Oliver Binns

Talk Details

Title

Protecting APIs with DeviceCheck, App Attest & WebAuthn

Description

This talk is all about Apple's underutilised DeviceCheck framework and how you can use this framework to protect your server-side APIs from fraudulent use. We'll dive into detail on App Attest and its use of Secure Enclave, CBOR encoding and the WebAuthn standard which is also used for Passkeys. I'll talk through a reference implementation of the required server-side validation built in Swift using Vapor.

Introduction to DeviceCheck framework

I'll explain how DeviceCheck can be used to:

  • prevent users from reusing offers and promotions in your app if they delete and reinstall it, or even completely reset the device. All of this works in a privacy-friendly way, without you knowing the identity of users.
  • detect and prevent access to your APIs from fraudulent copies of your app; this is the best answer to the question “how do I secure the API keys that my app needs?”

Asymmetric Cryptography

I'll give a brief introduction to asymmetric cryptography and how we can validate that the tokens our app holds have come from Apple and have not been tampered with. I'll build on this by explaining how the Secure Enclave gives us assurance that device keys cannot be copied or removed from the device. This means that a device can continue to authenticate with us over time, and we can be totally sure that it is the same device as before.

App Attest

I'll talk through my reference implementation for App Attest, which includes both the iOS client app and server-side validation using Swift and Vapor.

We'll cover the implementation of App Attest step-by-step:

  1. issuing a challenge from your backend
  2. using that challenge to fetch an app attestation object on iOS
  3. decoding and validating the CBOR attestation object on your server
  4. communicating with Apple's service to check for additional indicators of fraud
  5. re-asserting as the same device for future requests
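As an added example (not the talk's Swift/Vapor reference implementation), here is step 3 in Python: decode the CBOR attestation object and run the authenticator-data checks Apple specifies for App Attest, then derive the nonce that must match the leaf certificate. The App ID, key identifier and sample attestation bytes are constructed, and verification of the x5c certificate chain is deliberately left out.

```python
import hashlib
APP_ID = "ABCDE12345.com.example.app"  # constructed teamID.bundleID; substitute your own
VALID_AAGUIDS = {b"appattestdevelop", b"appattest" + b"\x00" * 7}  # the two values Apple documents

def cbor_decode(data, pos=0):
    # Minimal CBOR decoder for the types an attestation object uses: bytes, text, array, map.
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if info >= 24:  # 24 = one extra length byte, 25 = two; longer forms are not needed here
        width = {24: 1, 25: 2}[info]
        info, pos = int.from_bytes(data[pos:pos + width], "big"), pos + width
    if major not in (2, 3, 4, 5):
        raise ValueError("unsupported CBOR major type %d" % major)
    if major == 2:
        return bytes(data[pos:pos + info]), pos + info
    if major == 3:
        return data[pos:pos + info].decode("utf-8"), pos + info
    items = []
    for _ in range(info * (2 if major == 5 else 1)):  # a map holds info key/value pairs
        item, pos = cbor_decode(data, pos)
        items.append(item)
    return (dict(zip(items[::2], items[1::2])) if major == 5 else items), pos

def validate_attestation(att_obj, challenge, key_id, app_id=APP_ID):
    # Apple's authenticator-data checks; returns (errors, nonce). Verifying the x5c chain against
    # Apple's App Attest root and comparing nonce with the leaf certificate extension needs an X.509 library.
    att, _ = cbor_decode(att_obj)
    auth_data = att["authData"]
    errors = []
    if att.get("fmt") != "apple-appattest":
        errors.append("fmt is not apple-appattest")
    if auth_data[:32] != hashlib.sha256(app_id.encode()).digest():  # rpIdHash == SHA256(App ID)
        errors.append("rpIdHash does not match App ID")
    if int.from_bytes(auth_data[33:37], "big") != 0:  # sign counter starts at 0
        errors.append("counter must be 0 at attestation")
    if auth_data[37:53] not in VALID_AAGUIDS:
        errors.append("unexpected aaguid")
    if auth_data[55:55 + int.from_bytes(auth_data[53:55], "big")] != key_id:  # credentialId == keyId
        errors.append("credentialId does not match keyId")
    nonce = hashlib.sha256(auth_data + hashlib.sha256(challenge).digest()).digest()
    return errors, nonce

def build_sample_attestation(app_id, cred_id, aaguid=b"appattest" + b"\x00" * 7, counter=0):
    # Constructed attestation object (empty x5c and receipt) purely to exercise the checks above.
    auth_data = (hashlib.sha256(app_id.encode()).digest() + b"\x45" + counter.to_bytes(4, "big")
                 + aaguid + len(cred_id).to_bytes(2, "big") + cred_id)
    tstr = lambda s: bytes([0x60 | len(s)]) + s.encode()  # short-form CBOR text string
    return (b"\xa3" + tstr("fmt") + tstr("apple-appattest") + tstr("attStmt") + b"\xa2" + tstr("x5c")
            + b"\x80" + tstr("receipt") + b"\x40" + tstr("authData") + bytes([0x58, len(auth_data)]) + auth_data)
```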

Industry Standards

Finally, I will touch on some emerging industry standards:

  • App Attest is built on the WebAuthn standard which is the same standard that is used for Passkeys. This standard uses CBOR key-value data encoding, which is more efficient than JSON but is not human readable.
  • An alternative Client Attestation standard is also being developed as an extension of OAuth 2.0, which most apps use for login. This standard uses the JWT data format, which app developers already know from access and refresh tokens.

About the Speaker

Position

Software Engineer at Deloitte LLC

Bio

Oliver is an experienced software engineer based in London. After attaining an IET-accredited master's degree in Computer Science from the University of York, he started his career building websites in PHP and JavaScript, before pivoting into native iOS development. He has worked on highly-rated mobile apps for airlines, healthcare organisations and even government departments. Oliver was shortlisted for the British Computer Society's Engineer of the Year 2024.