DeviceCheck tokens lifetime

Hi!

We are using Device Check tokens to prove that HTTP request comes from iOS device. We found out that both envs - prod and sandbox doesn't limit token lifetime

  • v1/validate_device_token always return true and can be reused for a long period of time per one DCDevice token.
  • v1/update_two_bits also can be reused unlimited number of times per one token (didn't measure the exact number)

Is it true - that lifetime of token generated via DCDevice.generateToken isn't short (minutes) and we should build our own infrastructure to prevent replay attacks?