Hello,
I've already made a similar post previously, but it's getting a bit old, so I'm re-launching it.
I am currently developing an iOS application using AppCheck with AppAttest. I have read Apple's documentation on AppAttest to understand how it works. However, there is a part I didn't understand.
When the public key is to be shared, Apple will create a certificate to attest that this public key belongs to an official instance of my application. Here is what it says about this verification on the official website:
How does the Apple server identify that the key comes from an official instance of my application?
I can also rephrase my question as follows: how does the Apple server detect an unofficial instance of my application if the data it receives for this check comes from it directly (I assume, and I am probably wrong) and can therefore be falsified?
Is this a secret process to which I cannot have access? That answer would also suit me.
Thanks for your attention!
Hello,
I am currently trying to upload a new build of my application on TestFlight and I need to know if my application uses encryption algorithms.
Apart from authentication managed by Firebase and data integrity managed by AppAttest, I don't see any other use of encryption in my application.
For me, these two features directly use Apple's encryption algorithms, but I didn't manage to get this information.
Am I considered as not needing proof, or do I have to provide it anyway?
Thank you for your attention.
Hello,
I am currently learning about how App Attest works and there are a few things I don't understand.
First of all, regarding the attestation certificates provided by Apple: once verified, they attest that the associated customer has a genuine Apple device. What is meant by a genuine Apple device: a non-jailbroken device, or simply a device that was produced by Apple?
In addition, I do not see how these certificates work: how do they attest to the authenticity of the device, and what do they contain?
Then, regarding the appId: is it kept in the Secure Enclave? Because if not, a super-user could very well modify the application and then modify the appId to put back the original.
Also, can a user use the AppAttest API without going through my application, for example in order to produce false certificates?
Regarding assertion formation for requests, let's imagine that the user does not have a login. The query may possibly be stored on the device in the meantime; will the assertion have already been bound or not?
Finally, since the key pair does not survive the reinstallation of the application, is there any way to block a device that is suspected of fraudulent activity?
Thank you for your attention!