DeviceCheck


Access per-device, per-developer data that your associated server can use in its business logic using DeviceCheck.

DeviceCheck Documentation

Posts under DeviceCheck tag

18 Posts
Post not yet marked as solved
0 Replies
63 Views
Hello everyone, I am using Apple's DeviceCheck API in my Swift application, which will check if the device is registered on Apple's server or not, and based on the bits I have set I am updating the values in my own database. These values will help me to differentiate the new devices through which the users are getting logged in to my application, and I will give them some digital reward points to use my application on their new devices. Everything is working fine for me in the development environment, as I get the right response when I am using the development API, i.e. https://api.development.devicecheck.apple.com, but it does not work as intended when I am using the production API, i.e. https://api.devicecheck.apple.com/
Post not yet marked as solved
0 Replies
51 Views
Hi, we are developing an app attestation DeviceCheck feature. We would like to know: is there a limit on calling DCAppAttestService.generateKey()? What happens to the cryptographic key in the Secure Enclave that was already created when we call DCAppAttestService.generateKey() again? Does it override the old key pair, or does it always create a new key?
Posted by jey_samy.
Post not yet marked as solved
1 Replies
298 Views
I have a question regarding the usage of the DeviceCheck API. We have been using https://api.development.devicecheck.apple.com/v1/validate_device_token for checking device tokens. However, we encountered frequent HTTP response status code 403 between 16:50 and 17:15 Japan time on June 29th. According to the official documentation at https://developer.apple.com/documentation/devicecheck/accessing_and_modifying_per-device_data, I understand that a 403 error indicates "The specified action isn't allowed". Yet, I would like to clarify under what specific circumstances this error would be returned. Please note that we do not encounter a 403 error outside the aforementioned timeframe, which leads us to believe there is no issue with our basic implementation.
Post not yet marked as solved
2 Replies
242 Views
How to uniquely identify the device to prevent fraudulent activity in any financial apps? Since the UUID also gets changed on every installation, is there any option to track the device like how it is done with the IMEI number? Note: Our app is targeted at normal App Store users.
Post not yet marked as solved
1 Replies
197 Views
Hi, for more than a month I have been trying to solve this issue. The issue is as follows: the Developer Program end dates shown in the Apple Developer account / app and in the MacBook's Settings > Manage Subscription are different. The Developer application is not showing a renew button. When I try to renew from the MacBook's Manage Subscription option (where the wrong date is mentioned), it gives an error that it could not purchase the subscription. I got a 7-day extension from Apple and my corrected date (in the Apple account on the website) got properly extended. Please solve this issue on priority. I am attaching screenshots for your reference.
Posted by TechPisat.
Post not yet marked as solved
1 Replies
321 Views
There seems to be an issue with the DeviceCheck framework where in rare cases the public key (ECC P-256) embedded inside the attestation object returned from DCAppAttestService.attestKey(_:clientDataHash:completionHandler:) has X and Y coordinates with mismatching length. Sometimes X or Y has 31 bytes instead of the expected 32 bytes.

This can easily be reproduced by generating and attesting multiple keys using DCAppAttestService.generateKey(completionHandler:) and DCAppAttestService.attestKey(_:clientDataHash:completionHandler:). Every now and then the public key embedded inside the attestation object has X and Y coordinates with mismatching length (number of bytes). Added a Swift snippet at the bottom that shows an example of how to generate and detect this.

I would expect the ECC P-256 public key X and Y coordinates to always be 32 bytes long, as mentioned in the Web Authentication spec for example.

I've attached an example attestation object (in base64 encoded CBOR) that has an embedded public key with mismatching X and Y coordinate length (Y is 31 bits, and not the expected 32 bits). The file was generated using the Swift snippet below. The snippet was built using Xcode 14.3 (14E222b) and ran on iPhone XR with iOS 15.7.1 (19H117).

A feedback ticket has also been submitted regarding this issue: FB12235865

Swift snippet to generate and check attestation objects:

```swift
import DeviceCheck
import CryptoKit
import SwiftCBOR // https://github.com/valpackett/SwiftCBOR

// Note: Data(hex:) is not a Foundation initializer; a helper extension is assumed.
func generateAttestationObjects() {
    for i in 0..<1000 {
        // Generate and attest one key per second.
        DispatchQueue.main.asyncAfter(deadline: .now() + TimeInterval(i)) {
            DCAppAttestService.shared.generateKey { keyId, error in
                guard let keyId else {
                    print("\(i): Failed to generate key: \(error)")
                    return
                }

                print("\(i): Generated keyId: \(keyId)")

                DCAppAttestService.shared.attestKey(
                    keyId,
                    clientDataHash: Data(hex: "01020304")!
                ) { attestationObject, error in
                    guard let attestationObject else {
                        print("\(i): Failed to get attestation: \(error)")
                        return
                    }

                    do {
                        let attestationObjectBytes = [UInt8](attestationObject)

                        if case let .map(decodedAttestationObject) = try CBOR.decode(attestationObjectBytes) {
                            print("\(i): Successfully decoded Attestation object (CBOR)")

                            if case let .byteString(authData) = decodedAttestationObject["authData"] {

                                // Skip rpIdHash (32 bytes), flags (1 byte) and signCount (4 bytes).
                                let attestedCredentialData = [UInt8](authData.dropFirst(37))

                                // AAGUID (16 bytes), then a big-endian 16-bit credential ID length.
                                let credentialIdLengthBuffer = [UInt8](attestedCredentialData[16..<18])
                                let credentialIdLength = Int(credentialIdLengthBuffer.reversed().withUnsafeBytes { $0.load(as: UInt16.self) })
                                let credentialId = [UInt8](attestedCredentialData[18..<(18 + credentialIdLength)])
                                let credentialPublicKeyBuffer = [UInt8](attestedCredentialData.dropFirst(18 + credentialIdLength))

                                if let decodedCredentialPublicKey = try CBOR.decode(credentialPublicKeyBuffer) {

                                    // COSE key labels -2 and -3 hold the X and Y coordinates.
                                    if case let .byteString(xCoordinateBuffer) = decodedCredentialPublicKey[-2],
                                       case let .byteString(yCoordinateBuffer) = decodedCredentialPublicKey[-3] {
                                        let xCoordinateLength = xCoordinateBuffer.count
                                        let yCoordinateLength = yCoordinateBuffer.count

                                        if xCoordinateLength != yCoordinateLength {
                                            print("\(i): X/Y Coordinate length mismatch! X: \(xCoordinateLength), Y: \(yCoordinateLength)")
                                        } else if xCoordinateLength != 32 || yCoordinateLength != 32 {
                                            print("\(i): X/Y Coordinate length mismatch! X: \(xCoordinateLength), Y: \(yCoordinateLength)")
                                        } else {
                                            print("\(i): X/Y Coordinates OK")
                                        }
                                    }
                                }
                            }
                        }
                    } catch {
                        print("\(i): Error decoding Attestation object (CBOR): \(error)")
                    }
                }
            }
        }
    }
}
```

An attestation object with an embedded public key with mismatching X and Y coordinate length (base64 encoded CBOR): appattest-object-mismatching-x-y-base64.txt
Posted by Smed1.
Post not yet marked as solved
0 Replies
277 Views
Is it possible to clear out the existing DeviceCheck state on a developer account? (either ourselves or via Apple support) We recently built a feature that leverages DeviceCheck and did a trial run of that feature. Now there's this trial data stored in DeviceCheck that we'd like to clear out so we can start from a clean slate. I wanted to check what our options are to do this. Thanks!
Posted by tristanf.
Post not yet marked as solved
0 Replies
355 Views
I'm trying to prevent my app from running on jailbroken devices. For React Native apps, there is Firebase App Check, which integrates with App Attest and DeviceCheck. I wonder, is App Attest with DeviceCheck able to detect that my app is running on a jailbroken device? I see other posts about jailbreaking on this forum, but they are mostly (or perhaps all of them) older than DeviceCheck, which is why I'm repeating the question but asking specifically about DeviceCheck and App Attest.
Posted by dmelo.
Post not yet marked as solved
2 Replies
1.1k Views
Hello developers and Apple support team. I was quite surprised why it's not possible to get a SecKey reference for a key which was generated using DCAppAttestService.generateKey()

Case 1. So after

```swift
self.iosDeviceAttestationManager.generateKey { keyId, error in
    guard let keyId = keyId else {
        promise(.failure(error!))
        return
    }
    promise(.success(keyId))
}
```

Then I'm converting keyId from string to Data using

```swift
guard let keyIdData = Data(base64Encoded: keyId) else {
    return Fail(error: Errors.someError).eraseToAnyPublisher()
}
```

P.S. Actually I have tried to convert keyId as a pure string to data, but it also does not work

```swift
let keyIdData = keyID.data(using: .utf8)!
```

Then I'm trying to obtain this key using the standard keychain API.

```swift
let getquery: [String: Any] = [
    kSecClass as String: kSecClassKey,
    kSecAttrApplicationTag as String: keyIdData,
    kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
    kSecReturnRef as String: true]

var item: CFTypeRef?
let status = SecItemCopyMatching(getquery as CFDictionary, &item)
guard status == errSecSuccess else {
    print("SecItemCopyMatching failed. Status = \(status)")
    return nil
}
```

Which returns me

SecItemCopyMatching failed. Status = -25300

Which means that the item was not found in the keychain. Why is it happening?

Case 2. I have tried the other way around, to create an EC key using

```swift
let access = SecAccessControlCreateWithFlags(
    kCFAllocatorDefault,
    kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    .privateKeyUsage,
    nil)
let ECKeySize = 256
let attributes: NSDictionary = [
    kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
    kSecAttrKeySizeInBits: ECKeySize,
    kSecAttrTokenID: kSecAttrTokenIDSecureEnclave,
    kSecPrivateKeyAttrs: [
        kSecAttrIsPermanent: true,
        kSecAttrApplicationTag: keyTagData,
        kSecAttrAccessControl: access as Any
    ]
]

var error: Unmanaged<CFError>?
guard let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
    error!.takeRetainedValue() as Error
    return nil
}
```

and then trying to attest this key using

```swift
self.iosDeviceAttestationManager.attestKey(keyId, clientDataHash: clientDataHash) { data, error in
    guard let data = data else {
        promise(.failure(error!))
        return
    }
    promise(.success(data))
}
```

But this gives me the error

Error Domain=com.apple.devicecheck.error Code=3 "(null)"

Which stands for InvalidKey.

So is there any way I could get a reference to the attested key to later use it for signing/verification purposes? Thanks in advance!
Post marked as solved
1 Replies
629 Views
The addresses api.devicecheck.apple.com and api.development.devicecheck.apple.com are down, at the moment. Why isn't this service listed in the developer status monitor (https://developer.apple.com/system-status/)?
Posted by xdrond-w.
Post not yet marked as solved
0 Replies
637 Views
I'm writing some PHP code in my server in order to use the Apple devicecheck service when getting a request from my iOS app. When testing locally (dev environment) everything seems to work fine, however when testing from my online host the connection to the Apple service is failing with the error: cURL error 35: error:0A000152:SSL routines::unsafe legacy renegotiation disabled Has anyone else encountered this issue with DeviceCheck? From what I've been able to investigate, it seems that the issue is related to the OpenSSL versions in the client (in this case, my online host) and the server (Apple servers), with the latter being on a lower patch version. This is causing the connection to fail with the 'unsafe legacy renegotiation disabled' error message. If this is indeed the cause of the issue, is there no other solution than to wait for Apple to patch their servers? Or is there something that I can do on my end to resolve this? Any help or guidance would be appreciated.
Posted by fcollf.
Post marked as solved
5 Replies
2.1k Views
Hello, I've already made a previous similar post but it's getting a bit old, so I'm re-launching it. I am currently developing an iOS application using AppCheck with AppAttest. I have read Apple's documentation on AppAttest to understand how it works. However, there is a part I didn't understand. When the public key is to be shared, Apple will create a certificate to attest that this public key belongs to an official instance of my application. Here is what it says about this verification on the official website: How does the Apple server identify that the key comes from an official instance of my application? I can also rephrase my question as follows: How does the Apple server detect an unofficial instance of my application if the data it receives for this check comes from it directly (I assume, and I am probably wrong) and can therefore be falsified? Is this a secret process to which I cannot have access? This answer would also suit me. Thanks for your attention!
Posted by Sheezen.
Post not yet marked as solved
0 Replies
722 Views
As documented in this article (by Apple), it is apparent that calls to the DeviceCheck App Attest API (DCAppAttestService.attestKey(_:clientDataHash:completionHandler:)) might be subject to throttling from Apple's side.

"Apple servers might throttle attestation traffic from a particular app to avoid becoming overwhelmed if too many instances of your app make this call simultaneously. That could happen if you have a lot of users that simultaneously receive an app update enabling App Attest."

My team and I are planning to launch a new feature in our app that utilises Apple’s DeviceCheck framework to attest cryptographic keys for our users. As part of our internal development process and risk analysis routine, we would love to get more details about this throttling. Does anyone have any numbers on when Apple might start to throttle our API calls? Is there a limit on requests per hour or something? And is it possible to get an exception from this throttling?
Post not yet marked as solved
2 Replies
1.3k Views
I'm testing out an app that will be using the DeviceCheck framework / API to enable a one-time free trial. I'm testing using the development URL provided in the documentation (https://api.development.devicecheck.apple.com). I had set the bits for one of my test iOS devices several days ago. Today when I went to do some additional testing, the query_two_bits response came back with "200 Bit State Not Found" - what the API apparently returns for a device that has never had the DeviceCheck value set. I tried it several times before I executed another update_two_bits call, which succeeded. Subsequent calls to the query endpoint returned 200 OK and the expected bit values.

It's probably worth mentioning that the unexpected behavior happened after I had deleted and re-installed the app. The app's bundle ID did not change, but I did enable Push Notifications yesterday.

My question is: is the development version of DeviceCheck less "permanent" than the production version (i.e. does everything get deleted after X days)?

Or, unlike in the production environment, does deleting and reinstalling the app change something that causes DeviceCheck to not recognize the device by subsequently generated DC tokens?

Or does making a change to the app's configuration in AppStoreConnect (i.e. enabling Push) make some change that causes DeviceCheck to not recognize the device by subsequently generated DC tokens?

Or is it most likely that something has broken in my environment or code?

Thanks -S
Posted by ssokol.
Post not yet marked as solved
0 Replies
604 Views
How often do the DeviceCheck values reset in the DEV environment? From what I see, it seems to be 24h. Can anyone confirm?