DCAppAttestService errors: com.apple.devicecheck.error 3 and 4

Question

Created 2d

Replies 1

Boosts 0

Participants 2

Hello,

we are using DeviceCheck – App Attest in a production iOS app. The integration has been live for some time and works correctly for most users, but a small subset of users encounter non-deterministic failures that we are unable to reproduce internally.

Environment

iOS 14+
Real devices only (no simulator)
App Attest capability enabled
Correct App ID, Team ID and App Attest entitlement
Production environment

Relevant code

let service = DCAppAttestService.shared
service.generateKey { keyId, error in
  // key generation
}
service.attestKey(keyId, clientDataHash: hash) { attestation, error in
  // ERROR: com.apple.devicecheck.error 3 / 4
}
service.generateAssertion(keyId, clientDataHash: clientDataHash) { assertion, error in
  // ERROR: com.apple.devicecheck.error 3 / 4
}

For some users we intermittently receive:

com.apple.devicecheck.error error 3
com.apple.devicecheck.error error 4

Characteristics:

appears random
affects only some users/devices
sometimes resolves after time or reinstall
not reproducible on our test devices
NSError contains no additional diagnostic info

Some questions:

What is the official meaning of App Attest errors 3 and 4?
Are these errors related to key state, device conditions, throttling, or transient App Attest service issues?
Is there any recommended way to debug or gain more insight when this happens in production?

Any guidance would be greatly appreciated, as this impacts real users and is difficult to diagnose. Thank you.

Boost

Answer 1

Engineer OP

Apple

2d

Error 3 is invalidKey. Under normal circumstances, you receive this error if something goes wrong with generating or retrieving the attestation key.

Unfortunately due to a bug, there are some instances, where a user's instance of the app will constantly fail. If these subset of users have had their phones since iOS 17.0 or earlier, this would be explained by a known bug in earlier versions of iOS, which impacts an underlying dependency of DCAppAttestService and is fixed in iOS 17.1.

While we don’t expect any new issues popping up from this point on, unfortunately any device that got stuck in this state from before 17.1 will not be automatically cleared.

While there might be actions for the users to clear this error state, experience taught us that they are just as likely to make matters worse, so we are no longer recommending developers to reach out to their customers to resolve the issue.

One solution would be to treat any app instance in this state which is running on an earlier iOS, or persistently getting this error, as not supporting AppAttest and handle that case otherwise.

Error 4 is serverUnavailable. This is a transient error due to the system not being able able to complete the attestation. If you receive this error, try the attestation again later using the same key and the same value for the clientDataHash parameter. Retrying with the same inputs helps to preserve the risk metric for a given device.

If certain users are stuck with this error permanently, it could be due to a networking issue on heir end.

0