iOS 14 introduces new 'App Attest' API to cut down on app fraud

Posted:
in General Discussion edited August 2020
Apple in iOS 14 will introduce a new DeviceCheck feature called App Attest that boosts the security of apps on the platform.

Credit: Apple
Credit: Apple


DeviceCheck is an iOS framework, first introduced in iOS 11, that can help developers cut down on the fraudulent use of their apps.

In iOS 14, Apple is adding a new API to the framework called App Attest. Like DeviceCheck, App Attest aims to cut down on the inappropriate use of developer servers through compromised apps.

As Apple notes in developer documentation, apps can be modified and distributed outside of the App Store, leading to versions of those apps with unauthorized features like "game cheats, ad removal, or access to premium content."

App Attest adds a safeguard against this problem by verifying the integrity of an app using a cryptographic key. By verifying that this cryptographic key is sound, a developer could verify that an app hasn't been tampered with before sharing access to sensitive data.

Apple does note that "no single policy can eliminate all fraud," and adds that App Attest isn't able to pinpoint a device with a compromised operating system. Together with the DeviceCheck framework, however, developers can get data to perform a "overall risk assessment."

The App Attest feature will launch with iOS 14, which is expected to debut in the fall.

Comments

  • Reply 1 of 11
    SpamSandwichSpamSandwich Posts: 33,408member
    Some day Apple will get informed and use blockchain or Hashgraph to verify apps. Every app sold should be assigned a ‘coin’ which verifies its authenticity and quality.
    lkruppiOSDevSWE
  • Reply 2 of 11
    nicholfdnicholfd Posts: 660member
    Some day Apple will get informed and use blockchain or Hashgraph to verify apps. Every app sold should be assigned a ‘coin’ which verifies its authenticity and quality.
    And why do they need to use a blockchain to verify authenticity?  They can already do that...
    Gilliam_Batessuperklotonwilliamlondon
  • Reply 3 of 11
    nicholfd said:
    Some day Apple will get informed and use blockchain or Hashgraph to verify apps. Every app sold should be assigned a ‘coin’ which verifies its authenticity and quality.
    And why do they need to use a blockchain to verify authenticity?  They can already do that...
    Because I think Spammy learned a new word and wanted to see if he could use it in a sentence. 😈
    williamlondonh4y3sdarkvaderwatto_cobra
  • Reply 4 of 11
    SpamSandwichSpamSandwich Posts: 33,408member
    nicholfd said:
    Some day Apple will get informed and use blockchain or Hashgraph to verify apps. Every app sold should be assigned a ‘coin’ which verifies its authenticity and quality.
    And why do they need to use a blockchain to verify authenticity?  They can already do that...
    Because I think Spammy learned a new word and wanted to see if he could use it in a sentence. 😈
    No, it’s because on-blockchain authentication would be completely transparent and verifiable.
    iOSDevSWEh4y3s
  • Reply 5 of 11
    mknelsonmknelson Posts: 845member
    nicholfd said:
    Some day Apple will get informed and use blockchain or Hashgraph to verify apps. Every app sold should be assigned a ‘coin’ which verifies its authenticity and quality.
    And why do they need to use a blockchain to verify authenticity?  They can already do that...
    Because I think Spammy learned a new word and wanted to see if he could use it in a sentence. 😈
    No, it’s because on-blockchain authentication would be completely transparent and verifiable.
    But what would be in the blockchain? The encryption key or perhaps a checksum?

    Blockchain is more useful to track the history of things like parts/maintenance history, product origins, shipping tracking. I don't see any inherent benefit to determine if somebody hacked an app for themselves or for distribution (you can do that by extracting from a backup, editing and then restoring).
  • Reply 6 of 11
    SpamSandwichSpamSandwich Posts: 33,408member
    mknelson said:
    nicholfd said:
    Some day Apple will get informed and use blockchain or Hashgraph to verify apps. Every app sold should be assigned a ‘coin’ which verifies its authenticity and quality.
    And why do they need to use a blockchain to verify authenticity?  They can already do that...
    Because I think Spammy learned a new word and wanted to see if he could use it in a sentence. ߘ覬t;/div>
    No, it’s because on-blockchain authentication would be completely transparent and verifiable.
    But what would be in the blockchain? The encryption key or perhaps a checksum?

    Blockchain is more useful to track the history of things like parts/maintenance history, product origins, shipping tracking. I don't see any inherent benefit to determine if somebody hacked an app for themselves or for distribution (you can do that by extracting from a backup, editing and then restoring).
    App authentication (which is open and transparent) provides device stability and trustworthiness. Bad actors (developers who violate trust) would be unable to fake authenticity. Attempts to hack apps or push out fakes would be easily discovered.
    edited August 2020
  • Reply 7 of 11
    Shouldn't the OS be making this check rather than a possibly modified app?
  • Reply 8 of 11
    flydogflydog Posts: 1,015member
    Some day Apple will get informed and use blockchain or Hashgraph to verify apps. Every app sold should be assigned a ‘coin’ which verifies its authenticity and quality.
    Between Apple and some anonymous forum poster, I'm going to assume Apple knows what it is doing in this regard. 

    And by the way, blockchain and hashgraph rely on cryptographic keys.
    watto_cobra
  • Reply 9 of 11
    flydogflydog Posts: 1,015member

    Shouldn't the OS be making this check rather than a possibly modified app?
    You don't see the obvious problem of exposing a malicious app to the OS?   And how would that be better?  Are you arguing that hackers would somehow guess the correct key and use it in the modfied app?

    Tell us more professor. 
    watto_cobra
  • Reply 10 of 11
    flydog said:

    Shouldn't the OS be making this check rather than a possibly modified app?
    You don't see the obvious problem of exposing a malicious app to the OS?   And how would that be better?  Are you arguing that hackers would somehow guess the correct key and use it in the modfied app?

    Tell us more professor. 
    Developer, not professor. I am suggesting that if an app can be modified, you can't trust the app to check itself. You need some other code not in the app, for example in the operating system, to check that the app is valid. Otherwise the first thing a hacker would do is to modify the code that compares the checksums.
    Obviously if iOS itself can be modified to disable the security code, all bets are off but as you know it is impossible to hack iOS (that's a joke, son).
    SpamSandwich
  • Reply 11 of 11
    crowleycrowley Posts: 8,865member
    mknelson said:
    nicholfd said:
    Some day Apple will get informed and use blockchain or Hashgraph to verify apps. Every app sold should be assigned a ‘coin’ which verifies its authenticity and quality.
    And why do they need to use a blockchain to verify authenticity?  They can already do that...
    Because I think Spammy learned a new word and wanted to see if he could use it in a sentence. 😈
    No, it’s because on-blockchain authentication would be completely transparent and verifiable.
    But what would be in the blockchain? The encryption key or perhaps a checksum?

    Blockchain is more useful to track the history of things like parts/maintenance history, product origins, shipping tracking. I don't see any inherent benefit to determine if somebody hacked an app for themselves or for distribution (you can do that by extracting from a backup, editing and then restoring).
    But some guy on the internet told me that the blockchain can solve anything!
    watto_cobra
Sign In or Register to comment.