Great, thank you!
"Based on my experience, I'd say you shouldn't expect to get any useful help from DTS (nor Feedback Assistant, nor anyone else at Apple) for problems like this. If they do have a weakness, they probably already know about it and they aren't going to discuss it with you."
I feared this, but I'm crossing my fingers anyway! Again, thanks for your input.
"Have you also used AppAttest?"
I have not, because our client is used in macOS apps too, and AppAttest isn't available there (I don't really understand why, because I don't see that in the docs, but DCAppAttestService.shared.isSupported always returns false on macOS).
Perhaps I should offer it as an enhancement for iOS customers.
"What happens if I get a pile of tokens from users of my app, and use them in fake requests to your server pretending to be from your app?"
I was wondering if this was the case. I use public key pinning in my clients to make it hard to drop mitmproxy in front of the app to harvest tokens, but perhaps they have worked around this.
I'll experiment with token expiry on Apple's servers to see if a scripter could accumulate a pile of them in time before they expire. I appreciate your thoughts!
I can only type 500-character comments, so I'll reply with a couple of messages.
Yes, the tokens are all different. I stuff each arriving token into a lookup to prevent replay (incidentally, this was one of my first learnings with DeviceCheck, that tokens will pass validation with Apple's servers no matter how many times you send them up!). Sounds like you have experience with this as well.
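A server-side replay lookup of the kind the last reply describes, as an added example that is not the poster's code: it fingerprints each DeviceCheck token and refuses a second presentation within a time window. The validate_with_apple callable and the 600-second window are assumptions; the poster's own plan is to measure how long Apple keeps accepting a token, and that measured value is what the window must cover.

```python
"""Replay guard for Apple DeviceCheck tokens (added example, not the thread author's code).

Assumption (not from the thread): validate_with_apple() stands in for the real call to
Apple's DeviceCheck endpoint. Apple accepts the same token any number of times, so
replay protection has to live on our own server, in front of that call.
"""
import hashlib
import time

# Assumed window. It must be at least as long as Apple keeps accepting a token,
# otherwise a scripter can wait for eviction and replay the same token successfully.
TOKEN_TTL_SECONDS = 600


class DeviceCheckReplayGuard:
    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable so the window can be tested deterministically
        self._seen = {}              # sha256(token) -> timestamp of first presentation

    @staticmethod
    def _fingerprint(token):
        # Store a digest rather than the raw token; tokens are large base64 blobs
        return hashlib.sha256(token.encode()).hexdigest()

    def _evict_expired(self, now):
        expired = [fp for fp, ts in self._seen.items() if now - ts > self._ttl]
        for fp in expired:
            del self._seen[fp]

    def check(self, token):
        """Return 'accepted' the first time a token is presented, 'replayed' afterwards."""
        now = self._clock()
        self._evict_expired(now)
        fp = self._fingerprint(token)
        if fp in self._seen:
            return "replayed"
        self._seen[fp] = now
        return "accepted"


def handle_request(guard, token, validate_with_apple):
    """Reject replays before spending a round trip to Apple, then validate the token."""
    if guard.check(token) == "replayed":
        return "rejected: replay"
    if not validate_with_apple(token):
        return "rejected: invalid token"
    return "ok"
```

Note that this stops a token from being reused, which is the failure the poster hit; it does nothing against a harvested token presented for the first time, the scenario raised in the earlier question.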