Private Access Tokens versus App Attest + DeviceCheck -- which one should I use to protect my app?

Private Access Tokens (PATs) are headlined as something that can eliminate CAPTCHAs, but they also include app-to-server communications in their use cases. Because of this, they seem to perform a very similar function to DeviceCheck, since both aim to attest to the health of the device in question.

I don't really understand the difference between the two and find this confusing. Since PATs are newer and more general, I'm more inclined to adopt them, but where does this leave DeviceCheck? Is it redundant? How does App Attest fit into all of this?

If my goal is to minimize if not eliminate fraudulent/malicious use of my app's APIs, should I use Private Access Tokens, DeviceCheck, and App Attest simultaneously to maximize my protection? If not, what is accepted to be the best practice?

I admire Apple's dedication to privacy and security, but as a new developer I feel Apple could make it easier for their app developers to find out and implement the latest best practices.

Answered by endecotp in 791261022

Users can turn off PAT in Settings.

For a website, you can fall back to CAPTCHA etc. What does an app do?

I believe they also don’t work when the app is in the background.

> If my goal is to minimize if not eliminate fraudulent/malicious use of my app's API

As I’ve written in various threads about AppAttest, you need to consider what level of false-positives (i.e. legitimate users who fail your tests) is acceptable for you.
