The DeviceCheck feature will get an overhaul in iOS 14, with the all-new App Attest API being added to strengthen defenses against tampered and repurposed apps.
Apple has issued an advisory to iOS app developers, recommending that they make the most of the brand-new application programming interface (API) that will add an extra layer to their app integrity protection. The functionality is part of the existing DeviceCheck service, which is aimed at minimizing abuse of code written for the iOS platform. The most significant change App Attest brings is that a cryptographic key is created on the device and used to vet the app's integrity before the app's server grants it access. Essentially, this is a countermeasure against compromised apps, or apps modified and repurposed to perform malicious tasks on jailbroken devices. The protection boost will take effect for all users with the official release of iOS 14, which is expected in the fall of 2020.
So, how does App Attest enhance DeviceCheck?
To understand the gist of the upcoming changes, let's go over the basics of what the DeviceCheck service does. Introduced with the public roll-out of iOS 11 back in 2017, it is a firmly established mechanism (technically, an API) that uniquely identifies a mobile device. To set its checks in motion, it hinges on a token generated on the application-server side, which queries a small fragment of binary data assigned to each device that runs the app. This way, a developer can pinpoint devices that have already participated in a promo campaign. It also allows an app publisher to tag a device that has previously been involved in foul play such as unauthorized removal of ads, game cheating, or fraudulent access to premium features.
While this logic is effective enough, there is always room for improvement when it comes to the integrity of products offered on a marketplace as reputable as the App Store. App Attest complements the token-based side of DeviceCheck with an additional piece of identification data, namely a cryptographic key. This key is created by the DCAppAttestService class in order to validate the specific instance of an application running on a device. Apple verifies the validity of the key, and if the check passes, the app can interact with its server and request sensitive information from it.
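As an added illustration of that flow (not code from the article or from Apple's documentation), here is the client side a developer would wire up with DCAppAttestService: a one-time key generation and attestation bound to a server-issued challenge, then a per-request assertion over the request body. The challenge, the request payload and the UserDefaults key name are assumptions; the backend that validates the attestation object and assertions against Apple's App Attest root certificate is not shown.

```swift
import DeviceCheck
import CryptoKit
import Foundation

// Added example: client-side App Attest flow. The key lives in the Secure
// Enclave; only its identifier is stored locally. The server must verify the
// attestation object and each assertion before trusting a request.
enum AppAttestClient {
    enum AttestError: Error { case unsupported, noEnrolledKey }

    static let service = DCAppAttestService.shared
    static let keyIdDefaultsKey = "appAttestKeyId"   // assumed storage key name

    // One-time enrollment: generate a key and attest it against a server challenge.
    static func enroll(serverChallenge: Data,
                       completion: @escaping (Result<(keyId: String, attestation: Data), Error>) -> Void) {
        guard service.isSupported else {          // e.g. simulator or unsupported hardware
            completion(.failure(AttestError.unsupported)); return
        }
        service.generateKey { keyId, error in
            guard let keyId = keyId else { completion(.failure(error!)); return }
            // Bind the attestation to a fresh server challenge so it cannot be replayed.
            let clientDataHash = Data(SHA256.hash(data: serverChallenge))
            service.attestKey(keyId, clientDataHash: clientDataHash) { attestation, error in
                guard let attestation = attestation else { completion(.failure(error!)); return }
                UserDefaults.standard.set(keyId, forKey: keyIdDefaultsKey)
                // The app now sends keyId + attestation to its server for verification.
                completion(.success((keyId, attestation)))
            }
        }
    }

    // Per request: sign a hash of the request body (which should embed a server
    // challenge) with the attested key; the server checks the assertion's counter
    // and signature before serving sensitive data.
    static func assert(requestBody: Data,
                       completion: @escaping (Result<Data, Error>) -> Void) {
        guard let keyId = UserDefaults.standard.string(forKey: keyIdDefaultsKey) else {
            completion(.failure(AttestError.noEnrolledKey)); return
        }
        let clientDataHash = Data(SHA256.hash(data: requestBody))
        service.generateAssertion(keyId, clientDataHash: clientDataHash) { assertion, error in
            guard let assertion = assertion else { completion(.failure(error!)); return }
            completion(.success(assertion))
        }
    }
}
```

If a server-side check of the assertion ever fails, the sensible recovery is to discard the stored key identifier and run the enrollment step again rather than retrying with the same key.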
Both app makers and users will benefit from the change
Given that hacked and fraudulently modified applications are an increasingly common source of security and privacy issues in the iOS ecosystem, the new App Attest API should reduce the scope of fraud stemming from this form of exploitation. It will allow developers to ascertain that users are running valid versions of their apps. It will also raise the bar for cybercrooks by fending off malicious app copycats that engage in unwanted behavior such as identity theft, account takeover, and malvertising. Meanwhile, app authors should get the hang of this promising enhancement to make sure their products deliver a safe user experience from iOS 14 onward.