App Integrity

Apple does not provide any supported way for you to check your app’s integrity. iOS already does that by default. And if that system check has been subverted, adding your own check is of limited utility because, without the system check, there’s nothing protecting your checking code.

Adding your own app integrity checking is equivalent to implementing a DRM scheme. There’s a bunch of problems with doing this:

• From a business perspective, it puts you in an arms race with your attackers, which is not good.

• Given the above, you have to decide on a threat model and, from that, work out how much effort you’re going to invest in developing your DRM scheme. This is something I’ve posted about before on the old DevForums, and recently resurrected on this thread.

• From a technical perspective, DRM schemes tend to involve lots of ugly low-level code, code that is tightly bound to the OS implementation, and thus more likely to fail as the system evolves.

• If you’re lucky these problems crop up as you develop your app. If you’re unlucky, and your DRM scheme fails due to an OS update or a new hardware release, you end up inconveniencing your legitimate users, and that’s really bad.

For this and other reasons, DTS does not support DRM scheme development.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I'm looking for any guidance if apple uses the Secure Enclave for the following:

In App Purchase Reciepts

FairPlay DRM

I know ApplePay uses the Enclave, but what would be nice is for me to get the iPhone hardware to encrypt "something" that I can validate on my server. I'm not sure if I can accomplish that with FairPlay, In App Purchase reciepts, etc.

I don't want to create my own hardware DRM, just want to use yours.

… what would be nice is for me to get the iPhone hardware to encrypt "something" that I can validate on my server.

You need to think more clearly the mechanics of this. Specifically, pay attention to this quote from my earlier post:

iOS already does [app integrity checking by default. And if that system check has been subverted, adding your own check is of limited utility because, without the system check, there’s nothing protecting your checking code.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi eskimo,

I have similar question.

Is any document for App has to guarantee integrity in iOS by Apple?

We'd like to get support's assist for solve some issues of ISMS (information Security Management System) that Korean IT security law. It has to be update each years and we are under consulting for renew ISMS license.

* The issue as follows;

'Integrity problem; App runs when hash key of the app has tampered'

* Consult's solution;

App has to guarantee integrity.

* The reappearance test steps;

step 1) Check 'SHA256' hash

step 2) Randomly select and falsify app for brake integrity

step 3) Check 'SHA256' hash

step 4) App available to run

Just let us know if you need more info or check for it.

Is any document for App has to guarantee integrity in iOS by Apple?

The iOS Security document has Apple’s official description of iOS’s security architecture. I’m not going to comment beyond that because it’s clear that your question is more about the legalities of compliance to a government-mandated standard rather than anything technical.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi, we found could use tools like objection and Frida to debug the app and modify the return value of function to change app behavior on non-jailbreak devices. and the security company suggest us to do code integrity check and debugger detection to prevent these tools. Then how could we made it on ios? as found both not allowed by Apple now, thanks

This thread is very old and there’s been one significant change since then, namely the introduction of the App Attest service. For the details, see Establishing Your App’s Integrity.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@eskimo thanks for your answer, let me double confirm. our company hired an IT Audit company, and they provide a report saying: we need to do code integrity check and debugger detection. Previously, apple provide a way https://developer.apple.com/library/archive/qa/qa1361/_index.html to detect debugger, now the api is private. So for for the 2 issues: code integrity check and debugger detection. the official solution will be https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity, right? thanks.

we need to do code integrity check and debugger detection

On what platform? ’cause back when I wrote QA1361 there was only macOS (-:

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

should we use QA1361 to detect debugger in ios?

IMO there’s no point doing this at a technical level. iOS prevents apps from being debugged unless they’re signed with the get-task-allow entitlement. Apps that you distribute via standard distribution channels (the App Store, TestFlight, In-House (Enterprise)) can’t be signed with the get-task-allow entitlement. And if someone has compromised a device such that they can defeat the get-task-allow entitlement check, they could just as easily defeat a P_TRACED check.

IMO App Attest is the only meaningful extra protection you can apply to your app.

However, my experience is that “IT Audit” teams offer up a lot of advice that doesn’t make sense from a technical perspective. So, whether you “should” follow their advice kinda depends on the relationship between you, your auditors, and your management. And I’m not going to step in to that particular ‘love’ triangle (-:

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"