Hello everyone, I am using Apple's DeviceCheck API in my Swift application which will check if the device is registered on Apple's server or not and based on the bits I have set I am updating the values in my own database. These values will help me to differentiate the new devices through which the users are getting logged in to my application and I will give them some digital reward poits to use my application on their new devices. Everything is working fine for me in the development environment as I get the right response when I am using the development API i.e. https://api.development.devicecheck.apple.com but it do not work as intended when I am using the production API i.e. https://api.devicecheck.apple.com/

Hi we are developing a appattestation devicecheck feature . we would like to is there a limit on creating a DCAppAttestService.generateKey() ? what happens to the cryptographic key in the Secure Enclave that already created when we call the DCAppAttestService.generateKey() again . Does it overrides the old keypair OR does it create a new key always

I have a question regarding the usage of the DeviceCheck API. We have been using https://api.development.devicecheck.apple.com/v1/validate_device_token for checking device tokens. However, we encountered frequent HTTP response status code 403 between 16:50 and 17:15 Japan time on June 29th. According to the official documentation at https://developer.apple.com/documentation/devicecheck/accessing_and_modifying_per-device_data, I understand that a 403 error indicates "The specified action isn't allowed". Yet, I would like to clarify under what specific circumstances this error would be returned. Please note that we do not encounter a 403 error outside the aforementioned timeframe, which leads us to believe there is no issue with our basic implementation.

How to uniquely identify the device to prevent fraudulent activity in any financial Apps? since UUID also gets changed on every installation, is there any option to track the device like how it is done with IMEI number ? Note: Our App is targeted for normal Appstore users.

HI, Since more than a Month i am trying to solve the issue. Issue is as under Developer program end dates on apple developer account / app and in mac book's setting> manage subscription are different. In developer application not showing renew button. When i am trying to renew from mac book manage subscription option (When wrong date is mentioned) Its giving an error that could not purchase subscription. I got 7 days extension from apple and my corrected date (in apple account on website) got properly extended. Please solve this issue on priority. I am attaching screenshots for your reference.

I have observed few users if their OS upgrades than the DeviceCheck generateAssertion API fails. Is it expected that we need to attest/register new key id iOS version is updated ?

There seem to be an issue with the DeviceCheck Framework where in rare cases the public key (ECC P-256) embedded inside the attestation object returned from DCAppAttestService.attestKey(_:clientDataHash:completionHandler:) has X and Y coordinates with mismatching length. Sometimes X or Y has 31 bytes instead of the expected 32 bytes. This can easily be reproduced by generating and attesting multiple keys using DCAppAttestService.generateKey(completionHandler:) and DCAppAttestService.attestKey(_:clientDataHash:completionHandler:). Every now and then the public key embedded inside the attestation object has X and Y coordinates with mismatching length (number of bytes). Added a Swift snippet at the bottom that shows example on how to generate and detect this. I would expect the ECC P-256 public key X and Y coordinates to always be 32 bytes long. As mentioned in the Web Authentication spec for example. I've attached an example attestation object (in base64 encoded CBOR) that has an embedded public key with mismatching X and Y coordinate length (Y is 31 bits, and not the expected 32 bits). The file was generated using the Swift snippet below. The snippet was built using Xcode 14.3 (14E222b) and ran on iPhone XR with iOS 15.7.1 (19H117). A feedback ticket has also been submitted regarding this issue: FB12235865 Swift snippet to generate and check attestation objects: import DeviceCheck import CryptoKit import SwiftCBOR // https://github.com/valpackett/SwiftCBOR ​ func generateAttestationObjects() { for i in 0..<1000 { DispatchQueue.main.asyncAfter(deadline: .now() + TimeInterval(i)) { DCAppAttestService.shared.generateKey { keyId, error in guard let keyId else { print("\(i): Failed to generate key: \(error)") return } ​ print("\(i): Generated keyId: \(keyId)") ​ DCAppAttestService.shared.attestKey( keyId, clientDataHash: Data(hex: "01020304")! ) { attestationObject, error in guard let attestationObject else { print("\(i): Failed to get attestation: \(error)") return } ​ do { let attestationObjectBytes = [UInt8](attestationObject) ​ if case let .map(decodedAttestationObject) = try CBOR.decode(attestationObjectBytes) { print("\(i): Successfully decoded Attestation object (CBOR)") ​ if case let .byteString(authData) = decodedAttestationObject["authData"] { ​ let attestedCredentialData = [UInt8](authData.dropFirst(37)) ​ let credentialIdLengthBuffer = [UInt8](attestedCredentialData[16..<18]) let credentialIdLength = Int(credentialIdLengthBuffer.reversed().withUnsafeBytes { $0.load(as: UInt16.self) }) let credentialId = [UInt8](attestedCredentialData[18..<(18 + credentialIdLength)]) let credentialPublicKeyBuffer = [UInt8](attestedCredentialData.dropFirst(18 + credentialIdLength)) ​ if let decodedCredentialPublicKey = try CBOR.decode(credentialPublicKeyBuffer) { ​ if case let .byteString(xCoordinateBuffer) = decodedCredentialPublicKey[-2], case let .byteString(yCoordinateBuffer) = decodedCredentialPublicKey[-3] { let xCoordinateLength = xCoordinateBuffer.count let yCoordinateLength = yCoordinateBuffer.count ​ if xCoordinateLength != yCoordinateLength { print("\(i): X/Y Coordinate length mismatch! X: \(xCoordinateLength), Y: \(yCoordinateLength)") } else if xCoordinateLength != 32 || yCoordinateLength != 32 { print("\(i): X/Y Coordinate length mismatch! X: \(xCoordinateLength), Y: \(yCoordinateLength)") } else { print("\(i): X/Y Coordinates OK") } } } } } } catch { print("\(i): Error decoding Attestation object (CBOR): \(error)") } } } } } } An attestation object with a embedded public key with mismatching X and Y coordinate length (base64 encoded CBOR): appattest-object-mismatching-x-y-base64.txt

Is it possible to clear out the existing DeviceCheck state on a developer account? (either ourselves or via Apple support) We recently built a feature that leverages DeviceCheck and did a trial run of that feature. Now there's this trial data stored in DeviceCheck that we'd like to clear out so we can start from a clean slate. I wanted to check what our options are to do this. Thanks!

I'm trying to prevent my App from running on jailbroken devices. For React Native apps, there is Firebase App Check, wich integrates with App Attest and DeviceCheck. I wonder, is App Attest with DeviceCheck able to detect that my App is running on a jailbroken device? I see other posts about jailbeaking on this forum, but they are mostly (or perhaps all of them) older than DeviceCheck. Which is why I'm repeating the question but asking specifically about DeviceCheck and App Attest.

Hello developers and apple support team. Im was quite surprised why it's not possible to get SecKey reference for key which was generated using DCAppAttestService.generateKey() Case 1. So after self.iosDeviceAttestationManager.generateKey { keyId, error in guard let keyId = keyId else { promise(.failure(error!)) return } promise(.success(keyId)) } Then Im converting keyId from string to Data using guard let keyIdData = Data(base64Encoded: keyId) else { return Fail(error: Errors.someError).eraseToAnyPublisher() } P.S. Actually I have tried convert keyId as pure string to data but it also does not work let keyIdData = keyID.data(using: .utf8)! Then Im trying to obtain this key using standard keychain API. let getquery: [String: Any] = [ kSecClass as String: kSecClassKey, kSecAttrApplicationTag as String: keyIdData, kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom, kSecReturnRef as String: true] var item: CFTypeRef? let status = SecItemCopyMatching(getquery as CFDictionary, &item) guard status == errSecSuccess else { print("SecItemCopyMatching failed. Status = \(status)") return nil } Which return me SecItemCopyMatching failed. Status = -25300 Which means that itemNot found in keychain. Why it's happening? Case 2. I have tried other way around to create ECKey using let access = SecAccessControlCreateWithFlags( kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, .privateKeyUsage, nil) let ECKeySize = 256 let attributes: NSDictionary = [ kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom, kSecAttrKeySizeInBits: ECKeySize, kSecAttrTokenID: kSecAttrTokenIDSecureEnclave, kSecPrivateKeyAttrs: [ kSecAttrIsPermanent: true, kSecAttrApplicationTag: keyTagData, kSecAttrAccessControl: access as Any ] ] var error: Unmanaged<CFError>? guard let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else { error!.takeRetainedValue() as Error return nil } and then trying to attest this key using self.iosDeviceAttestationManager.attestKey(keyId, clientDataHash: clientDataHash) { data, error in guard let data = data else { promise(.failure(error!)) return } promise(.success(data)) } But this gives me error Error Domain=com.apple.devicecheck.error Code=3 "(null)" Which states fot InvalidKey So is there any way how I could get reference to attested key to later use it for signing/verification purposes? Thanks, in advance!

I'm writing some PHP code in my server in order to use the Apple devicecheck service when getting a request from my iOS app. When testing locally (dev environment) everything seems to work fine, however when testing from my online host the connection to the Apple service is failing with the error: cURL error 35: error:0A000152:SSL routines::unsafe legacy renegotiation disabled Has anyone else encountered this issue with DeviceCheck? From what I've been able to investigate, it seems that the issue is related to the OpenSSL versions in the client (in this case, my online host) and the server (Apple servers), with the latter being on a lower patch version. This is causing the connection to fail with the 'unsafe legacy renegotiation disabled' error message. If this is indeed the cause of the issue, is there no other solution than to wait for Apple to patch their servers? Or is there something that I can do on my end to resolve this? Any help or guidance would be appreciated.

As documented in this article (by Apple), it is apparent that calls to the DeviceCheck App Attest API (DCAppAttestService.attestKey(_:clientDataHash:completionHandler:)) might be subject of throttling from Apple's side. Apple servers might throttle attestation traffic from a particular app to avoid becoming overwhelmed if too many instances of your app make this call simultaneously. That could happen if you have a lot of users that simultaneously receive an app update enabling App Attest. Me and my team are planning to launch a new feature in our app that utilise Apple’s DeviceCheck framework to attest cryptographic keys for our users. And as part of our internal development process and risk analysis routine, we would love to get more details about this throttling. Do anyone have any numbers on when Apple might start to throttle our API calls? Is there a limit on requests per hour or something? And is it possible to get an exception from this throttling?

Hello, I would simply like to know where i can find the information regarding the quotas and limits for using DeviceCheck / AppAttest APIs please. Thanks

I'm testing out an app that will be using the DeviceCheck framwork / API to enable a one-time free trial. I'm testing using the deveopment URL provided in the documentation (https://api.development.devicecheck.apple.com). I had set the bits for one of my test iOS devices several days ago. Today when I went to do some additional testing the query_two_bits response came back with "200 Bit State Not Found" - what the API apparently returns for a device that has never had the DeviceCheck value set. I tried it several times before I executed another update_two_bits call, which succeeded. Subsequent calls to the query endpoint returned 200 OK and the expected bit values.It's probably worth mentioning that the unexpected behavior happened after I had deleted and re-installed the app. The app's bundle ID did not changed, but I did enable Push Notifications yesterday.My question is: is the development version of DeviceCheck less "permanent" than the production version (i.e. does everything get deleted after X days)?Or, unlike in the production environment, does deleting and reinstalling the app change something that causes DeviceCheck to not recognize the device by subsequently generated DC tokens?Or does making a change to the app's configuration in AppStoreConnect (i.e. enabling Push) make some change that causes DeviceCheck to not recognize the device by subsequently generated DC tokens?Or is it most likely that something has broken in my environment or code?Thanks -S

How often does the devicecheck values reset on DEV environment? From what I see, it seems to be 24h. Can anyone confirm?

DeviceCheck: generateToken() fails to return token in Xcode Cloud for macOS. The device token is always nil. How does one write test with that API ? Skipping the test is an option but then defeats the purpose.