WIP: Add Apple AppAttest support #1050

Draft
wants to merge 1 commit into
base: master

@arianvp arianvp commented Sep 10, 2022

This is still extremely WIP but implements attestation as defined at https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server

Name of feature: Apple AppAttest

Pain or issue this feature alleviates:

Apple AppAttest is a service for attesting App installs of your consumer application.
It is available outside of enterprise settings. It differs slightly from Apple Enterprise Attestation
in that there is no permanent identifier that survives your app install (for privacy reasons). Instead, your app generates
a unique key that is used as the identifier.

Next to that (not implemented yet) Apple allows you to detect how many attestation keys were generated over the device's lifetime to assess fraud risk https://developer.apple.com/documentation/devicecheck/assessing_fraud_risk

Why is this important to the project (if not answered above):

Is there documentation on how to use this feature? If so, where?

https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

In what environments or workflows is this feature supported?

iOS apps

In what environments or workflows is this feature explicitly NOT supported (if any)?

Supporting links/other PRs/issues:


CLAassistant commented Sep 10, 2022

CLA assistant check
All committers have signed the CLA.

github-actions bot added the "needs triage" (Waiting for discussion / prioritization by team) label Sep 10, 2022
Author

arianvp commented Sep 10, 2022

FYI: I don't actually have an iOS device to test this. I'm merely following Apple's docs. Hence WIP and not ready for review.

Contributor

maraino commented Sep 11, 2022

Hi @arianvp, thanks for this, but does this attestation work as an ACME extension?

The new MDA ACMECertificate for enterprises follows more or less this draft to perform attestation using a new ACME challenge. Related WWDC link.

Author

arianvp commented Sep 11, 2022

The draft will need some rewordings for this to be 'compliant'. Apart from that it's a slight variation of the existing Apple attestation format.

brandonweeks/draft-bweeks-acme-device-attest#4

Apart from that, an iOS client library I'm still writing to give AppAttest a similar client-side interface to ACMECertificate.

Contributor

maraino commented Sep 11, 2022

I have a branch in the CLI that implements the draft with YubiKeys.

smallstep/cli#741
