate to attest that this public key belongs to an official instance of my application. Here is what it says about this verification on the official website : How does the Apple server identify that the key comes from an official instance of my application ? I can also rephrase my question as follows: How does the apple server detect an unofficial instance of my application if the data it receives for this check comes from it directly (I assume and I am probably wrong) and can therefore be falsified ? Is this a secret process to which I cannot have access, this answer would also suit me ? Thanks for your attention !
Asked
by Sheezen.
Last updated
.
Post not yet marked as solved
669 Views

DeviceCheck(iOS 11+) Vs AppAttest(iOS 14+)

We see appAttest (available iOS 14+) provides us 3 key features: if app instance is not modified, device is genuine apple device and payload is not tempered with. We also have deviceCheck Api (iOS 11+) which return 2 bits per device, as mentioned in documentation we can create different payloads for validation and different for updating the 2 bits. Apart from returning those bits in validation request, does this DeviceCheck APIs also validate 2 of the 3 above features i.e. app is not modified and the device is genuine apple device? If yes, what response from apple server to look for in successful validation of above 2 features and what response to look for in fraud cases or failure cases? Does isSupported in case of DCDevice.current hints the device is a simulator ? Can we get exhaustive list of cases where isSupported is false? Does DCDevice.current.generateToken fails only in case of modified app instance? Can we get exhaustive list of cases where above can throw error? Can modified app instance also able to generateToken?
Asked Last updated
.
Post not yet marked as solved
136 Views

Determining development/production environment for DeviceCheck

Is there a recommended way to determine whether to use the development or the production server API endpoint for DeviceCheck? For App Attest, the authenticator data includes either "appattest" or "appattestdevelop" in a field of the cbor data. For IAPs, we're supposed to try the production endpoint and then retry with the development endpoint if we get a particular HTTP status code. But the docs for DeviceCheck say only to use the development endpoint in development and the production endpoint in production. What are others doing? Is there any clue in the docs that I have missed?
Asked
by endecotp.
Last updated
.
Post not yet marked as solved
154 Views

Reusing the same key across multiple users on a device

According to documentation, the guideline is as follows - "Don’t reuse a key among multiple users on a device because this weakens security protections. In particular, it becomes hard to detect an attack that uses a single compromised device to serve multiple remote users running a compromised version of your app." This can be addressed if we keep a tally of how many users have used the same key pair? If we see a single key pair in use across say 500 users, it's clearly an instance of compromised device. Are there other security reasons why binding a key to device + user is the recommended practice?
Asked Last updated
.
Post not yet marked as solved
1.8k Views

Having issue with device check on iOS 14.x

Hello, I have problem with DeviceCheck framework on iOS 14. On some devices with version, 14.x attestation doesn't work properly. In response, I get 400 error code and Missing or incorrectly formatted device token payload. This is very weird because this reproduces on a small group of devices and device after hard reset works fine.
Asked Last updated
.
Post not yet marked as solved
158 Views

DeviceCheck for Enterprise Account

Apple team, I need your help. Can you answer for my question in thread: https://developer.apple.com/forums/thread/701876 ? I created new thread due to I wasn't able to add tag wwdc21-10244 in thread 701876.
Asked
by Fman.
Last updated
.
Post not yet marked as solved
259 Views

DeviceCheck for Enterprise Account

Hi, I'm trying to validate device token generated on app which is signed by Enterprise account. I generate deviceToken on device I send the token to our backend Our backend creates JWT token The backend calls validate_device_token endpoint and receives 401 The authentication token can't be verified I've seen many implementations on the internet and I'm pretty sure that we generate the token in correct way. (eg implementation: https://github.com/marinosoftware/DeviceCheckSample) The Questions are: Is it possible to use DeviceCheck on Enterprise Account ? There is no possibility to enable DeviceCheck on Enterprise account is APNs key configuration: https://developer.apple.com/account/resources/authkeys/list. Is this configuration required ? Is there is a way to validate signature of JWT token locally ? Services such as https://jwt.io requires Public and Private keys in correct format, I didn't find a way to validate the signature signed by p8 certificate without any additional keys.
Asked
by Fman.
Last updated
.
Post not yet marked as solved
240 Views

DCAppAttestService generateAssertion invalidInput

Hi! Sometimes when calling DCAppAttestService.shared.generateAssertion(key.id, clientDataHash: hash) I'm getting DCError.Code.invalidInput. I am formatting clientDataHash usingSHA256.hash - so it is always 32 bytes long. As I found out - this error depends on hash that I pass to generateAssertion method. But I could not find any system - which hashes are good and which are not. Keys are always correct, otherwise invalidKey error would be risen. What can cause the issue? I'm testing on iPhone 11, iOS 15.2.1
Asked
by beetlab.
Last updated
.
Post not yet marked as solved
169 Views

Missing or badly formatted authorization token

Always get this error during device token validation. Are there any ideas why it's happening? Here is the snipped of the code below I use for JWT generation. import time import jwt private_key = """-----BEGIN PRIVATE KEY----- mykey -----END PRIVATE KEY-----""" data = { "iss": "my_team_id", "iat": int(time.time()), } headers = { "kid": "my_key_id", } jwt_token = jwt.encode( payload=data, key=private_key, algorithm="ES256", headers=headers ) print(jwt_token)
Asked Last updated
.
Post not yet marked as solved
641 Views

Reference example of AppTest server-side implementation

Hi, We have a multi-platform application that requires integrity attestation before the backend will enable supporting services (fairly common scenario). I've read the documentation for DeviceCheck and AppAttest, as well as SafetyNet on the Android side. The Android documentation includes lots of examples of use, including server-side (though oddly in C# and Javascript... which I don't see as being server-side languages, but... oh, well). Anyway, maybe there's a server-side example of using an application attestation on the server when validating a client, as well as validating individual requests with assertions, but I've not been able to find it. It seems like a relatively important bit of functionality to ensure that apps aren't being compromised, while at the same time requiring a correct implementation... Why not give a reference implementation as a starting point to make sure developers are on the right path? Can anyone point me at an example as a Gist, etc? Thanks.
Asked
by PhilipTP.
Last updated
.
Post not yet marked as solved
261 Views

Socket - web server problems

I have a webserver developed from scratch in Microsoft visual c ++ 2019. I use only c/c++, when I receive the request, I process it and build a response that I send to the client. I use my iPhone (13 pro with iOS 15.2). Case 1: I am connected to a local wi-fi, I type the server address (local address or external address by port forwarding), it receives 'get / http ...' and 'get / other resources' through 3-4 simultaneous connections and responds with the content of the requested page. The connections remain stable and I can navigate further through the site, opening other pages without any problems. iPhone send requests and my server respond. everything works fine. Case 2: I am connected only to the telephone operator (4G Vodafone), I type the external server address, it receives 'get / http ...' and 'get / other resources' through 3-4 simultaneous connections and responds with the content of the requested page. (just once, only first page). After that, the connections disappear and I can no longer browse the site (because I lose the session ID and other credentials). **In fact, the iPhone, after receiving what it requested, sends many null buffers and my server disconnects all sockets immediately. is something to do with WSAENOBUF, but I don't know what.   ** Why this dual behavior. How can I solve this situation? Thank you very much.
Asked
by Catalin1.
Last updated
.
Post not yet marked as solved
257 Views

DeviceCheck tokens lifetime

Hi! We are using Device Check tokens to prove that HTTP request comes from iOS device. We found out that both envs - prod and sandbox doesn't limit token lifetime v1/validate_device_token always return true and can be reused for a long period of time per one DCDevice token. v1/update_two_bits also can be reused unlimited number of times per one token (didn't measure the exact number) Is it true - that lifetime of token generated via DCDevice.generateToken isn't short (minutes) and we should build our own infrastructure to prevent replay attacks?
Asked
by beetlab.
Last updated
.