OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

iOS DeviceCheck to detect tampering #1767

Open jeroenleenarts opened 4 years ago

jeroenleenarts commented 4 years ago

iOS:

Description: I think Apple's DeviceCheck API can be used to mitigate app tampering. I can imagine there are use cases where you want to protect against copy-cat or otherwise re-signed clients.

Imagine using https://developer.apple.com/documentation/devicecheck/dcdevice/2902276-generatetoken to obtain a token on device and verifying it with a Device Validation Request as described at https://developer.apple.com/documentation/devicecheck/accessing_and_modifying_per-device_data

Only apps that provide a valid token are allowed to receive some key piece of information that is required later on in the interaction between the app and its server. The key piece of info could be a unique nonce or even the private key of a server-generated key pair allowing follow-up requests to be signed, thus indicating by delegation that the app is in fact the one true app as intended by its creator.

bigshebang commented 4 years ago

What's the ask for this issue? Do we want to add content about how to use DeviceCheck correctly and then how to attack it?

I am doing some research on this so can probably assist if I have more of an outline of the desired outcome of this issue.

cpholguera commented 4 years ago

That'd be great @bigshebang. Please think of something from the tester/attacker perspective. If you have a draft or a proposed outline, you can gladly share it with us before you start writing.

jeroenleenarts commented 4 years ago

I'm in the process of seeing if I can get a more formalized example / implementation of this.

cpholguera commented 3 years ago

Hi @jeroenleenarts, any news on this? Thanks!

jeroenleenarts commented 3 years ago

@cpholguera not at the moment. I have run some tests to investigate the DeviceCheck APIs involved.

The effect is that the app running a device check can be validated as having requested and received a valid signature from Apple. Not sure how playback scenarios work yet.

It is something I tried pitching at my place of work. The net benefit was understood, but not prioritized.

cpholguera commented 3 years ago

Thanks a lot for the update. Let us know once you have more details, we'll be looking forward to it 😊

cpholguera commented 3 years ago

Any news on this @jeroenleenarts? 😊