
Comment on How to get in contact with team that manages DeviceCheck
"What happens if I get a pile of tokens from users of my app, and use them in fake requests to your server pretending to be from your app?" I was wondering if this was the case. I use public key pinning in my clients to make it hard to drop mitmproxy in front of the app to harvest tokens, but perhaps they have worked around this. I'll experiment with token expiry on Apple's servers to see if a scripter could accumulate a pile of them in time before they expire. I appreciate your thoughts!
Dec ’24
Comment on How to get in contact with team that manages DeviceCheck
I can only type 500-character comments, so I'll reply with a couple of messages. Yes, the tokens are all different. I stuff each arriving token into a lookup to prevent replay (incidentally, this was one of my first learnings with DeviceCheck: tokens will pass validation with Apple's servers no matter how many times you send them up!). Sounds like you have experience with this as well.
Dec ’24
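The replay lookup the comment above describes, written out as an added example (it is not the commenter's code and is not Apple's DeviceCheck client). The server-side call to Apple is represented by an injectable `validate_with_apple` callable, which is an assumption of this example; the tokens, the clock and the TTL value are constructed for illustration.

```python
import hashlib
import time
from collections import OrderedDict
from typing import Callable


class TokenReplayCache:
    """Remembers the DeviceCheck tokens this server has already accepted.

    Apple validates the same token repeatedly, so the server itself has to
    refuse the second presentation of a token it has already consumed.
    """

    def __init__(self, ttl_seconds: float, now: Callable[[], float] = time.monotonic):
        self.ttl = ttl_seconds
        self.now = now              # injectable clock so behaviour is testable
        self._seen = OrderedDict()  # sha256(token) -> time first accepted, insertion-ordered

    @staticmethod
    def _key(token: str) -> str:
        # Keep a digest rather than the raw token, so the cache holds nothing
        # that could itself be replayed if it leaked.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def _evict_expired(self) -> None:
        cutoff = self.now() - self.ttl
        while self._seen:
            _, first_seen = next(iter(self._seen.items()))
            if first_seen > cutoff:
                break               # oldest entry still live; the rest are newer
            self._seen.popitem(last=False)

    def check_and_record(self, token: str) -> bool:
        """Return True and record the token if it is new; False if already seen."""
        self._evict_expired()
        key = self._key(token)
        if key in self._seen:
            return False
        self._seen[key] = self.now()
        return True

    def __len__(self) -> int:
        return len(self._seen)


def handle_device_token(token: str, cache: TokenReplayCache,
                        validate_with_apple: Callable[[str], bool]) -> str:
    """Server-side decision for one incoming device token.

    The replay check runs first so a replayed token never costs a round trip
    to Apple. `validate_with_apple` is an assumed stand-in for the real call to
    Apple's DeviceCheck endpoint; the actual HTTP client is not shown here.
    """
    if not cache.check_and_record(token):
        return "replay"
    if not validate_with_apple(token):
        return "invalid"
    return "ok"


def demo() -> list:
    """Constructed walk-through with a fake clock and a fake Apple validator."""
    clock = [1_000.0]
    cache = TokenReplayCache(ttl_seconds=600, now=lambda: clock[0])

    def fake_apple(token: str) -> bool:
        # Constructed stand-in: accepts anything shaped like a token our app minted.
        return token.startswith("tok-")

    results = []
    results.append(handle_device_token("tok-A", cache, fake_apple))  # first use: ok
    results.append(handle_device_token("tok-A", cache, fake_apple))  # same token again: replay
    results.append(handle_device_token("junk", cache, fake_apple))   # Apple rejects it: invalid
    clock[0] += 601                                                    # move past the TTL
    results.append(handle_device_token("tok-A", cache, fake_apple))  # entry evicted: ok again
    return results


if __name__ == "__main__":
    print(demo())
```

The last step in `demo()` is the caveat the commenter is about to measure: once an entry is evicted, the token is accepted again, so the cache TTL must be no shorter than the window in which Apple still accepts the token, and a single process-local cache only protects one server instance; a fleet needs the lookup in shared storage.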