App Attest receipt update server returning 404 response

I have an App Attest server implementation which is generally functioning well.

From time to time, however, I get receipts which do not refresh when I send them to Apple's server; I get a 404 response. The docs (https://developer.apple.com/documentation/devicecheck/assessing_fraud_risk?language=objc - "Understanding HTTP Response Codes") say this means "No data available for the supplied receipt".

Once a receipt is in this state it seems "stuck", i.e. it will never return a new receipt.

I have seen this for both the development and production environments.

Does anyone know what this means, and what I should do?

Replies

Generally speaking you should hold on to and continue to use the last valid receipt you received.

The data used to compute the risk metric is only stored for a limited time. If there are no further attestation requests for your app on the same device eventually all the data will expire and your requests will start receiving a 404.

If after that point there are further attestation requests for your app on that device, the metric will increase again and you will receive a fresh receipt in response to your request.

  • Thanks for your reply. I'm not certain that that agrees with what I'm seeing, but I will keep monitoring it and will update this if I see any patterns emerging.

  • I now have more data to look at and the behaviour seems to be as follows: the receipts are issued with a not-before date of about 24 hours later and a not-after date of about 3 months later. Attempts to refresh start to fail with 404 after about 3 weeks. I now retry those failed refreshes with exponential backoff (if you don't do that, 404s quickly come to dominate). I see a very small number of receipts that refresh successfully after a period of failing. I have not yet reached the not-after date for any of these receipts; what should I do when that date arrives? Must the app generate a new key? I do have a mechanism for the server to tell the app to discard and regenerate its key, but the user does see an error message. Fundamentally, I wonder if I need to be using App Attest more frequently to keep Apple's data "fresh"; currently my attested requests are relatively infrequent.


I now have a few months of data to look at.

I have now seen examples where receipts that were failing to refresh with 404s have "come back to life".

A problem is that my exponential backoff means that it can take a while for me to discover that the receipts are working again. So for example, if a user doesn't use the app for 8 weeks then I will have stopped getting refreshed receipts after 3 weeks and after 5 weeks I will only be attempting to refresh every 20 days. This gives quite a long window when I don't have an up-to-date risk metric.
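A sketch of the server-side refresh scheduler the thread converges on: keep using the last valid receipt through 404s, back off on failures, but cap the backoff so a receipt that "comes back to life" is noticed within days rather than weeks. This is an added example, not the poster's or Apple's code; the abstracted endpoint call, the 6-hour base delay, the 3-day cap and the "expired" flag are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added example, not the poster's code. Apple's receipt endpoint is abstracted as
# call(receipt) -> (http_status, new_receipt_or_None) so the scheduler runs offline.
REFRESH_EVERY = timedelta(days=1)   # normal cadence after a successful refresh
BACKOFF_BASE = timedelta(hours=6)   # first retry delay after a 404 (assumed)
BACKOFF_CAP = timedelta(days=3)     # ceiling: a revived receipt is noticed within days

@dataclass
class ReceiptState:
    receipt: bytes          # last valid receipt; kept and used while refreshes 404
    not_after: datetime     # expiry from the receipt (assumed already parsed)
    next_attempt: datetime
    failures: int = 0

def backoff_delay(failures: int) -> timedelta:
    """Exponential backoff with a ceiling so retries never go quiet for weeks."""
    return min(BACKOFF_BASE * 2 ** (failures - 1), BACKOFF_CAP)

def refresh(state: ReceiptState, now: datetime, call) -> str:
    """One scheduled refresh; returns a status string for logging and metrics."""
    if now < state.next_attempt:
        return "waiting"
    status, body = call(state.receipt)
    if status == 200 and body:
        state.receipt, state.failures = body, 0
        state.next_attempt = now + REFRESH_EVERY
        return "refreshed"
    if status == 404:  # "No data available for the supplied receipt"
        state.failures += 1
        state.next_attempt = now + backoff_delay(state.failures)
        # Past not-after with nothing new from Apple: flag the device for the
        # server->app "regenerate key" path rather than keep trusting the old receipt.
        return "expired" if now >= state.not_after else "stale"
    state.next_attempt = now + REFRESH_EVERY  # other errors: transient, no backoff growth
    return "error"

def simulate(responses, hours, validity=timedelta(days=90)):
    """Drive refresh() hourly; constructed responses are consumed per attempt, then 404."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    queue = list(responses)
    state = ReceiptState(b"receipt-0", start + validity, start)
    attempts = []
    for h in range(hours):
        result = refresh(state, start + timedelta(hours=h),
                         lambda _r: queue.pop(0) if queue else (404, None))
        if result != "waiting": attempts.append((h, result))
    return attempts, state
```

With these constants the longest silent gap in a run of continuous 404s is 72 hours, against the 20-day gaps the last post describes for uncapped backoff.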