App attest api returns "DCErrorInvalidKey 3" invalidKey error for some of the users

Hi, the App Attestation API "attestKey(_:clientDataHash:completionHandler:)" returns "DCErrorInvalidKey 3" for some of the users. We have checked the first reason, regarding whether the generated key has already been attested; we are generating a new key and challenge every time. Could you please provide more details regarding the second reason, "The App Attest service rejects the key"?

https://developer.apple.com/documentation/devicecheck/dcerror/3585177-invalidkey

for some of the users

Which users? Is this in production? Maybe App Attest is doing its job correctly and not working for users who have hacked your app.

we are generating new key and challenge every time.

What exactly do you mean by that? It's important not to generate new keys too often, as that can look suspicious.

Here is one scenario to consider:

  1. You generate a key and register successfully. You store the key ID in the filesystem.
  2. The user replaces their device and restores your app on the new device.
  3. When your app first runs on the new device, it has the key ID that it saved in the filesystem on the old device, but the new device doesn't have that key, so App Attest fails.

(I've asked previously about best practice for where to store the key ID, but I don't have a good answer.)

If "which users?" turns out to be "users who have replaced their device", or "users who have restored their device from a backup", then something like this could be the cause.
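One way to handle the scenario described above in code, as an added example that is not part of this thread or of Apple's sample code: the key ID is kept in the keychain with a ThisDeviceOnly accessibility class (so backup/restore does not carry it to a device that lacks the key), and a DCError.invalidKey result from attestKey is treated as "discard the cached key ID and attest a fresh key once", while other error codes are left for the caller to retry with the same key. The type AttestationClient, the keychain account name, and the method names are this example's own; the server challenge is assumed to be fetched elsewhere and passed in.

```swift
import DeviceCheck
import CryptoKit
import Security

// Example wrapper around DCAppAttestService (hypothetical helper, not Apple API).
enum AttestationError: Error {
    case unsupported
    case keychain(OSStatus)
}

struct AttestationClient {
    private let service = DCAppAttestService.shared
    // Keychain account under which the App Attest key ID is stored (example value).
    private let keyIDAccount = "app-attest-key-id"

    // Returns the cached key ID, or generates a fresh key and caches its ID.
    func currentKeyID() async throws -> String {
        if let cached = try loadKeyID() { return cached }
        let keyID = try await service.generateKey()
        try storeKeyID(keyID)
        return keyID
    }

    // Attests the current key against a server-supplied challenge. On DCError.invalidKey
    // (this device's Secure Enclave has no key matching the cached ID, e.g. after a
    // restore onto new hardware) the cached ID is dropped and a new key is attested once.
    func attestOrRegenerate(challenge: Data) async throws -> (keyID: String, attestation: Data) {
        guard service.isSupported else { throw AttestationError.unsupported }
        let clientDataHash = Data(SHA256.hash(data: challenge))
        let keyID = try await currentKeyID()
        do {
            let attestation = try await service.attestKey(keyID, clientDataHash: clientDataHash)
            return (keyID, attestation)
        } catch let error as DCError where error.code == .invalidKey {
            // Only invalidKey means "throw the key away"; e.g. serverUnavailable should be
            // retried later with the same key rather than minting a new one.
            try deleteKeyID()
            let fresh = try await service.generateKey()
            try storeKeyID(fresh)
            let attestation = try await service.attestKey(fresh, clientDataHash: clientDataHash)
            return (fresh, attestation)
        }
    }

    // Keychain storage. ThisDeviceOnly keeps the key ID out of backups, so a restored
    // app does not start with an ID whose key only ever existed on the old device.
    private var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrAccount as String: keyIDAccount]
    }

    private func loadKeyID() throws -> String? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess, let data = item as? Data else {
            throw AttestationError.keychain(status)
        }
        return String(decoding: data, as: UTF8.self)
    }

    private func storeKeyID(_ keyID: String) throws {
        try deleteKeyID()
        var query = baseQuery
        query[kSecValueData as String] = Data(keyID.utf8)
        query[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
        let status = SecItemAdd(query as CFDictionary, nil)
        guard status == errSecSuccess else { throw AttestationError.keychain(status) }
    }

    private func deleteKeyID() throws {
        let status = SecItemDelete(baseQuery as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw AttestationError.keychain(status)
        }
    }
}
```

The returned key ID and attestation object still have to be sent to your server, which verifies the attestation against the same challenge before accepting the key for later assertions; that server side is out of scope here.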

Hi! I know this post is more than 6 months old, but I'm facing the same issue and wondering if there has been any development on this?

After rolling out some security features using attestation in our app into production, we have been observing the same strange occurrences that @mahashis described, and from our logs we could extract some metrics that place the total percentage of affected users at 5% to 6% of all users using the app, amounting to more than ten thousand installations.

Even though some failures are expected to happen, as mentioned in the docs and in the comment above from @endecotp (for users migrating devices) and for actually unsecured (example: jailbroken?) devices, it's hard to credit that this is the case for such a high percentage of users. Even more so because it happens when attesting a freshly generated key, which typically (and per documentation advice) only happens on fresh installations of the app or when a key is reported as invalid by the DCAppAttestService API. This blocks users from logging into the app, and after a few tries they effectively give up on it. They do not return to it and uninstall it from their device.

From our customer support, we were able to discard the unsecured/jailbroken device and sideloaded app hypotheses for all of the users that contacted us with this problem. We have not found any evidence of a relation to the version of iOS used (the app supports iOS 15.0+), as we have errors hit on all versions (most prominently on the latest 17.4.x and 17.5.x, as they amount to more than 80% of all users, which is to be expected).
