Remove the Constraints of iOS App Attest and DeviceCheck

There is an assumption in developer circles that the iOS platform is inherently more secure than Android. Various reasons exist for why this bias persists - Apple’s closed ecosystem, restrictions on user customization, and stringent App store reviews are a few of the primary influencers. However, this is not the case.
In fact, studies have shown iOS apps are as prone, if not more so, to attacks as their Android counterparts. Thus, iOS applications greatly benefit from security solutions like code obfuscation and encryption, as well as from developers who follow secure software development best practices. Once out on the App Store and on your users’ devices, your iOS app is at risk from threats by bad actors. Solutions like app attestation and threat monitoring help to protect your APIs against attackers and mitigate these risks.
Apple has built a native mobile app attestation, Apple App Attest, and a device integrity framework, DeviceCheck, to reduce threats. However, these solutions have limited functionality and scope while lacking the insights and robust defenses iOS apps require to combat today’s threats. We’ll dig deeper into why these solutions should be complemented with a robust mobile app attestation approach, which insights matter, and what a comprehensive solution to mobile app attestation resembles.
What is App Attest and DeviceCheck
DeviceCheck is a native device-attestation service built by Apple for iOS applications. DeviceCheck, originally developed for the release of iOS 11, is an API framework developers can leverage to evaluate and control the state of an iOS, iPadOS, or watchOS device. It has two primary functions: persistent bit storage (commonly referenced as “two-bits”) and client-integrity functionality (App Attest).
“Two-bit” storage
“Two-bit” storage was the original function of DeviceCheck. Through this technology, developers store two binary digits (bits) of data on Apple servers for each device interacting with their app. The bits are persistent across app uninstalls, device resets, and different user accounts, even if they exist on the same device.
The way it works is your app generates a unique, anonymous token on the user’s device. The token is then sent to your app’s server on the backend. Once received, your backend server makes an API call to Apple’s DeviceCheck servers and provides the device token. The Apple server either queries the current state of the two bits or updates them, if needed.
Many ecommerce apps, among others, leverage DeviceCheck to manage their promotions and offers. For instance, if an app has a limited time promotion or offers a free trial, DeviceCheck will prevent a user from claiming the offer multiple times. Since the device has been marked, this will remain true even if the app is reinstalled on that device or a new user account is created.
Fraud flagging is another valuable use case for marking known devices engaged in dishonest activity. Using DeviceCheck, a fraudulent device that’s identified by other monitoring systems can be signaled by setting a bit on Apple’s servers. Once applied, your application(s) on that device will query that bit to enforce tougher rules or block that app entirely.
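The promotion and fraud-flagging flows described above, as an added example that is not part of the original article or of Apple’s documentation. Apple’s servers are replaced by an in-memory mock so the code runs offline; the endpoint paths and the request and response field names follow Apple’s DeviceCheck API, while the bit assignments (bit0 = promotion claimed, bit1 = fraud flag) and the token format `<device-id>:<nonce>` are conventions chosen for this example. Signing the server’s JWT for the real call with your DeviceCheck key is not shown.

```python
"""DeviceCheck "two-bit" server-side flow, modelled offline (constructed example)."""
import time
import uuid
from datetime import datetime, timezone

# Real DeviceCheck endpoints, for reference; the mock below stands in for them.
DEVICECHECK_BASE = "https://api.devicecheck.apple.com/v1"
QUERY_ENDPOINT = f"{DEVICECHECK_BASE}/query_two_bits"
UPDATE_ENDPOINT = f"{DEVICECHECK_BASE}/update_two_bits"

# Bit assignments chosen for this example (assumption, not an Apple convention).
BIT_PROMO_CLAIMED = "bit0"
BIT_FRAUD_FLAG = "bit1"


def query_body(device_token: str) -> dict:
    """Request body for /query_two_bits as Apple documents it."""
    return {
        "device_token": device_token,
        "transaction_id": str(uuid.uuid4()),
        "timestamp": int(time.time() * 1000),  # milliseconds since the epoch
    }


def update_body(device_token: str, bit0: bool, bit1: bool) -> dict:
    """Request body for /update_two_bits; both bits are always sent together."""
    body = query_body(device_token)
    body.update({"bit0": bit0, "bit1": bit1})
    return body


class MockDeviceCheck:
    """In-memory stand-in for Apple's servers.

    Apple resolves each short-lived device token to a device. Here the constructed
    token format "<device-id>:<nonce>" lets several tokens map to one device.
    """

    def __init__(self):
        # device-id -> {"bit0": bool, "bit1": bool, "last_update_time": "YYYY-MM"}
        self._bits = {}

    @staticmethod
    def _device_id(token: str) -> str:
        return token.split(":", 1)[0]

    def query_two_bits(self, body: dict):
        # A device whose bits were never set has no stored state; modelled as None.
        return self._bits.get(self._device_id(body["device_token"]))

    def update_two_bits(self, body: dict) -> None:
        self._bits[self._device_id(body["device_token"])] = {
            "bit0": body["bit0"],
            "bit1": body["bit1"],
            # Apple reports last_update_time with month granularity.
            "last_update_time": datetime.now(timezone.utc).strftime("%Y-%m"),
        }


class PromotionService:
    """Business logic layered on top of the two bits."""

    def __init__(self, devicecheck):
        self.dc = devicecheck

    def _state(self, device_token: str) -> dict:
        return self.dc.query_two_bits(query_body(device_token)) or {"bit0": False, "bit1": False}

    def redeem_promotion(self, device_token: str) -> str:
        state = self._state(device_token)
        if state[BIT_FRAUD_FLAG]:
            return "blocked"          # device flagged by another monitoring system
        if state[BIT_PROMO_CLAIMED]:
            return "already_claimed"  # survives reinstall and new user accounts
        self.dc.update_two_bits(update_body(device_token, bit0=True, bit1=state[BIT_FRAUD_FLAG]))
        return "granted"

    def flag_device(self, device_token: str) -> None:
        """Mark the device as fraudulent while preserving the promotion bit."""
        state = self._state(device_token)
        self.dc.update_two_bits(update_body(device_token, bit0=state[BIT_PROMO_CLAIMED], bit1=True))


def demo() -> list:
    """Constructed walk-through: one device claims, is re-checked with a new token, gets flagged."""
    svc = PromotionService(MockDeviceCheck())
    results = [svc.redeem_promotion("device-A:token1")]       # granted
    results.append(svc.redeem_promotion("device-A:token2"))   # already_claimed (new token, same device)
    svc.flag_device("device-A:token3")
    results.append(svc.redeem_promotion("device-A:token4"))   # blocked
    results.append(svc.redeem_promotion("device-B:token1"))   # granted (different device)
    return results
```

Because every update sends both bits, the service always reads the current state first so that flagging a device does not silently clear its promotion bit, and vice versa. In production, the two `MockDeviceCheck` methods would be replaced by authenticated POSTs to `QUERY_ENDPOINT` and `UPDATE_ENDPOINT`.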
App Attest
App Attest was later introduced with the release of iOS 14 to beef up DeviceCheck. The main goal of App Attest is to authenticate and verify the integrity of your app binary. App Attest obtains a verdict that an app attempting to reach your servers has not been tampered with or modified and is a genuine app signed by Apple.
The service uses the Secure Enclave, which is a dedicated hardware security component that’s installed on Apple devices. A cryptographic attestation key is generated in the Secure Enclave, and Apple’s servers then verify that this key was created by an unmodified version of your app on a genuine Apple device. Afterwards, your server can use this attestation key pair to verify that future requests are coming from a legitimate install of your application.
All iOS applications concerned with mobile security can benefit from an attestation service like App Attest. However, there are certain use cases in which app attestation is particularly beneficial. For instance, gaming applications using App Attest can defend against mobile app tampering in sideloaded apps by bad actors looking to gain an advantage. This is essential to maintaining game integrity so there is a level playing field amongst users.
Other App Attest use cases include securing financial transactions, protecting gated or premium content, and increasing overall API security by removing unauthorized access to your APIs by bots or modified apps.
Benefits of App Attest and DeviceCheck
In addition to the use cases outlined earlier, App Attest and DeviceCheck offer several security benefits for iOS developers.
Affirms app integrity
App Attest assists developers in verifying the genuineness of an application attempting to contact their servers. In doing so, developers can quickly distinguish between an application that has been tampered with and one that has not. Apps that have unauthorized modifications are detected as well and will be invalidated through app attestation. This results in significant barriers for attackers seeking to redistribute modified versions of applications with premium features for free on the App Store.
Prevention from common attacks
Replay attacks are a widespread technique used by malicious actors. Attackers will capture valid attestation requests and then replay them in an attempt to gain server access. Since App Attest uses one-time, unique challenges for attestation requests, it renders this approach moot. Man-in-the-middle (MITM) attacks are another popular attack vector. Apple’s solution is to sign request payloads with the attestation key. This signature serves as a marker that verifies the data being exchanged between an app and a server remains unaltered and that the communication has not been intercepted.
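The two defences just described, one-time challenges against replay and a signature that binds the request body to the attestation key, can be seen together in the server-side assertion check. The following is an added example, not code from the article or from Apple. It reproduces the structure of Apple’s documented assertion verification: the server issues a random challenge, the app embeds it in the request body, and the server recomputes `SHA-256(authenticatorData || SHA-256(body))` as the nonce, checks the RP ID hash against the App ID, verifies the signature over the nonce and requires the 4-byte counter in `authenticatorData` to increase. The `APP_ID` is a placeholder, the challenge lifetime is a design choice, and because the example must run offline, an HMAC key stands in for the ES256 key the Secure Enclave would hold; everything else is the logic a real verifier performs.

```python
"""Replay and tamper checks in the App Attest assertion style, modelled offline (constructed)."""
import hashlib
import hmac
import secrets
import struct
import time

APP_ID = "TEAMID0000.com.example.app"  # placeholder App ID (team ID + bundle ID), assumed
RP_ID_HASH = hashlib.sha256(APP_ID.encode()).digest()
CHALLENGE_TTL = 60  # seconds a challenge stays valid (design choice for this example)


class ChallengeStore:
    """Hands out random one-time challenges and lets each be consumed exactly once."""

    def __init__(self, ttl=CHALLENGE_TTL, now=time.time):
        self._pending = {}
        self._ttl = ttl
        self._now = now

    def issue(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending[challenge] = self._now() + self._ttl
        return challenge

    def consume(self, challenge: bytes) -> bool:
        expires = self._pending.pop(challenge, None)  # pop: a replayed challenge finds nothing
        return expires is not None and self._now() <= expires


def build_authenticator_data(counter: int) -> bytes:
    """Assertion authenticatorData layout: rpIdHash (32) || flags (1) || signCount (4, big-endian)."""
    return RP_ID_HASH + b"\x00" + struct.pack(">I", counter)


def assertion_nonce(auth_data: bytes, body: bytes) -> bytes:
    """nonce = SHA-256(authenticatorData || SHA-256(request body)), as Apple documents it."""
    client_data_hash = hashlib.sha256(body).digest()
    return hashlib.sha256(auth_data + client_data_hash).digest()


class AssertionVerifier:
    """Checks one assertion: fresh challenge, matching App ID, valid signature, increasing counter."""

    def __init__(self, challenges: ChallengeStore, verify_signature):
        self.challenges = challenges
        self.verify_signature = verify_signature  # callable (key_id, nonce, signature) -> bool
        self.counters = {}  # key_id -> last accepted signCount

    def verify(self, key_id: str, body: bytes, challenge: bytes, auth_data: bytes, signature: bytes) -> str:
        if not self.challenges.consume(challenge):
            return "replay_or_unknown_challenge"   # a captured request replayed fails here
        if challenge.hex().encode() not in body:
            return "challenge_not_in_body"         # body must be the one this challenge was issued for
        if len(auth_data) < 37 or auth_data[:32] != RP_ID_HASH:
            return "wrong_app_id"
        if not self.verify_signature(key_id, assertion_nonce(auth_data, body), signature):
            return "bad_signature"                 # body or authenticatorData altered after signing
        counter = struct.unpack(">I", auth_data[33:37])[0]
        if counter <= self.counters.get(key_id, 0):
            return "counter_not_increased"
        self.counters[key_id] = counter
        return "ok"


# Constructed demo key: HMAC-SHA256 stands in for the ES256 signature of a Secure Enclave key.
DEMO_KEYS = {"key-1": secrets.token_bytes(32)}


def hmac_verify(key_id: str, nonce: bytes, signature: bytes) -> bool:
    expected = hmac.new(DEMO_KEYS[key_id], nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def make_request(challenge: bytes, counter: int, action: bytes = b"purchase"):
    """What the (simulated) app sends: body with the challenge, authenticatorData, signature."""
    body = b'{"action":"' + action + b'","challenge":"' + challenge.hex().encode() + b'"}'
    auth_data = build_authenticator_data(counter)
    signature = hmac.new(DEMO_KEYS["key-1"], assertion_nonce(auth_data, body), hashlib.sha256).digest()
    return body, auth_data, signature


def demo() -> list:
    store = ChallengeStore()
    verifier = AssertionVerifier(store, hmac_verify)
    results = []
    ch = store.issue()
    body, ad, sig = make_request(ch, counter=1)
    results.append(verifier.verify("key-1", body, ch, ad, sig))  # ok
    results.append(verifier.verify("key-1", body, ch, ad, sig))  # exact replay of the captured request
    ch = store.issue()
    body, ad, sig = make_request(ch, counter=1)                   # fresh challenge but stale counter
    results.append(verifier.verify("key-1", body, ch, ad, sig))
    ch = store.issue()
    body, ad, sig = make_request(ch, counter=2)
    tampered = body.replace(b"purchase", b"refund")              # altered in transit after signing
    results.append(verifier.verify("key-1", tampered, ch, ad, sig))
    ch = store.issue()
    body, ad, sig = make_request(ch, counter=2)
    results.append(verifier.verify("key-1", body, ch, ad, sig))  # ok
    return results
```

The order of checks is deliberate: the challenge is consumed first so that a failed request burns it, and the counter is stored only after every other check passes. Swapping `hmac_verify` for an ES256 verifier keyed by the public key returned during attestation turns this into the real check.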
Protect sensitive resources and data
Limiting server access to verified users and genuine devices inherently protects vital resources and data within applications. For e-commerce and financial apps, it reinforces transaction security within the app by providing an additional layer of security that the request is coming from a verified source. It also adds another layer of security on the server-side by strengthening API security.
When an app makes an API request, attestation verifies the call is coming from a genuine version of the application before granting access, preventing API abuse and unauthorized access. Streaming and gaming apps benefit from this protection as well. Apps such as these and others with premium content are able to limit access to unmodified apps and ensure users are legitimate to protect their IP.
Hardware-backed security
Apple is famous for its hardware-backed approach to mobile security, and App Attest and DeviceCheck are no different. The Secure Enclave is a testament to Apple’s commitment to protecting users with hardware-backed security practices. It’s integrated into the user’s Apple device and generates, then stores, the cryptographic keys required to access the app servers. The private key is nearly impossible to extract from user devices, which makes an attacker’s job that much more difficult.
Emphasis on user privacy
DeviceCheck, for its part, provides an anonymous token that contains zero personally identifiable information. The token is unique to each device that interacts with the DeviceCheck service, which makes the developer’s job that much easier when searching for fraudulent devices.
Constant device state management
We mentioned earlier the “Two-bit” approach that DeviceCheck employs to verify device authenticity. Because each device’s bits are stored persistently on Apple’s servers, it is fairly simple for developers to set and later update them. The same can be said for fraud flagging. Once tampered devices have been made known, the two-bit data can be updated to block these devices or to enforce stricter rules.
Apple’s Two-bit security method isn’t a “set it and forget it” approach. Rather, it establishes a constantly moving target that adapts with attackers, in an attempt to stay one step ahead.
Combining the approaches of App Attest and DeviceCheck provides iOS developers with a more layered mobile application security framework. However, there are restrictions with these mechanisms that prevent them from being a more complete app attestation strategy.
The constraints of App Attest and DeviceCheck
Native app attestation and device integrity solutions like Apple’s App Attest and DeviceCheck provide a good baseline for a multi-layered mobile security framework. However, many mobile apps require a robust approach to API security and mobile app attestation. A limited approach doesn’t provide the insights or capabilities that many mobile apps, specifically larger ones or ones that deal with sensitive information, need to protect themselves and their users.
Limited client integrity checks
As mentioned, Apple’s attestation solution centers its attention on the binary code of the application. While beneficial, this covers a small subset of your application. DeviceCheck may employ its two-bit storage as a method to enforce business logic, but it does not conduct device integrity checks. It also does not prevent runtime attacks or identify if the app is operating on a jailbroken device.
Similarly, App Attest provides limited protections.
Apple has stated that their solution cannot “definitively pinpoint a device with a compromised operating system”. An attacker can leverage a compromised device to engage in common runtime attacks like hooking.
The attestation service only verifies app integrity on disk, which means it only protects against threats from app package tampering. It cannot assure code integrity in memory, dramatically increasing the application’s susceptibility to runtime tampering methods that result in modifications like disabling ads or accessing premium content without payment.
Incomplete device coverage
Both App Attest and DeviceCheck are limited to iOS devices. The Secure Enclave requirement further limits which Apple devices can apply the App Attest and DeviceCheck capabilities. iPhone 5 or older devices are unable to support Secure Enclave, which means users are either left without a solution or app developers are left to provide a different security solution for these users.
Many publishers have Android and iOS versions of their apps, as well as multiple applications with different versions. These publishers will need to use different solutions for their Android and iOS apps to ensure full coverage as well as a different approach for older iPhone devices. This may result in different levels of insight and visibility, as well as different levels of protection, which is a less than ideal scenario for developers looking to synthesize insights into their mobile app protection strategy.
Limited analytics and visibility
App Attest provides a limited app attestation solution. As such, analytics are quite limited and leave developers looking for historical trends disappointed. Real-time data is non-existent: App Attest does not provide granular data or security controls. It reports only an approximation of the attestations performed on a given device, with no way to dig deeper at the device level or into a specific attestation result. Developers looking to stay on top of the latest threats will have difficulty keeping up with attackers.
Difficult to scale
App publishers wishing to expand beyond iOS apps will have trouble scaling up using native solutions like App Attest or DeviceCheck. Apple has also been known to throttle requests made via its App Attest service during times of high demand or large-scale updates, in order to prevent overloading its servers. Because the quotas and rate limits Apple uses are not publicly available, nor is a Service Level Agreement available, developers also do not have the option to increase their rate limit.
This level of unpredictability is unsatisfactory, especially for large-scale apps that have hundreds of thousands or even millions of daily users. To scale security efforts for these apps is a considerable mountain to climb, as the number of requests made increases exponentially with the growth of their applications.
DeviceCheck’s limited utility (two-bit)
The two-bit storage functionality is essential to DeviceCheck. As a core functionality, it is useful for simple fraud flagging and for verifying limited timed events like promotions. But for complex fraud detection scenarios, it poses a challenge. The two-bit storage is limited to only two bits of information. This means more granular information that would offer greater clarity to developers assessing fraud situations is not available. The chance for false positives is also greater, with not much data to look into these instances, frustrating users and developers alike.
An unrestricted solution to app attestation
App Attest and DeviceCheck deliver a basic app attestation and device attestation solution for iOS app developers. Unfortunately, the tools leave critical areas lacking protection that can be taken advantage of by malicious actors. The lack of cross-platform synergy and visibility into attestation results magnifies the problem when trying to stay ahead of attackers. For organizations seeking more comprehensive, scalable approaches, there are app attestation and mobile app security solutions available that are not burdened by the constraints that App Attest and DeviceCheck inherently face.
Guardsquare’s mobile app attestation addresses the gaps faced by developers using App Attest when attempting to implement a robust app attestation solution. With Guardsquare, you have the visibility you need and the protection your app requires to guarantee it's your app interacting with your APIs. Mobile app attestation from Guardsquare comes with historical insights and granular security policy controls to make it easier to review attestation results and build threat defenses for your iOS and Android apps.
Single platform for Android and iOS
Guardsquare provides mobile application security products that support both Apple and Google ecosystems. Similarly, our app attestation has tailored support for your Android and iOS applications. Rather than having to manage two different tools with varied insights, Guardsquare provides a single solution to attest your Android and iOS applications.
Both Android and iOS applications receive enhanced security with actionable insights into attestation results. Thus, there are no visibility gaps in security or insights among your applications. You can also compare results between apps by simply toggling between dashboards for each app, then examine every individual result.
Flexible server-side control & fine-grained security policies
Unlike App Attest and DeviceCheck, Guardsquare’s mobile app attestation is built to be flexible and dynamic. Attestation policies are intertwined with RASP protections and can be easily toggled on or off, without requiring coding. These policies can also be updated directly by developers based on real-time data and pushed out immediately via instant modifications. This capability is vital to ensuring a quick response to new or emerging threats after they have been identified.
Continuous updates against emerging threats
Guardsquare's app attestation uses the security policies you implement to determine an attestation verdict. Policies are driven by data from the user’s app and device. Guardsquare continuously researches and updates its threat detections—independent of your app updates or policy changes—to protect against emerging attack techniques. This ensures your application stays current and secure. By leveraging Guardsquare’s expertise, you can better keep pace with the evolving speed of attackers.
Unrivaled breadth of app attestation policies and insight depth
Guardsquare’s comprehensive app attestation policies cover everything from threats to application integrity to attacks affecting device integrity. The app attestation results these policies deliver illustrate historical trends and detailed insights so developers can identify the exact reason that led to a failed API request. Granular visibility with historical views informs developers and their teams with vital information to constantly improve the security posture of their mobile app.
These insights provide a level of analysis and threat coverage not available within the App Attest or DeviceCheck frameworks. With these insights, developers have the context needed to reduce false positives and definitively assess if a user is contacting your servers via a genuine app version on a secure device.
Conclusion
Relying on native solutions to solve development challenges is often beneficial. But in the case of mobile app attestation, going all-in on native solutions like App Attest and DeviceCheck can expose developers to security gaps, even for iOS apps. While some security is better than none, other solutions offer better protections and insights while giving developers more control in how to administer their app’s security at scale.
App attestation from Guardsquare provides the fine-grained security controls and deep insights needed to tailor your app’s protection against sophisticated attacks. To learn more about how app attestation can protect your APIs against attacks and abuse, contact Guardsquare today.