Undocumented behavior about risk metric refresh

Hello, I'm developing a server that uses the App Attest feature. During development, I found some behavior that is not described in the documentation, and I would like to ask about it.

  1. When does the Apple server return 404 for a risk metric refresh request?

A month after the attestation, the receipt is not past its expiration time, but 404 is returned from the Apple server when I try to refresh it. And this receipt succeeds in refreshing the risk metric normally if attestation is performed again. This behavior is not in the documentation, but I wonder whether it is intended.

  2. Is there a case where an attestation has occurred but the risk metric value does not increase?

I found a case where attestation occurred twice on one device, but when both receipts were refreshed, the risk metric returned was 1. Is this expected behavior? If it is, I would like to know the detailed conditions under which it occurs.

Thank you.
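The two observations above (a 404 from the refresh endpoint about a month after attestation while the receipt has not expired, and a refresh that works again once the device re-attests) are easiest to reason about with the server-side refresh logic laid out in code. The following is an added example, not code from the original post or from Apple; it assumes the refresh endpoints and receipt field numbers from Apple's "Assessing fraud risk" documentation (App Attest receipt endpoint `POST .../v1/attestationData`, base64 receipt in the body, App Store Connect JWT as bearer token; fields 6 receipt type, 12 creation time, 17 risk metric, 21 expiration time) and treats the field values as plain text inside each OCTET STRING, which is an assumption to check against a real receipt. The PKCS#7 envelope is not parsed or verified here: `parse_receipt_attributes` expects the already-extracted, already signature-checked attribute payload. The HTTP call is injected (`post`) so the decision logic runs offline; `encode_receipt_attributes` exists only to construct the sample receipt payload used in the demo.

```python
"""App Attest receipt refresh client that handles the undocumented 404 case."""
import base64
import datetime as dt
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Apple's receipt refresh endpoints (production and sandbox), per the
# "Assessing fraud risk" documentation. Verify against the current docs.
REFRESH_URL = {
    "production": "https://data.appattest.apple.com/v1/attestationData",
    "sandbox": "https://data-sandbox.appattest.apple.com/v1/attestationData",
}

# Attribute type numbers inside the receipt payload (Apple's field numbering).
FIELD_RECEIPT_TYPE, FIELD_CREATION, FIELD_RISK_METRIC, FIELD_EXPIRATION = 6, 12, 17, 21


def _der_len(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, offset after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (used only to construct sample input)."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    width = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | width]) + n.to_bytes(width, "big") + body


def encode_receipt_attributes(fields: Dict[int, bytes]) -> bytes:
    """Build a SET of SEQUENCE{INTEGER type, INTEGER version, OCTET STRING value}.
    Constructed test data only; a real receipt comes from the device, wrapped in PKCS#7."""
    seqs = b"".join(
        _der(0x30, _der(0x02, bytes([t])) + _der(0x02, b"\x01") + _der(0x04, v))
        for t, v in fields.items()
    )
    return _der(0x31, seqs)


def parse_receipt_attributes(payload: bytes) -> Dict[int, bytes]:
    """Parse the receipt's attribute payload into {field type: raw value}."""
    assert payload[0] == 0x31, "expected DER SET"
    total, pos = _der_len(payload, 1)
    end, fields = pos + total, {}
    while pos < end:
        assert payload[pos] == 0x30, "expected DER SEQUENCE"
        seq_len, pos = _der_len(payload, pos + 1)
        seq_end = pos + seq_len
        assert payload[pos] == 0x02                      # INTEGER type
        n, pos = _der_len(payload, pos + 1)
        ftype = int.from_bytes(payload[pos:pos + n], "big")
        pos += n
        assert payload[pos] == 0x02                      # INTEGER version (ignored)
        n, pos = _der_len(payload, pos + 1)
        pos += n
        assert payload[pos] == 0x04                      # OCTET STRING value
        n, pos = _der_len(payload, pos + 1)
        fields[ftype] = payload[pos:pos + n]
        pos = seq_end
    return fields


def parse_time(raw: bytes) -> dt.datetime:
    """Assumption: timestamps are RFC 3339 text such as 2022-05-01T00:00:00Z."""
    return dt.datetime.fromisoformat(raw.decode().replace("Z", "+00:00"))


def risk_metric(fields: Dict[int, bytes]) -> int:
    """Assumption: field 17 holds the risk metric as decimal text."""
    return int(fields[FIELD_RISK_METRIC].decode())


@dataclass
class RefreshResult:
    action: str                 # "updated" | "unchanged" | "reattest" | "error"
    status: Optional[int]       # HTTP status, or None when no request was sent
    receipt: bytes              # receipt to keep storing (the new one on "updated")


# Injected transport: post(url, headers, body) -> (status, response body).
Poster = Callable[[str, Dict[str, str], bytes], Tuple[int, bytes]]


def refresh_receipt(receipt: bytes, expires_at: dt.datetime, now: dt.datetime,
                    api_jwt: str, post: Poster, env: str = "production") -> RefreshResult:
    """Ask Apple for a refreshed receipt and decide what the server should do next."""
    if now >= expires_at:                      # documented case: expired, re-attest
        return RefreshResult("reattest", None, receipt)
    headers = {"Authorization": f"Bearer {api_jwt}"}
    status, body = post(REFRESH_URL[env], headers, base64.b64encode(receipt))
    if status == 200:                          # new receipt, base64 in the body
        return RefreshResult("updated", 200, base64.b64decode(body))
    if status == 304:                          # nothing new yet; keep the old receipt
        return RefreshResult("unchanged", 304, receipt)
    if status == 404:
        # The behavior reported in this thread: 404 roughly a month after attestation
        # although the receipt has not expired. Treat the receipt as dead and have the
        # client attest again rather than retrying the refresh forever.
        return RefreshResult("reattest", 404, receipt)
    return RefreshResult("error", status, receipt)   # 400/401/5xx: log and alert
```

A server that only checks the receipt's expiration field will keep retrying a refresh that Apple answers with 404; mapping 404 to "reattest" is what makes the flow self-healing, matching the observation that the refresh works again after the device attests once more.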

Replies

See this thread:

https://developer.apple.com/forums/thread/702845

How are you getting on with App Attest generally? I fear it has too many false positives to deploy in production.

Thank you, I also read the thread.

It seems to me that the period during which risk metric refresh is possible is within a month of attestation. After that, 404 is returned. When App Attest is performed on the device again, I have confirmed that the refresh succeeds with the receipt from the previous attestation. This is probably the reason why there are cases of success again after a 404 failure.

How are you getting on with App Attest generally?

Only one attestation is performed while using the app.

There seems to be an Apple internal spec that hasn't been made public; I want this to be clearly revealed in order to use this feature properly.