Apple Adds App Attest API to Device Check Services

Apple introduced a new addition to its DeviceCheck services: the App Attest API. DeviceCheck is a collection of Apple services that aim to reduce fraudulent use of services by managing device state. The App Attest API generates a cryptographic key on a device that is used to validate the integrity of an app before a server grants access to sensitive data. Rather than trusting the app's own claims, the server withholds that access until an Apple server has verified that the request came from a non-compromised version of the app.

The App Attest API will be available on iOS 14 and later. In operation, whenever an app requests data from a server, the App Attest API asks the server for a unique, one-time challenge; if the app passes the check, the communication is permitted.

The App Attest API establishes an app's integrity, validates apps connected to a server, and assesses fraud risk. Apps cannot rely on their own logic for security checks, because a compromised app can falsify the results. The shared instance of App Attest can certify that a key belongs to a valid app instance. Validating apps is the flip side of the integrity check: once a server verifies the attestation object, it extracts the embedded public key and other information. Fraud assessment isn't a perfect science, but App Attest provides a metric-based approach built on the approximate count of unique attestations for a particular app on a device. A higher than expected count could indicate that a device hosts multiple instances of that app.
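The server-side half of the flow described above, as an added example that is not part of the original article and not Apple's own code: the server issues random, single-use challenges with a short lifetime, records one public key per attested app instance (counting attestations per device as the fraud signal the article mentions), and accepts an assertion only if it is an ECDSA signature over the challenge from a registered key. Parsing Apple's real attestation object (a CBOR structure carrying a certificate chain) is out of scope here; registering a raw P-256 public key under a caller-supplied device identifier stands in for that step, and deriving the key identifier as SHA-256 of the public key is likewise a simplification, not Apple's documented format. The `AttestServer`, `SignChallenge` and `maxPerDevice` names are invented for this model.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// AttestServer is a simplified model (assumption, not Apple's API) of the
// server role: one-time challenges, registered keys, per-device counts.
type AttestServer struct {
	mu           sync.Mutex
	ttl          time.Duration
	maxPerDevice int // attestations per device above which we flag fraud risk
	now          func() time.Time
	challenges   map[string]time.Time        // challenge -> expiry
	keys         map[string]*ecdsa.PublicKey // keyID -> registered public key
	perDevice    map[string]int              // deviceID -> attestation count
}

func NewAttestServer(ttl time.Duration, maxPerDevice int) *AttestServer {
	return &AttestServer{
		ttl: ttl, maxPerDevice: maxPerDevice, now: time.Now,
		challenges: map[string]time.Time{},
		keys:       map[string]*ecdsa.PublicKey{},
		perDevice:  map[string]int{},
	}
}

// NewChallenge issues a random, single-use challenge with a short lifetime.
func (s *AttestServer) NewChallenge() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	ch := hex.EncodeToString(buf)
	s.mu.Lock()
	s.challenges[ch] = s.now().Add(s.ttl)
	s.mu.Unlock()
	return ch, nil
}

// Attest registers a public key for an app instance on deviceID and returns
// the key identifier plus a fraud-risk flag: a device that accumulates more
// attested keys than expected may be hosting several copies of the app.
func (s *AttestServer) Attest(deviceID string, pub *ecdsa.PublicKey) (string, bool) {
	sum := sha256.Sum256(elliptic.MarshalCompressed(pub.Curve, pub.X, pub.Y))
	keyID := hex.EncodeToString(sum[:])
	s.mu.Lock()
	defer s.mu.Unlock()
	s.keys[keyID] = pub
	s.perDevice[deviceID]++
	return keyID, s.perDevice[deviceID] > s.maxPerDevice
}

// VerifyAssertion consumes the challenge (whether or not the signature is
// good, so it can never be replayed) and checks that sig is a valid ECDSA
// signature over SHA-256(challenge) from the registered key.
func (s *AttestServer) VerifyAssertion(keyID, challenge string, sig []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	exp, ok := s.challenges[challenge]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, challenge)
	if s.now().After(exp) {
		return errors.New("challenge expired")
	}
	pub, ok := s.keys[keyID]
	if !ok {
		return errors.New("key not attested")
	}
	digest := sha256.Sum256([]byte(challenge))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}

// SignChallenge is the client side: the app signs the server's challenge with
// its attested private key (on a real device that key never leaves hardware).
func SignChallenge(priv *ecdsa.PrivateKey, challenge string) ([]byte, error) {
	digest := sha256.Sum256([]byte(challenge))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

func main() {
	srv := NewAttestServer(2*time.Minute, 3)
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	keyID, suspicious := srv.Attest("device-1", &priv.PublicKey)
	ch, _ := srv.NewChallenge()
	sig, _ := SignChallenge(priv, ch)
	fmt.Println("first assertion:", srv.VerifyAssertion(keyID, ch, sig), "suspicious:", suspicious)
	fmt.Println("replayed challenge:", srv.VerifyAssertion(keyID, ch, sig))
}
```

The challenge is deleted before the signature is checked, so a captured assertion cannot be retried, and the expiry is evaluated from the server's own clock rather than anything the client sends. The per-device count is the only fraud metric the article describes; a real deployment would tune the threshold to its own telemetry.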

Apple has provided a development environment where developers can prepare and onboard users to the new feature gradually. Apps can also use a test environment to validate themselves. Visit the DeviceCheck services site to learn more.
