Registration function can throw DCError invalidKey error

[tujlaky]

Describe the bug Our user had our mobile application previously installed and had a successful registration. She deleted the app and later reinstalled it and after tried to run the registration again. After running the registration (https://docs.adyen.com/issuing/3d-secure/oob-auth-sdk/?tab=requirements-swift_2#step-4-register-device) after the reinstall she started to get an invalidKey error. (Error Domain=com.apple.devicecheck.error Code=3) with the message: The operation couldn’t be completed.

User tried the following to fix the issue with no luck:

• She tried to reinstall the app and start the process again
• She tried to re-register multiple times
• She checked the date and time settings (it is automatic)
• She tried to restart the phone

After checking our logs I see multiple users with similar issues.

I have found a similar issue what firebase had before: https://github.com/firebase/firebase-ios-sdk/issues/11264 https://github.com/firebase/firebase-ios-sdk/pull/11986

I have found this article too: https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity This says in the and that on reinstall the key should be regenerated.

From this it looks like to me that in this case the key should be reset and the registration should be started over. This is only possible from inside the SDK because from outside we can't reset the key.

To Reproduce

I can't reproduce the issue currently locally but we have multiple cases in the logs when this is happening for the users.

Expected behavior The SDK should reset the attestion key and try again the registration in this case.

Smartphone (please complete the following information):

• Device: iPhone SE (second gen)
• OS: iOS 17.2
• Version: AdyenAuthentication 2.0

[mohammedDehairy]

@tujlaky

Thanks for reaching out and flagging this problem!

From this it looks like to me that in this case the key should be reset and the registration should be started over. This is only possible from inside the SDK because from outside we can't reset the key.

The SDK already regenerate the key with every registration calls, so this seems to me like a bug from apple, not sure how to mitigate it 🤔

We'll investigate this, and get back to you if we figure it out, we'll maybe reach out to apple to clarify this

[mohammedDehairy]

@tujlaky

May i ask about your use case of the SDK?

• Do you use the SDK to register cards, bank accounts, or something else?
• Do you limit registration calls to when the app is reinstalled or when a new instrument is being registered, i.e card, bank account ..etc? or do you register more frequently?

that would help withe investigation

Thanks!

[tujlaky]

• We use the SDK to register cards to 3DS and authorise the card payments for 3ds
• Currently we don't have any limitations: you can register when online payment is enabled for the card and the card is yours and the card is active
• We have a register button and when we detect that you registered the card already we show a re-register button
• We store in a local setting when the card was registered already (this was removed with the uninstall)

[tujlaky]

I have some questions regarding the implementation:

• Do you have a solution like this in place? https://github.com/firebase/firebase-ios-sdk/pull/11986/files#diff-c4372f4337decb4bd980b30c063e5c0d3035d531143ae30aee4aad3b86598ecbR330
• You say that you create a new key in every generation but I think for this to work you should clean the previous key
• Do you have this removal too in place?
• I think you should handle the error similarly how Firebase is doing it

[mohammedDehairy]

Thanks @tujlaky for the suggestion!

i think Firebase if i am not mistaken -i haven't dived deep into their code- is just keeping a storage of apparently one credential id, thats why they reset it when they receive this error, our use case is different, the SDK can manage any number of credentials, e.g the user can register multiple cards/bank accounts...etc per app per device, so with new registration we can't reset the storage since this could be simply be a new card/bankaccount...etc, not to mention that deleting old credentials will not help with this error

BTW i have sent a question to apple developer support regarding this issue and waiting for a response from their side, otherwise i don't know how to proceed, will let you know if i get a response from apple dev support

[tujlaky]

Do you create different keys per registration? So for example if I do the registration twice on the same device with the same card? Or what do you use for the attestation key?

[mohammedDehairy]

Do you create different keys per registration? So for example if I do the registration twice on the same device with the same card?

Yes, technically you can register the same card twice with two different credentials, and if so, then both registrations work, then both will work, but the SDK cannot detect this, because the SDK is agnostic about the "thing" that you're registering, so the app side + the compliant backend has to make sure that a card is registered once per device per app unless the user deliberately deleted the card themselves, then obviously they can register again

[tujlaky]

That part is clear. I think we talk about two different things here. I see from outside what is stored but I don't see where it is stored.

Like how firebase does this: https://github.com/firebase/firebase-ios-sdk/blob/f73effb932abc204548ef4671ff62191ee2e1065/FirebaseAppCheck/Sources/AppAttestProvider/Storage/FIRAppAttestKeyIDStorage.m#L28

They use the following key: com.firebase.FIRAppAttestKeyIDStorage. And that is not unique so that could fail.

So for example when I call the authenticate method on the SDK: https://docs.adyen.com/issuing/3d-secure/oob-auth-sdk/?tab=requirements-swift_2#step3-auth-authenticate-cardholder

How do you know which stored registration should be used if I have multiple registrations on my device? Do you use the device id which is coming from the API to store the registration data? https://docs.adyen.com/issuing/3d-secure/oob-auth-sdk/?tab=requirements-swift_2#step-2-initiate-registration

I think in that case that will be unique.

[mohammedDehairy]

How do you know which stored registration should be used if I have multiple registrations on my device? Do you use the device id which is coming from the API to store the registration data?

To understand how this works, i am afraid i have to explain our architecture and i don't think i am free to share more unfortunately, but our solution is different than Firebase one, not to mention the use case is different

[tujlaky]

@mohammedDehairy do you have any update on this?

Our customer is still can't use the online payment in our app.

[mohammedDehairy]

@tujlaky

Thanks for following up!

i have submitted a bug report to apple a month ago, still got no response unfortunately!