Attestation for iOS app

Hi, we need to prove with as much certainty as possible that the user's phone running our app is not jailbroken and our app is exactly as we shipped it (not modified). We need to be able to verify it both client side and validate it by our server. We were thinking of using the DeviceCheck API but our security team is not sure this is good enough. Is there a way Apple recommends we do this?

Replies

Don't know if this method is absolutely sure, but hope it can help:

https://medium.com/@pinmadhon/how-to-check-your-app-is-installed-on-a-jailbroken-device-67fa0170cf56


I'm not sure DeviceCheck is intended for this purpose. I understand it lets you mark some bits on the device for a further check, but not detect a jailbroken device. However, combining with the first method, you could do an initial detection, then mark the device and later test with DeviceCheck.


Hope that helps.

Is there a way Apple recommends we do this?

DTS specifically recommends that you not do this. Read this post for an explanation as to why.

I’m currently working with a developer whose app was broken because they were doing exactly this and they did the wrong thing with trust evaluation )-: They are now in the process of shipping an emergency update. That’s not a situation you want to find yourself in.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Check out the Device Check framework for details on using Apple's Attestation service to establish your app's integrity and that the connections to your server are coming from legitimate instances of your app.
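
For the server-side validation the question asks about, here is an added example (not from any poster in this thread) covering part of the attestation checks Apple documents for App Attest: the authenticator-data fields and the nonce. It assumes the CBOR attestation object is already decoded and that the certificate chain and the nonce extension are verified separately; the app ID, key ID and sample bytes are constructed.

```python
import hashlib
import struct

# AAGUID values documented for App Attest: development and production.
AAGUID_DEV = b"appattestdevelop"
AAGUID_PROD = b"appattest" + b"\x00" * 7


def parse_auth_data(auth_data: bytes) -> dict:
    """Split the fixed-layout prefix of the WebAuthn-style authenticator data."""
    if len(auth_data) < 55:
        raise ValueError("authenticator data too short")
    cred_len = struct.unpack(">H", auth_data[53:55])[0]
    if len(auth_data) < 55 + cred_len:
        raise ValueError("credential ID truncated")
    return {
        "rp_id_hash": auth_data[:32],
        "counter": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": auth_data[37:53],
        "credential_id": auth_data[55:55 + cred_len],
    }


def expected_nonce(auth_data: bytes, challenge: bytes) -> bytes:
    """nonce = SHA256(authData || SHA256(challenge)); compare it with the value
    in the leaf certificate's 1.2.840.113635.100.8.2 extension."""
    return hashlib.sha256(auth_data + hashlib.sha256(challenge).digest()).digest()


def check_auth_data(auth_data: bytes, app_id: str, key_id: bytes, production: bool) -> list:
    """Return the list of failed checks; an empty list means these checks pass."""
    f = parse_auth_data(auth_data)
    failures = []
    if f["rp_id_hash"] != hashlib.sha256(app_id.encode()).digest():
        failures.append("app ID hash mismatch")
    if f["counter"] != 0:
        failures.append("counter is not zero")
    if f["aaguid"] != (AAGUID_PROD if production else AAGUID_DEV):
        failures.append("unexpected aaguid")
    if f["credential_id"] != key_id:
        failures.append("credential ID does not match key ID")
    return failures


# Constructed sample input (not captured from a device).
APP_ID = "ABCDE12345.com.example.app"  # hypothetical TeamID.bundleID
KEY_ID = hashlib.sha256(b"constructed public key").digest()
SAMPLE = (hashlib.sha256(APP_ID.encode()).digest() + b"\x40" + struct.pack(">I", 0)
          + AAGUID_PROD + struct.pack(">H", len(KEY_ID)) + KEY_ID)
```

The challenge passed to `expected_nonce` must be the one-time value your server issued for this attestation, so that a captured attestation cannot be replayed.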