DeviceCheck API usage

I know DeviceCheck can set and get two bits of information. Can we use that API directly or indirectly to store and get app/jws/jwt tokens?

Replies

Can we use that API directly or indirectly to store and get app/jws/jwt tokens?

Probably not. Presumably you’re using JWT to identify users, and DeviceCheck was designed to make it unusable for that task.

Can you explain more about the background to your query?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

This question is related to https://forums.developer.apple.com/thread/120839


I wanted to store a static/hardcoded key/token in the app but couldn't find a promising solution. So I thought of checking whether Apple provides any mechanism to store and retrieve the token.

I wanted to store a static/hardcoded key/token in the app but couldn't find a promising solution.

This is not an intended use case for DeviceCheck.

What you’re trying to implement here is a form of DRM, a topic that has come up many times here on DevForums. You can find my take on it here.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I read the forum thread that you shared here. Are there any articles or documents available about DRM on the Apple developer website?

Are there any articles or documents available about DRM on the Apple developer website?

No. If you follow the link in that post I referenced, you’ll find an explanation as to why DTS doesn’t support DRM development.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Are you suggesting to use SQLite to store static text securely? Can we use Keychain as well?

Are you suggesting to use SQLite to store static text securely?

No, I’ve not mentioned SQLite in this thread at all.

Can we use Keychain as well?

It’s certainly possible to store arbitrary small credentials in the keychain, and such credentials are protected by all of the standard protections the system gives to keychain items [1]. However, based on your previous posts it seems like you want to pre-populate the keychain with a credential, and that’s not possible. The only way to get an item into the keychain is to add it programmatically.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] See the iOS Security document, which you can find a link to in the Security Resources pinned post.

The only way to get an item into the keychain is to add it programmatically.

>>>>> Yes, we know that the hardcoded string can be added to the keychain programmatically. The question here is, "will storing the key which is hardcoded in the app in the keychain be secured?"

Define 'secured'...


Docs on 'security' linked here: https://developer.apple.com/security/


Doc on Security/API Collection: Keychain Services here.


Fairplay docs center on implementation, not policy.