The traffic image didn't come through in the original post. Here it is.
Thanks for the tip.
No, what I mean is: if I, an attacker, have my own trivial app and collect the tokens that my users send to my server (no MITM needed), I can then send those tokens to your app's API.
These would return non-200s from Apple's servers when the token was validated in the server-to-server call. It's actually quite tricky to get DeviceCheck to pass in the first place. A bunch of things need to be true:
1. An App Identifier in your developer dashboard must match the bundle identifier of your app exactly.
2. The app must be signed using a certificate from the team account that has that App Identifier.
3. A DeviceCheck secret key (used for the backend-to-backend communication) must be created from the same account as 1 and 2.
The fact that it's hard to get right gave me some confidence that it was also hard to forge. Now, I'm not so sure.
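The server-to-server call the reply above refers to, written out as an added example (not code from anyone in this thread). It builds the ES256 JWT that Apple's DeviceCheck endpoint expects as the Bearer token (header carries the key id, payload carries the team id as issuer) and the JSON body for the validate_device_token request. Assumptions not in the thread: TEAM_ID and KEY_ID are placeholder identifiers, and a P-256 key generated locally stands in for the .p8 key downloaded from the developer account; the `cryptography` package is used for the signing.

```python
"""DeviceCheck backend-to-backend validation request (added illustration).

Assumptions: TEAM_ID / KEY_ID are placeholders, and new_private_key() generates
a throwaway P-256 key in place of the real .p8 DeviceCheck key.
"""
import base64
import json
import time
import urllib.error
import urllib.request

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.utils import (
    decode_dss_signature, encode_dss_signature)

TEAM_ID = "ABCDE12345"  # placeholder 10-character Apple team identifier
KEY_ID = "XYZ9876543"   # placeholder DeviceCheck key identifier
VALIDATE_URL = "https://api.devicecheck.apple.com/v1/validate_device_token"


def new_private_key():
    """Throwaway P-256 key; a real deployment loads the .p8 from the same
    team account as the App ID (requirement 3 in the post)."""
    return ec.generate_private_key(ec.SECP256R1())


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_auth_jwt(private_key, team_id=TEAM_ID, key_id=KEY_ID, now=None) -> str:
    """ES256 JWT used as the Bearer token on every DeviceCheck call."""
    now = int(time.time()) if now is None else now
    header = {"alg": "ES256", "kid": key_id}
    payload = {"iss": team_id, "iat": now}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    der_sig = private_key.sign(signing_input.encode(), ec.ECDSA(hashes.SHA256()))
    r, s = decode_dss_signature(der_sig)  # JWS wants raw r||s (64 bytes), not DER
    raw_sig = r.to_bytes(32, "big") + s.to_bytes(32, "big")
    return signing_input + "." + b64url(raw_sig)


def verify_auth_jwt(token: str, public_key):
    """Check the ES256 signature; return (header, payload). Raises on a bad
    signature. Apple performs the equivalent check against the key id."""
    h, p, sig = token.split(".")
    raw = b64url_decode(sig)
    der = encode_dss_signature(int.from_bytes(raw[:32], "big"),
                               int.from_bytes(raw[32:], "big"))
    public_key.verify(der, f"{h}.{p}".encode(), ec.ECDSA(hashes.SHA256()))
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def build_validate_request(device_token: str, private_key, transaction_id: str):
    """Headers and JSON body for POST /v1/validate_device_token.
    device_token is the base64 string the app got from DCDevice.generateToken."""
    body = {"device_token": device_token,
            "transaction_id": transaction_id,
            "timestamp": int(time.time() * 1000)}  # milliseconds since the epoch
    headers = {"Authorization": "Bearer " + make_auth_jwt(private_key),
               "Content-Type": "application/json"}
    return headers, body


def validate_device_token(device_token, private_key, transaction_id,
                          url=VALIDATE_URL) -> int:
    """Perform the call and return the HTTP status: 200 means Apple accepted
    the token for this team; anything else is the non-200 the post describes.
    Needs network access and a real key."""
    headers, body = build_validate_request(device_token, private_key, transaction_id)
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    key = new_private_key()
    headers, body = build_validate_request("<device token from the app>", key, "txn-1")
    print(headers["Authorization"][:40] + "...", body)
```

The thing to notice is what the backend actually sends: only the token, a transaction id, and a timestamp, authenticated by a JWT tied to the team's key. Whether a token minted inside some other team's app passes is decided entirely by Apple's response to this call, which is why the reply above checks the status code rather than trusting anything in the token itself.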