Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WIP: Add Apple AppAttest support #1050

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

arianvp
Copy link

@arianvp arianvp commented Sep 10, 2022

This is still extremely WIP but implements attestation as defined https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server

Name of feature: Apple AppAttest

Pain or issue this feature alleviates:

Apple AppAttest is a service for attesting App installs of your consumer application.
It is available outside of enterprise settings. It differs slightly from Apple Enterprise Attestation
in that there is no permanent identifier that survives your app install (For privacy reasons). Instead your app generates
a unique key that is used as the identifier.

Next to that (not implemented yet) Apple allows you to detect how many attestation keys were generated over the device's lifetime to assess fraud risk https://developer.apple.com/documentation/devicecheck/assessing_fraud_risk

Why is this important to the project (if not answered above):

Is there documentation on how to use this feature? If so, where?

https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

In what environments or workflows is this feature supported?

iOS apps

In what environments or workflows is this feature explicitly NOT supported (if any)?

Supporting links/other PRs/issues:

@CLAassistant
Copy link

CLAassistant commented Sep 10, 2022

CLA assistant check
All committers have signed the CLA.

@github-actions github-actions bot added the needs triage Waiting for discussion / prioritization by team label Sep 10, 2022
@arianvp
Copy link
Author

arianvp commented Sep 10, 2022

FYI: I don't actually have an iOS device to test this. I'm merely following Apple's docs. Hence WIP and not ready for review.

@maraino
Copy link
Contributor

maraino commented Sep 11, 2022

Hi @arianvp, thanks for this, but does this attestation work as an ACME extension?

The new MDA ACMECertificate for enterprises follows more or less this draft to perform attestation using a new ACME challenge. Related wwdc link.

@arianvp
Copy link
Author

arianvp commented Sep 11, 2022

The draft will need some rewordings for this to be 'compliant' . Apart from that it's a slight variation of the existing apple attestation format.

brandonweeks/draft-bweeks-acme-device-attest#4

Apart from that a iOS client library im still writing to give AppAttest a similar client side interface to ACMECertiticate

@maraino
Copy link
Contributor

maraino commented Sep 11, 2022

I have a branch in the CLI that implements the draft with yubikeys.

smallstep/cli#741

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
needs triage Waiting for discussion / prioritization by team
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants