Undocumented behavior about risk metric refresh

Hello, I'm developing a server that uses the App Attest feature. During development I found behavior that is not described in the documentation, and I would like to ask about it.

  1. When does Apple's server return 404 for a risk metric refresh request?

A month after the attestation, the receipt is not past its expiration time, but a 404 is returned from Apple's server when I try to refresh. And the same receipt refreshes the risk metric normally again if attestation is performed again. This behavior is not in the documentation, but I wonder if it is intended.

  2. Is there a case where an attestation has occurred but the risk metric value does not increase?

I found a case where attestation occurred twice on one device, but when both receipts were refreshed, the risk metric returned 1. Is this expected behavior? If so, I would like to know the detailed conditions under which it occurs.

Thank you.

Answered by Engineer in 790540022

> It seems to me that the period during which risk metric refresh is possible is within a month of attestation. After that, 404 is returned.

Yes, we only store related data for 30 days for privacy considerations. So 404 is expected after the expiration of the data retention period.

> Is there a case where an attestation has occurred but the risk metric value does not increase?

For the same app on the same device, we treat repeated attestation (i.e. the exact same attestation request) as a single event, because essentially no new certificate is issued from Apple's side.

See this thread:

https://developer.apple.com/forums/thread/702845

How are you getting on with App Attest generally? I fear it has too many false positives to deploy in production.

Thank you, I also read the thread.

It seems to me that the period during which risk metric refresh is possible is within a month of attestation. After that, 404 is returned. When I perform App Attest on the device again, I have confirmed that the refresh succeeds with the receipt from the previous attestation. This is probably the reason why there are some cases of success again after a 404 failure.

> How are you getting on with App Attest generally?

Only one attestation is performed while using the app.

There seems to be an Apple-internal spec that hasn't been made public; I want this to be clearly documented in order to use this feature properly.
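The two behaviors discussed in this thread (a 404 from the refresh endpoint once Apple's 30-day data retention has passed, and a risk metric that does not grow when the same app on the same device re-attests) both need to be handled on the server so that neither is mistaken for fraud. The following is an added example, not code from this thread's author or from Apple. It models only the decision logic after the refresh request has been made; the HTTP call itself is left out. The `device_key` field and the `demo_timeline` scenario are assumptions constructed for illustration, and the rule that a re-attestation reopens the refresh window is taken from the reply above, not from Apple's documentation.

```python
"""Server-side handling of App Attest risk-metric refresh results.

Constructed example (not Apple's code, not the thread author's server).
It encodes what this thread states:
  * Apple keeps refresh data for 30 days after attestation; a refresh
    request after that returns HTTP 404, which is expected, not an error.
  * The thread's author observed that re-attesting the same device makes
    the older receipt refreshable again, so the window below is keyed on
    the most recent attestation seen for that device/app.
  * Repeated attestations from the same app on the same device count as
    a single event, so the risk metric may stay at 1.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional

RETENTION_DAYS = 30  # stated in the engineer's reply in this thread


class RefreshOutcome(Enum):
    REFRESHED = "refreshed"                        # 200: receipt and metric updated
    RETENTION_EXPIRED = "retention_expired"        # 404 outside the 30-day window: expected
    NOT_FOUND_IN_WINDOW = "not_found_in_window"    # 404 inside the window: worth investigating
    UNEXPECTED = "unexpected"                      # any other status: log and retry later


@dataclass
class ReceiptRecord:
    device_key: str                 # assumption: whatever key the server stored at attestation
    attested_at: datetime           # most recent attestation for this device/app
    receipt_expires_at: datetime    # expiration time parsed from the receipt itself
    attestation_count: int = 1      # attestations the server has seen for this key
    risk_metric: Optional[int] = None


def refresh_window_open(record: ReceiptRecord, now: datetime) -> bool:
    """True while Apple is still expected to hold data for this receipt."""
    return now - record.attested_at < timedelta(days=RETENTION_DAYS)


def should_attempt_refresh(record: ReceiptRecord, now: datetime) -> bool:
    """Skip the request when the receipt has expired or the retention window
    has closed; in the second case the device needs a fresh attestation."""
    return now < record.receipt_expires_at and refresh_window_open(record, now)


def note_reattestation(record: ReceiptRecord, now: datetime) -> ReceiptRecord:
    """A further attestation from the same device/app restarts the window
    (as observed in the thread); the count is kept only for bookkeeping,
    because Apple treats the repeat as the same event."""
    record.attested_at = now
    record.attestation_count += 1
    return record


def classify_refresh(record: ReceiptRecord, status: int, now: datetime,
                     risk_metric: Optional[int] = None) -> RefreshOutcome:
    """Map an HTTP status from the refresh endpoint onto a server decision."""
    if status == 200:
        if risk_metric is not None:
            record.risk_metric = risk_metric
        return RefreshOutcome.REFRESHED
    if status == 404:
        if refresh_window_open(record, now):
            return RefreshOutcome.NOT_FOUND_IN_WINDOW
        return RefreshOutcome.RETENTION_EXPIRED
    return RefreshOutcome.UNEXPECTED


def metric_looks_suspicious(record: ReceiptRecord, threshold: int) -> bool:
    """Judge only the absolute metric. A metric that stayed at 1 after our
    own re-attestation is the behaviour described in this thread, so the
    server's attestation_count is deliberately not compared against it."""
    return record.risk_metric is not None and record.risk_metric > threshold


def demo_timeline() -> List[str]:
    """Constructed scenario walking through the thread's observations;
    returns the sequence of outcomes so it can be checked without a network."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    rec = ReceiptRecord("key-A", attested_at=t0,
                        receipt_expires_at=t0 + timedelta(days=90))
    out = []
    out.append(classify_refresh(rec, 200, t0 + timedelta(days=10), risk_metric=1).value)
    out.append(str(should_attempt_refresh(rec, t0 + timedelta(days=31))))   # window closed
    out.append(classify_refresh(rec, 404, t0 + timedelta(days=35)).value)   # expected 404
    note_reattestation(rec, t0 + timedelta(days=35))                        # device re-attests
    out.append(classify_refresh(rec, 200, t0 + timedelta(days=36), risk_metric=1).value)
    out.append(str(metric_looks_suspicious(rec, threshold=3)))             # metric 1: not flagged
    out.append(classify_refresh(rec, 404, t0 + timedelta(days=37)).value)   # 404 inside window
    return out
```

A 404 after the window is therefore a signal to ask the client to attest again, not to block it; a 404 inside the window, or a metric above whatever threshold the app chooses, is what actually deserves a closer look.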
