I wonder about security around Apple Wallet Passes API hosted by passes' issuer - it sounds quite reasonable to assume that deviceLibraryIdentifier and serialNumber are (or should be) difficult to guess (even to be discovered by brute force program), but how to secure the Log endpoint (https://developer.apple.com/documentation/walletpasses/log_a_message) to ensure that "spam" log messages are not accepted from anyone, but only actual log messages from Apple are accepted?
Links:
https://developer.apple.com/library/archive/documentation/PassKit/Reference/PassKit_WebService/WebService.html
https://developer.apple.com/documentation/walletpasses
Links:
https://developer.apple.com/library/archive/documentation/PassKit/Reference/PassKit_WebService/WebService.html
https://developer.apple.com/documentation/walletpasses