Post

Replies

Boosts

Views

Activity

Reply to How AppAttest works ?
What is meant by a genuine Apple device -> that means the device has a certificate signed by a CA that chains up to Apple's App Attest Root CA. The appId is stored in your certificate and in each assertion. Super user can modify app id all he wants, he can't modify it in the certificate where Apple put it in on their (Apple's) servers. can a user use the AppAttest API without going through my application, in order to produce false certificates for example - the premise is that Apple keeps their Root CA private keys secure. If those were ever to be compromised then the answer would be yes. However, if that were to happen there would be much bigger issues all up. Regarding assertion formation for requests, let's imagine that the user does not have a login -> if the user does not have a login, don't generate said assertion? it's pretty simple. Is there any way to block a device that is suspected of having fraudulent activity -> that implementation detail is entirely up to your application code.
Jul ’21
Reply to App Attest Key Generation
So I doubt Apple will ever disclose this implementation detail of their proprietary hardware. However, the general overview is provided here: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave I would guess that they use some sort of Cryptographically secure pseudo random function to generate the EC curve points and would not use any hardware identifiers nor other keys to generate the points.
Jun ’21
Reply to AppAttest Assertion - signature verification failing
Which crypto library are you using on node side? Note that Apple's signature comes back ASN.1 Encoded as a Sequence of two integers, and the integers are positive big ints meaning they may have a leading 0x0 byte appended to them. In some frameworks (e.g. .Net) they expect a r|s signature format so you have to extract r and s out of the sequence sent by the device, remove leading 0x0 bytes if present and feed that to your crypto framework.
Jun ’21