Hello,
I am currently learning about how App Attest works and there are a few things I don't understand.
First of all for the certificates of the attestation provided by Apple. Once verified, they attest that the associated customer has a genuine Apple device. What is meant by a genuine Apple device, a non-jailbroken device or simply a device that was produced by Apple? In addition I do not see how these certificates work, how they attest to the authenticity of the device, what they contain?
Then regarding the appId, is it kept in the Secure Enclave? Because if not, a super-user could very well modify the application and then go and modify the appId to put back the original.
Also, can a user use the AppAttest API without going through my application, in order to produce false certificates for example.
Regarding assertion formation for requests, let's imagine that the user does not have a login. The query may possibly be stored on the device in the meantime, will the assertion have already been bound or not?
Finally, since the key pair does not survive the reinstallation of the application. Is there any way to block a device that is suspected of having fraudulent activity?
Thank you for your attention!