Protect your app with App Attest
Use App Attest to protect your app from unauthorized modification and fraud. Learn how attackers use modified copies of an app to spoof data and bypass security checks, and how App Attest defends against these threats. Learn how to generate and manage App Attest keys bound to the Secure Enclave, validate attestations and assertions, and use the fraud metric to detect abuse. Discover best practices across all Apple platforms, including the new signals added in iOS 27, to strengthen your validation.
Chapters
- 0:00 - Introduction
- 1:35 - Protections
- 4:04 - Availability
- 5:02 - Key generation
- 6:12 - Attestation
- 12:10 - Assertion
- 14:58 - Common pitfalls
- 16:27 - Fraud metric
- 19:07 - Next steps
Resources
- 5:07 - Generate a Secure Enclave–bound key
```swift
import DeviceCheck

// Returns the identifier of a new key whose private half never leaves the Secure Enclave.
// Persist the identifier (for example in the keychain) so the same key is reused later.
let keyID = try await DCAppAttestService.shared.generateKey()
```
- 6:32 - Attestation API
```swift
import DeviceCheck

let keyId: String = ...          // identifier returned by generateKey()
let clientDataHash: Data = ...   // SHA-256 of the one-time challenge issued by your server

// Returns an attestation object to send to your server for validation.
let attestation = try await DCAppAttestService.shared.attestKey(keyId: keyId, clientDataHash: clientDataHash)
```
- 12:33 - Assertion API
```swift
import DeviceCheck

let keyId: String = ...          // identifier of a key that has already been attested
let clientDataHash: Data = ...   // SHA-256 of the request payload being signed

// Pass the values, not the type names; returns an assertion over clientDataHash signed by the attested key.
let assertion = try await DCAppAttestService.shared.generateAssertion(keyId: keyId, clientDataHash: clientDataHash)
```
- 0:00 - Introduction
The threats App Attest is designed to address — modified copies of your app sending valid-looking requests to your server, such as falsified quiz submissions or injected game cheats.
- 1:35 - Protections
Verify genuine Apple hardware, detect app modifications, and secure payloads with assertions.
- 4:04 - Availability
Where App Attest is available (now including macOS 27 and all major platforms, though not every app extension type), how to gate usage with the isSupported API, and why an unexpected unsupported response should be treated as a fraud signal.
- 5:02 - Key generation
Create a Secure Enclave–bound key ID and store it in the keychain.
- 6:12 - Attestation
Request and validate attestations, including the macOS key access control property and new authenticator-data extensions.
- 12:10 - Assertion
Sign payloads with attested keys and validate the assertion counter on your server.
- 14:58 - Common pitfalls
Handle new keys for existing users, degrade gracefully on rejection, and assess risk before blocking.
- 16:27 - Fraud metric
The receipt-based fraud metric — an approximate 30-day count of unique attested keys on a device — and how it fits a risk profile to spot a compromised device acting as a broker.
- 19:07 - Next steps
Steps to adopt App Attest: rebuild against the latest SDKs, identify flows that benefit from attestations and assertions, set up your server to validate and track them, and fold the fraud metric into your risk pipeline.
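The server side of the Assertion chapter (validating the assertion counter) together with the risk pipeline from the Fraud metric and Next steps chapters, as an added Python example; it is not Apple's code and not from this session. It assumes a constructed placeholder App ID, that the attestation object for each key was already validated and its public key stored, and that ECDSA signature verification is supplied by the caller as a callable (the Python standard library has no P-256 ECDSA). The authenticator-data header it parses (32-byte rpIdHash, 1-byte flags, 4-byte big-endian counter) is the WebAuthn layout that App Attest assertions use; the risk-score thresholds are invented for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed placeholder App ID (<Team ID>.<bundle ID>); not a real app.
APP_ID = "ABCDE12345.com.example.quizapp"

# Authenticator data begins with: 32-byte rpIdHash | 1-byte flags | 4-byte big-endian counter.
AUTH_DATA_HEADER = struct.Struct(">32sBI")


@dataclass
class KeyRecord:
    public_key: bytes   # public key captured when the attestation was validated
    counter: int = 0    # highest assertion counter accepted so far


def parse_authenticator_data(auth_data: bytes) -> Tuple[bytes, int, int]:
    """Split the fixed header of authenticator data into (rpIdHash, flags, counter)."""
    if len(auth_data) < AUTH_DATA_HEADER.size:
        raise ValueError("authenticator data too short")
    rp_id_hash, flags, counter = AUTH_DATA_HEADER.unpack_from(auth_data)
    return rp_id_hash, flags, counter


def make_auth_data(app_id: str, counter: int, flags: int = 0x40) -> bytes:
    """Build a minimal constructed authenticator-data header (used for the demo and tests)."""
    return AUTH_DATA_HEADER.pack(hashlib.sha256(app_id.encode()).digest(), flags, counter)


class AssertionValidator:
    """Tracks attested keys per key ID and enforces a strictly increasing counter."""

    def __init__(self, app_id: str,
                 verify_signature: Optional[Callable[[bytes, bytes, bytes], bool]] = None):
        self.rp_id_hash = hashlib.sha256(app_id.encode()).digest()
        self.keys: Dict[str, KeyRecord] = {}
        # Hypothetical injected verifier: verify_signature(public_key, nonce, signature) -> bool.
        self.verify_signature = verify_signature

    def register_key(self, key_id: str, public_key: bytes) -> None:
        # Called once after the attestation object for key_id has been validated.
        self.keys[key_id] = KeyRecord(public_key=public_key)

    def validate(self, key_id: str, auth_data: bytes, client_data_hash: bytes,
                 signature: bytes) -> Tuple[bool, str]:
        record = self.keys.get(key_id)
        if record is None:
            return False, "unknown key"
        rp_id_hash, _flags, counter = parse_authenticator_data(auth_data)
        if rp_id_hash != self.rp_id_hash:
            return False, "rpIdHash does not match App ID"
        if counter <= record.counter:
            # A repeated or lower counter means a replayed assertion or a cloned key.
            return False, "counter did not increase"
        # The signed nonce is SHA-256(authenticatorData || clientDataHash).
        nonce = hashlib.sha256(auth_data + client_data_hash).digest()
        if self.verify_signature and not self.verify_signature(record.public_key, nonce, signature):
            return False, "bad signature"
        # Only advance the stored counter after every check has passed.
        record.counter = counter
        return True, "ok"


def risk_score(fraud_metric: int, unexpected_unsupported: bool, rejections: int,
               key_limit: int = 5) -> int:
    """Combine App Attest signals into a coarse 0-100 risk score (thresholds are illustrative)."""
    score = 0
    if fraud_metric > key_limit:
        # Many distinct attested keys within 30 days on one device suggests a broker device.
        score += min(60, 10 * (fraud_metric - key_limit))
    if unexpected_unsupported:
        score += 25
    score += min(30, 15 * rejections)
    return min(score, 100)


if __name__ == "__main__":
    v = AssertionValidator(APP_ID)
    v.register_key("key-1", b"constructed-public-key")
    payload_hash = hashlib.sha256(b'{"quiz": 42, "score": 10}').digest()
    print(v.validate("key-1", make_auth_data(APP_ID, 1), payload_hash, b"sig"))
    print(v.validate("key-1", make_auth_data(APP_ID, 1), payload_hash, b"sig"))  # replay
    print(risk_score(fraud_metric=9, unexpected_unsupported=True, rejections=1))
```

The counter is advanced only after the signature check succeeds, so a forged assertion carrying a high counter cannot lock out the genuine device. The score is meant as one input to a risk profile, which matches the Common pitfalls advice to assess risk before blocking rather than reject outright.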