App Attest receipt update server returning 404 response

I have an App Attest server implementation which is generally functioning well.

From time to time, however, I get receipts which do not refresh when I send them to Apple's server; I get a 404 response. The docs (https://developer.apple.com/documentation/devicecheck/assessing_fraud_risk?language=objc - "Understanding HTTP Response Codes") say this means "No data available for the supplied receipt".

Once a receipt is in this state it seems "stuck", i.e. it will never return a new receipt.

I have seen this for both the development and production environments.

Does anyone know what this means, and what I should do?

Generally speaking you should hold on to and continue to use the last valid receipt you received.

The data used to compute the risk metric is only stored for a limited time. If there are no further attestation requests for your app on the same device, eventually all the data will expire and your requests will start receiving a 404.

If after that point there are further attestation requests for your app on that device, the metric will increase again and you will receive a fresh receipt in response to your request.

I now have a few months of data to look at.

I have now seen examples where receipts that were failing to refresh with 404s have "come back to life".

A problem is that my exponential backoff means that it can take a while for me to discover that the receipts are working again. So for example, if a user doesn't use the app for 8 weeks then I will have stopped getting refreshed receipts after 3 weeks and after 5 weeks I will only be attempting to refresh every 20 days. This gives quite a long window when I don't have an up-to-date risk metric.
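One way to combine the points raised in this thread, as an added example that is not code from any poster or from Apple: keep the last valid receipt on a 404, back off between attempts, and pull the next attempt forward as soon as the app is seen again. The names, the delay values, and the premise that the server can tie new attestation or assertion traffic to the stored receipt are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

BASE_DELAY = timedelta(days=1)   # assumed refresh interval
MAX_DELAY = timedelta(days=20)   # backoff ceiling, as in the post above
MAX_EXPONENT = 10                # keeps 2**n bounded for long-dormant installs


@dataclass
class ReceiptState:
    receipt: bytes               # last valid receipt; never discarded on 404
    next_attempt: datetime
    failures: int = 0            # consecutive 404 responses


def record_refresh(state: ReceiptState, status: int, body: bytes,
                   now: datetime) -> None:
    """Update state from one refresh response (status code and body only)."""
    if status == 200 and body:
        state.receipt = body                 # fresh receipt replaces the old one
        state.failures = 0
        state.next_attempt = now + BASE_DELAY
    elif status == 404:
        # "No data available": keep the stored receipt and back off.
        state.failures += 1
        exponent = min(state.failures - 1, MAX_EXPONENT)
        state.next_attempt = now + min(BASE_DELAY * 2 ** exponent, MAX_DELAY)
    else:
        # Anything else is treated as transient: retry soon, and do not
        # count it toward the 404 backoff.
        state.next_attempt = now + BASE_DELAY


def record_activity(state: ReceiptState, now: datetime) -> bool:
    """Call when this installation sends a new attestation or assertion.

    A backed-off receipt becomes due immediately, so a returning user does
    not wait out the rest of a 20-day interval. Returns True if rescheduled.
    """
    if state.failures == 0:
        return False
    state.failures = 0
    state.next_attempt = min(state.next_attempt, now)
    return True
```
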
