Use App Attest and DeviceCheck to prevent fraud in iOS

App Attest and DeviceCheck are important to retain revenue.



App developers can minimize fraud by using App Attest and DeviceCheck, two tools provided by Apple. Here’s how to use them to prevent unauthorized modifications to your app, and to prevent users from illegitimately acquiring premium content.

As an app developer, there are a few ways that you can make money from your creations. However, some users who are unwilling to pay will still want access to paid premium features.

Developers seek to avoid this sort of behavior. This is where Apple’s App Attest and DeviceCheck step in.

By using Apple’s DeviceCheck framework, you can ensure only authorized users can access premium content and promotions.

DeviceCheck

Apple provides the DeviceCheck framework to help your app reduce attempted fraudulent use of premium app features.

DeviceCheck helps mitigate fraud on promotional offerings in apps.

For example, if your app offers promotions or premium content, some users may try to abuse the features to get multiple free items. They could do this by uninstalling and then re-installing your app.

The DeviceCheck framework allows your app to see if a particular hardware device has already received a promotional offer.

These checks are tied to the Secure Enclave in each Apple device. They’re combined with an Apple Account and a private cryptographic key to ensure authorization. The DeviceCheck state has three properties:

  1. Two device state bits stored by Apple along with a timestamp
  2. Stored per device, per developer
  3. Persistent across hardware device resets

The two bits stored by Apple tie each Apple developer to a known state for any previously registered promotions per app. Along with the timestamp you can use the bits any way you like in order for your app to determine promotion status.

DeviceCheck keeps track of devices on a per-device basis, per app developer.

The DeviceCheck state is saved across device resets, should the Apple device be completely reset to factory condition.

These checks can be used by your app to see if a given promotion was previously used by any app by any Apple Account on any Apple device.

App Attest

App Attest is also part of DeviceCheck.framework. It lets your server check that a request for a given service your app offers came from a legitimate copy of your app running on a genuine Apple device.

In order to use App Attest you will need either a server or cloud-based service to receive hardware-based tokens from the user’s device, along with an App Attest request. Your server must then forward these app requests on to an Apple App Attest server for verification.

If the Apple server returns that the app and service are valid, your server informs the sending device that the request is valid.

Since each request is tied to specific device hardware info, requests can’t be forged or copied for other devices.

App Attest also prevents illegitimate copies of premium app or service features from being copied from one device to another.

Three easy pieces

App Attest provides three key pieces of info your app can use to verify that a request came from an authentic, authorized Apple device:

  1. Genuine Apple device
  2. Authentic application identity
  3. Trustable payload

Checking for a genuine Apple device allows you to verify that the app and premium content are, in fact, being run on a real Apple device.

Authentic application identity makes sure that the app making the request is your app and that it is a legitimate copy, one which has been downloaded from the App Store.

Trustable payloads can be checked to confirm the premium feature or promotional content is authorized, has been purchased, and has not been tampered with.

By using these three pieces of info, your app can make sure the content should be available to the user. This prevents hackers and jail-breakers from attempting to download or reuse premium content paid for and authorized on another Apple device.

The genuine device check is accomplished by an examination of a secure key pair on the device, which is used by the Secure Enclave. It’s combined with an App Attest request from the device which is generated using the valid key pair.

Secure key pairs are part of what is called Public Key Infrastructure (PKI), which uses asymmetric cryptography: a private key that stays on the device and a public key that can be shared over a network.

By using secure keys and digital signatures, an app and device can confirm a request originates from who it claims to.

PKI is extremely secure and even the most performant supercomputers in the world require years to crack it.

When your app makes an App Attest request, it can use the secure keys to do so, which can then be verified by the server. Each secure key is unique per installation and is not synced or copied across devices.

An encoded copy of each requesting app’s Bundle ID is also sent with each request for verification.

[Image: Generating a key attestation with DeviceCheck.]

Adding App Attest to your app

To add App Attest to your app in Xcode, you must first include the DeviceCheck.framework in the Build Info tab in each project target’s frameworks pane.

In order to use App Attest in your app, the app must be running on a device with a Secure Enclave. Therefore you must always check for the ability to use App Attest in your app before you actually do so.

There are also three parts to adding App Attest to your app:

  1. Generating an AppAttest key
  2. Verifying keys
  3. Generating and verifying assertions

To create an AppAttest key in your app’s code, use the .shared property on the DCAppAttestService class object like this:

let appAttestService = DCAppAttestService.shared

This creates a constant named appAttestService that holds a reference to the framework’s shared service object.

Once you have the shared instance, you can use it to create a key:

[Image: Code to generate a device key for Apple’s App Attest.]

In the above code, you first get the shared instance of the DCAppAttestService class. Then you check its .isSupported property to make sure App Attest is available on this device, and then generate a key with the .generateKey method.

If .generateKey returns an error, you check for it and handle it; otherwise the key identifier is returned in keyId.

Once you have the key, you can then store it away for later use – most likely in an object you defined and created previously.

The DeviceCheck.framework also supports Objective-C interfaces if you are still using that language instead of Swift.

If the .isSupported property returns false (NO in Objective-C), or .generateKey returns a nil keyId, you can’t use App Attest in your app.

Be aware that .isSupported may return false even on a device that does have a Secure Enclave, most commonly when the code is called from an app extension.

Your app must be prepared to handle these cases as well. In these situations assume the caller is untrusted, then devise your own code logic based on a set of risk assessment rules to determine if the premium features should be allowed.

This approach is a second-best validation when the .isSupported property returns NO.
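Here is a Swift version of the key-generation step described above, including the fallback for devices where App Attest is unavailable. It is an added example written for this article, not the code shown in the original screenshot: DCAppAttestService, isSupported and generateKey are the framework’s own API, while the result enum, the function names and the UserDefaults storage key are assumptions of the example.

```swift
import DeviceCheck
import Foundation

/// Outcome of trying to obtain an App Attest key on this device.
enum AppAttestKeyResult {
    /// App Attest is available; `keyId` is the opaque identifier of a key held in the Secure Enclave.
    case key(String)
    /// App Attest is not available here (no Secure Enclave, or called from an app extension).
    /// The caller is untrusted and the app must fall back to its own risk rules.
    case unsupported
    /// Generation was attempted but failed; carries the DeviceCheck error.
    case failed(Error)
}

/// Storage key for the key identifier. The name is an assumption for this example;
/// Apple recommends persistent storage such as the keychain for the identifier.
let appAttestKeyIdStorageKey = "appAttestKeyId"

/// Checks isSupported first, then asks the Secure Enclave for a new key.
/// The private key never leaves the Secure Enclave; the app only receives its identifier.
func obtainAppAttestKey(completion: @escaping (AppAttestKeyResult) -> Void) {
    let appAttestService = DCAppAttestService.shared

    // isSupported is false on hardware without a Secure Enclave and also inside most
    // app extensions, so it must be checked before every use, not just once.
    guard appAttestService.isSupported else {
        completion(.unsupported)
        return
    }

    appAttestService.generateKey { keyId, error in
        if let error = error {
            completion(.failed(error))
            return
        }
        guard let keyId = keyId else {
            // The API delivers either a keyId or an error; a nil keyId without an
            // error is treated the same as an unsupported device.
            completion(.unsupported)
            return
        }
        // Keep the identifier: a key is attested once (next step) and then reused
        // for every assertion. Generating a new key on each launch would force a
        // new attestation round trip every time.
        UserDefaults.standard.set(keyId, forKey: appAttestKeyIdStorageKey)
        completion(.key(keyId))
    }
}

/// Returns the stored key identifier if one exists, otherwise generates a new key.
func currentOrNewAppAttestKey(completion: @escaping (AppAttestKeyResult) -> Void) {
    if let stored = UserDefaults.standard.string(forKey: appAttestKeyIdStorageKey) {
        completion(.key(stored))
        return
    }
    obtainAppAttestKey(completion: completion)
}

/// Usage: gate premium content on the result.
func startPremiumFlow() {
    currentOrNewAppAttestKey { result in
        switch result {
        case .key(let keyId):
            // Next step: attest the key against a one-time server challenge.
            print("App Attest key ready: \(keyId)")
        case .unsupported:
            // Treat the caller as untrusted and apply the app's own risk assessment rules.
            print("App Attest unavailable on this device; applying fallback risk rules")
        case .failed(let error):
            print("Key generation failed: \(error.localizedDescription)")
        }
    }
}
```

The completion handler from generateKey runs on an arbitrary queue, so anything that touches the UI in the `.unsupported` or `.failed` branches should hop back to the main queue first.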

Validate key

Assuming you do have a valid key from the above code, the next step is to validate or attest the key.

To do this your app will need to create a one-time server challenge. This challenge is designed to attest the key you generated with a challenge from your server, which validates the key in combination with user account info.

You will need to also devise server-side code to do this for each key attest occurrence.

Key attestation provides an additional level of security by preventing man-in-the-middle and replay attacks.

The first step in this process is to generate a key attestation. You use the same app attest server object as above, but with the .attestKey method.

Using this method, you pass the original keyId and a client data hash derived from the server’s challenge; the completion handler returns an attestationObject and an optional error. (The Objective-C version takes a completion block with the same two parameters.)

On return, the attestationObject is what you send to your server in response to its challenge.

The purpose of the .attestKey method is to use the device’s private key to create an opaque hardware attestation request. One tied to the key and this specific device.

This hardware attestation is then sent to an Apple attestation server for hardware verification. Once verified, the Apple server will return an anonymous attestation object to your app.

Only Apple’s server knows how to verify the device at a hardware level based on the info sent to it, thus making it very difficult for hackers to intercept the request and return a false positive that enables the premium features.

Once the app receives the response from Apple and makes sure it is valid, the app should then send the response along with any custom payload to your server for final verification.

This rather complex process, combined with Apple’s hardware verification and a private key, makes it very difficult for anyone to hack your premium features and enable unauthorized content.
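The attestation round trip and the follow-on assertions (steps 2 and 3 from the list earlier) in Swift, as an added example rather than the article’s code. DCAppAttestService.attestKey and generateAssertion are the framework’s real API in their async form; the AttestBackend protocol, its method names and the item/challenge JSON body are assumptions standing in for your own server, which is the side that must validate the attestation object, store the key’s public key and burn each challenge after one use.

```swift
import DeviceCheck
import CryptoKit
import Foundation

// Hypothetical transport to your own backend. A real app would implement this with
// URLSession; the method names and their server-side behaviour are assumptions here.
protocol AttestBackend {
    /// Server mints a random one-time challenge and stores it with a short expiry.
    func fetchChallenge() async throws -> Data
    /// Server validates the attestation object, checks that the hash embedded in it
    /// equals SHA-256(challenge), binds keyId to the user account and burns the challenge.
    func submitAttestation(keyId: String, attestation: Data, challenge: Data) async throws
    /// Server verifies the assertion signature over SHA-256(body) with the public key
    /// saved at attestation time, checks the signature counter increased, burns the
    /// challenge found inside body, then serves the premium content.
    func submitAsserted(keyId: String, body: Data, assertion: Data) async throws -> Data
}

/// SHA-256 over exactly the bytes the server will hash again on its side.
func clientDataHash(_ data: Data) -> Data {
    Data(SHA256.hash(data: data))
}

/// Step 2: attest a freshly generated key, once per key. Hashing the server's one-time
/// challenge into the attestation is what ties it to this request, so a captured
/// attestation object cannot be replayed against a different challenge.
func attest(keyId: String, backend: AttestBackend) async throws {
    let challenge = try await backend.fetchChallenge()
    let attestation = try await DCAppAttestService.shared.attestKey(
        keyId, clientDataHash: clientDataHash(challenge))
    try await backend.submitAttestation(keyId: keyId, attestation: attestation, challenge: challenge)
}

/// Request body for a premium item. Embedding a fresh challenge makes each assertion single-use.
struct PremiumRequest: Codable {
    let item: String
    let challenge: String   // base64 of the server challenge
}

/// Step 3: every later premium request carries an assertion over its own body.
func requestPremium(keyId: String, item: String, backend: AttestBackend) async throws -> Data {
    let challenge = try await backend.fetchChallenge()
    let request = PremiumRequest(item: item, challenge: challenge.base64EncodedString())

    // Sorted keys give deterministic bytes; the server must hash the body exactly as received.
    let encoder = JSONEncoder()
    encoder.outputFormatting = .sortedKeys
    let bodyData = try encoder.encode(request)

    let assertion = try await DCAppAttestService.shared.generateAssertion(
        keyId, clientDataHash: clientDataHash(bodyData))
    return try await backend.submitAsserted(keyId: keyId, body: bodyData, assertion: assertion)
}

/// Usage, from an async context, once a keyId has been generated and stored:
///
///     try await attest(keyId: keyId, backend: myBackend)                 // once per key
///     let json = try await requestPremium(keyId: keyId, item: "gold_pack", backend: myBackend)
///
/// If either call throws DCError with code .invalidKey, discard the stored keyId and
/// start again from key generation; the old key is no longer usable.
func redeemPremiumItem(keyId: String, item: String, needsAttestation: Bool,
                       backend: AttestBackend) async throws -> Data {
    if needsAttestation {
        try await attest(keyId: keyId, backend: backend)
    }
    return try await requestPremium(keyId: keyId, item: item, backend: backend)
}
```

Note that the device never sees the verification result of the attestation object itself; that is your server’s decision, and the app should treat a rejected attestation exactly like an unsupported device and fall back to its own risk rules.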

There are four additional sections in the DeviceCheck framework documentation that you’ll want to check out:

  1. Accessing and modifying per-device data
  2. Assessing fraud risk
  3. Establishing your app’s integrity
  4. Validating apps that connect to your server

Handling errors

In the above code, we saw that some of Apple’s DeviceCheck APIs return an optional error.

Your app should handle these codes and inform the user if any errors occur.

Check out the documentation for the DCDevice and DCError classes in the DeviceCheck framework.

You can also obtain user-displayable error information from any DeviceCheck framework API that returns a DCError by reading its .code property. Its type, DCError.Code, is an enum backed by an integer whose cases are the predefined Apple error codes.

Using a standard Swift switch statement, you can then map each error code to a user-displayable string your app shows to the user.

Currently, there are five predefined DCError codes set by Apple:

  1. featureUnsupported
  2. invalidInput
  3. invalidKey
  4. serverUnavailable
  5. unknownSystemFailure

featureUnsupported means that some or all of the DeviceCheck API isn’t available. invalidKey means the key you tried to use failed.

On any error return from an Apple API or the key attestation, your app should display an appropriate localized text string to the user, informing them why it didn’t work.

You can also compare an error’s domain against the DCErrorDomain constant to confirm the error originated from the DeviceCheck framework.

Think of error domains as the categories errors are organized into. By checking the DCErrorDomain string, you can give users additional useful info on what type of error occurred.
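An added example (not from the article) of mapping the five DCError codes to user-facing messages and to a recovery action with a Swift switch. DCError, DCError.Code, its cases and DCErrorDomain are the framework’s own; the AttestRecovery enum, the message strings and the storage key name are assumptions of this example.

```swift
import DeviceCheck
import Foundation

/// What the app should do after a DeviceCheck or App Attest call fails.
enum AttestRecovery {
    case fallbackRiskRules   // App Attest unavailable: treat the caller as untrusted
    case regenerateKey       // stored key is unusable: discard keyId, generate and attest anew
    case retryLater          // transient: keep the key, retry with backoff
    case fixRequest          // we passed bad input: log for the developer, do not retry blindly
}

/// Maps any error from the DeviceCheck framework to a user-displayable message and a
/// recovery action. Message text is constructed for this example; ship it localized.
func describeDeviceCheckError(_ error: Error) -> (message: String, recovery: AttestRecovery) {
    // DCErrorDomain tells us the error came from DeviceCheck rather than, say, the transport.
    let nsError = error as NSError
    guard nsError.domain == DCErrorDomain, let dcError = error as? DCError else {
        return ("Something went wrong while checking your purchase. Please try again.", .retryLater)
    }

    switch dcError.code {
    case .featureUnsupported:
        return ("Purchase verification isn't available on this device.", .fallbackRiskRules)
    case .invalidInput:
        return ("This request could not be processed.", .fixRequest)
    case .invalidKey:
        return ("Your device needs to re-register. Please try again.", .regenerateKey)
    case .serverUnavailable:
        return ("Apple's verification service is temporarily unavailable. Please try again shortly.", .retryLater)
    case .unknownSystemFailure:
        return ("An unexpected system error occurred. Please try again.", .retryLater)
    @unknown default:
        // Future framework versions may add codes; treat them as transient.
        return ("An unexpected error occurred (code \(dcError.code.rawValue)).", .retryLater)
    }
}

/// Usage: wrap the App Attest calls from the previous steps with this handler.
/// `presentAlert` is whatever your UI layer uses to show a message.
func handleAttestFailure(_ error: Error, presentAlert: (String) -> Void) {
    let (message, recovery) = describeDeviceCheckError(error)
    presentAlert(message)

    switch recovery {
    case .regenerateKey:
        // The stored identifier is dead; forget it so the next run generates a new key.
        UserDefaults.standard.removeObject(forKey: "appAttestKeyId")   // storage key assumed
    case .fallbackRiskRules, .retryLater, .fixRequest:
        break   // the caller applies its own policy for these
    }
}
```

The `@unknown default` case matters because DCError.Code is imported from an Objective-C enum that Apple may extend; without it a future code would silently fall through a non-exhaustive switch at compile time.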

DeviceCheck and AppAttest are welcome additions to Apple app development. By using them in your app, you can secure your premium features and revenue without too much extra work.


Thieves snatched his phone in London


Akara Etteh had his phone stolen as he walked out of a Tube station.

Early on a Saturday morning in April, Akara Etteh was checking his phone as he came out of Holborn tube station, in central London.

A moment later, it was in the hand of a thief on the back of an electric bike – Akara gave chase, but they got away.

He is just one victim of an estimated 78,000 “snatch thefts” in England and Wales in the year to March, a big increase on the previous 12 months.

The prosecution rate for this offence is very low – the police say they are targeting the criminals responsible but cannot “arrest their way out of the problem”. They also say manufacturers and tech firms have a bigger role to play.

Victims of the crime have been telling the BBC of the impact it has had on them – ranging from losing irreplaceable photos to having tens of thousands of pounds stolen.

And for Akara, like many other people who have their phone taken, there was another frustration: he was able to track where his device went, but was powerless to get it back.

Phone pings around London

He put his iPhone 13 into lost mode when he got home an hour or so later – meaning the thieves couldn’t access its contents – and turned on the Find My iPhone feature using his laptop.

This allowed Akara to track his phone’s rough location and almost immediately he received a notification to say it was in Islington. Eight days later, the phone was pinging in different locations around north London again.

In a move he says he “wouldn’t recommend” with hindsight, he went to two of the locations his phone had been in to “look around”.

“It was pretty risky,” he said. “I was fuelled by adrenaline and anger.”

[Map: the phone’s locations popping up across London, before appearing in China.]

He didn’t speak to anyone, but he felt he was being watched and went home.

“I am really angry,” he said. “The phone is expensive. We work hard to earn that money, to be able to buy the handset, and someone else says ‘screw that’.”

Then, in May, just over a month after the theft, Akara checked Find My iPhone again – his prized possession was now on the other side of the world – in Shenzhen, China.

Akara gave up.

It is not uncommon for stolen phones to end up in Shenzhen – where if devices can’t be unlocked and used again, they are disassembled for parts.

The city is home to 17.6 million people and is a big tech hub, sometimes referred to as China’s Silicon Valley.

Police could not help

In the moments after Akara’s phone was stolen, he saw police officers on the street and he told them what had happened. Officers, he said, were aware of thieves doing a “loop of the area” to steal phones, and he was encouraged to report the offence online, which he did.

A few days later, he was told by the Metropolitan Police via email the case was closed as “it is unlikely that we will be able to identify those responsible”.

Akara subsequently submitted the pictures and information he had gathered from the locations where his stolen phone had been. The police acknowledged receipt but took no further action.

The Metropolitan Police had no comment to make on Akara’s specific case, but said it was “targeting resources to hotspot areas, such as Westminster, Lambeth and Newham, with increased patrols and plain clothes officers which deter criminals and make officers more visibly available to members of the community”.

Lost photos of mum

Many other people have contacted the BBC with their experiences of having their phones taken. One, James O’Sullivan, 44, from Surrey, says he lost more than £25,000 when thieves used his stolen device’s Apple Pay service.

Meanwhile, Katie Ashworth, from Newcastle, explained her phone was snatched in a park along with her watch, and a debit card in the phone case.

“The saddest thing was that the phone contained the last photos I had of my mum on a walk before she got too unwell to really do anything – I would do anything to get those photos back,” the 36-year-old says.

Again, she says, there was a lack of action from the police.

“The police never even followed it up with me, despite my bank transactions showing exactly where the thieves went,” she said.

“The police just told me to check Facebook Marketplace and local second-hand shops like Cex.”

‘Battle against the clock’ for police

So why are the police seemingly unable to combat this offence – or recover stolen devices?

PC Mat Evans, who has led a team working on this kind of crime for over a decade within West Midlands Police, admitted that only “quite a low number” of phones that are stolen actually get recovered.

He says the problem is the speed with which criminals move.

“Phones will be offloaded to known fences within a couple of hours,” he said.

“It’s always a battle against the clock immediately following any of these crimes, but people should always report these things to the police, because if we don’t know that these crimes are taking place, we can’t investigate them.”

And sometimes just one arrest can make a difference.

“When we do catch these criminals, either in the act or after the fact, our crime rates tank,” he said.

“Quite often that individual has been responsible for a huge swathe of crime.”

But the problem is not just about policing.

In a statement, Commander Richard Smith from the National Police Chiefs’ Council, which brings together senior officers to help develop policing strategy, said it would “continue to target” the most prolific criminals.

“We know that we cannot arrest our way out of this problem,” he said.

“Manufacturers and the tech industry have an important role in reducing opportunities for criminals to benefit from the resale of stolen handsets.”

Tracking and disabling

Mr Evans told the BBC phone snatchers will often wrap stolen phones in tinfoil to block the signal, meaning the device will only give a location when it is shown to others to be sold.

Stolen phones can already be tracked and have their data erased through services such as “Find My iPhone” and “Find My Device”, from Android.

But policing minister Dame Diana Johnson said this week the government wanted manufacturers to ensure that any stolen phone could be permanently disabled to prevent it being sold second-hand.

Police chiefs will also be tasked with gathering more intelligence on who is stealing phones and where stolen devices end up.

A growing demand for second-hand phones, both in the UK and abroad, is believed to be a major driver behind the recent rise in thefts, the government said.

The Home Office is to host a summit at which tech companies and phone manufacturers will be asked to consider innovations that could help stop phones being traded illegally.

PC Evans said there was “no magic bullet”, but he said there was one thing manufacturers could do which would be “enormously helpful” to the police – more accurate tracking.

“At this moment in time, phone tracking is okay,” he said.

“But it’s not that scene in Total Recall yet, where you’re able to run around with a tracking device in your hand, sprinting down the road after a little bleeping dot.

“I appreciate it’s a big ask from the phone companies to make that a thing, but that would be enormously helpful from a policing perspective.”

Apple and Android did not provide the BBC with a statement, but Samsung said it was “working closely with key stakeholders and authorities on the issue of mobile phone theft and related crimes”.

Additional reporting by Tom Singleton


Google abusing ad tech dominance, UK competition watchdog finds

Google uses anti-competitive practices to dominate the market for online advertising technology, a UK watchdog has provisionally found.

The potentially unlawful behaviour could be harming thousands of UK publishers and advertisers, an investigation by the Competition and Markets Authority (CMA) has warned.

It accuses Google of preventing rivals from “competing on a level playing field” with its own tech for the billions of pounds spent by UK businesses on online advertising.

Google said the watchdog’s findings were “flawed” and said it would respond.

According to the CMA, the vast majority of businesses use Google’s services when placing digital ads on websites.

Google maintains it has a strong business incentive to help UK firms thrive, and argues that advertisers choose to use Google because its products work well and help their businesses grow.

The watchdog will now consider representations from Google before deciding what action to take.

If Google is found to have broken competition law, the watchdog could impose a financial penalty of up to 10% of annual worldwide group turnover and issue legally binding directions to the firm.

“We’ve provisionally found that Google is using its market power to hinder competition when it comes to the ads people see on websites,” Juliette Enser, the CMA’s interim executive director of enforcement, said in a statement.

She pointed out that many businesses were able to keep their digital content free by using revenue from digital adverts, which reach millions of people across the UK.

“That’s why it’s so important that publishers and advertisers – who enable this free content – can benefit from effective competition and get a fair deal when buying or selling digital advertising space,” she wrote.

But Google’s vice president of global ads, Dan Taylor, argued the search giant’s advertising technology helped websites and apps fund their content, and effectively reach new customers.

“The core of this case rests on flawed interpretations of the ad tech sector. We disagree with the CMA’s view and we will respond accordingly,” he wrote.

Google’s activities in ad tech are also subject to continuing probes by the US Department of Justice and the European Commission.

Competition economist Dr Cristina Caffarra told the BBC that while the CMA’s statement of objections certainly presented “another headache” for Google, the regulator was merely “joining the club” of those who have already taken action.

“The UK is by no means some sort of pathfinder here,” she said.

The Department of Justice, state of Texas – which along with nine other states sued Google over alleged abuse of its ad tech dominance in 2020 – and the EU are all far ahead, Dr Caffarra added.

In 2023, EU competition regulators told Google it might need to sell part of its ad-tech business to address their concerns.

But the tech-giant has argued this would be a “disproportionate” step.

Separately, Google is seeking to appeal a UK court decision in June to allow a £13.6bn collective-action lawsuit against it to proceed.

The case alleges the search giant behaved in an anti-competitive way which caused online publishers in the UK to lose money.

Google has vowed to oppose the claim “vigorously and on the facts”.

Additional reporting by Liv McMahon


Could PS5’s old-school adventure be a lesson for Sony?

[Image, Sony: Astro Bot, a white robot with light blue eyes, dressed to resemble Kratos from God of War, with a beard, a buckled leather outfit and fur collar, holding a large axe beside a chopping block surrounded by logs.]

Bot the difference: Astro Bot features dozens of cameos from well-known PlayStation characters

It’s just a few hours before reviews of one of the year’s biggest PlayStation 5 releases arrive, and its director is talking about food.

Buffets, to be precise.

You might get a lot for your money, but how do you feel afterwards?

“Bloated, you’ve eaten too much and you just want to go and sleep,” says Nicolas Doucet, head of Sony-owned studio Team Asobi.

Gamers are fond of food metaphors. Developers don’t just make games, they “cook”. If you’re spoilt for choice with high quality new releases, you’re “eatin’ good”.

But Nicolas is referring to the sense that blockbuster publishers have tended to have an all-you-can-eat approach when it comes to making games.

For a while now, the industry’s biggest players have been focused on producing open-world titles offering dozens of hours of gameplay, or on attempts to muscle into the lucrative online market.

Both genres have produced some huge hits, but Nicolas wonders if there is an appetite for something more like “that two-course meal that is going to be just the right amount”.

Astro Bot could be just the recipe Sony has been looking for.

Earlier this week the Japanese company announced it was pulling Concord – one of its other recent big games – from sale after a tepid response from critics and players.

The online shooter is the latest high-profile bid to corner the so-called “live service” market dominated by the likes of Fortnite and Apex Legends that’s failed to attract a large audience.

But in a quiet year for first-party PlayStation releases, Astro Bot has received some of the highest review scores of 2024 and some critics say it’s one of Sony’s best in ages.

At its heart it’s an old-school 3D platformer that’s crammed full of references to PlayStation’s 30-year history.

The game’s main objective is to rescue 300 Astro Bots hidden around various themed levels, with about half of those decked out in cosplay to resemble characters from the console’s past.

But as much as it’s a nostalgic reminder of Sony’s great successes, could it also be a lesson for the company’s future?

[Image, Team Asobi: five white robotic cats with black screens for faces train their blue LED eyes on a board decorated like a piece of cheese, while a smaller robot peeks nervously through a hole in the middle.]

Catstro Bot: Astro Bot picks up powers throughout the game that allow it to change size, shape and, in one case, species

If you’re one of the world’s 60 million PlayStation 5 owners, you’re almost certainly familiar with Astro Bot.

The cute mascot character appeared in 2020’s Astro’s Playroom, a short, three-hour adventure pre-installed on every machine.

It was designed to act as a tech demo for the hardware and its advanced controller, but people loved it.

“And it did highlight perhaps the fact that people are craving for these kind of games,” says Nicolas.

Releasing a 3D platformer in 2024 is, on paper, a daunting prospect. Nicolas admits the genre – a staple of the PlayStation 2 era – isn’t very common these days.

And, he says: “The ones that do exist are very, very high quality from people who’ve been making them for years and years.”

It’s also a genre Sony has moved away from recently, and its biggest releases have been more adult, cinematic titles such as God of War and The Last of Us.

Nicolas thinks this is a sign of audiences, and the developers making games for them, maturing.

But he admits that left a gap which Team Asobi – a relatively young studio – was eager to fill.

“I think there needs to be more games that are there just to relax, have a little bit of fun, that are not dramatic, that are not necessarily heavily story driven, where you can just mess around with a game and it’s fun,” says Nicolas.

“But, of course, it needs to be executed well.”

Astro Bot’s been widely praised for its polish, attention to detail and the way it plays, drawing comparisons with Mario – for many, the undisputed king of 3D platformers.

Nicolas considers descriptions of Astro Bot as “old school” a compliment and that going “back to basics” helped with the game’s development.

As concerns grow over spiralling budgets, Astro Bot was made in three-and-a-half years by a team of about 65 people – a relatively short time and small staff by modern standards.

Nicolas says the game’s bite-sized nature – it’s divided across 50 short, playable stages – helped to simplify development and made it easier to “swap things around”.

“Whereas when you’re tied to something that is one storyline, one timeline that is set, it’s very difficult,” he says.

“You have less flexibility.”

[Image, Team Asobi: Astro Bot clings to a flying PS5 controller as it swoops over the sea towards a distant island with a wrecked ship on its shore.]

The PS5’s DualSense controller is a key part of the Astro Bot experience, throbbing and humming as players jet into a new level

Sony will now be hoping that Astro Bot’s glowing reception translates into big sales, but comparisons with Concord’s swift fall have already begun.

It’s also shone a light on characters Sony could revive, and prompted some people to question whether the company will shift its recent focus on the live-service market.

Under previous PlayStation boss Jim Ryan, the company announced plans to launch 12 online-focused games. It’s since scaled that back to six.

As for single-player titles, some of Sony’s biggest in-house studios haven’t yet revealed PS5 projects.

Hermen Hulst, one of two new CEOs in charge of Sony’s gaming division, told the BBC in a statement it was “very important we offer a wide variety of titles to our community” and that “Astro Bot fills an important part of our portfolio”.

He praised Team Asobi for creating “something special that is light-hearted and delightful” with “incredibly fun gameplay”.

Astro Bot is also “a great opportunity for families to game together”, he said.

Nicolas opts not to comment on the Concord situation or bigger, strategic moves, but he does agree with his boss that Astro Bot has given PS5 a game that can “bridge generations”.

Many reviewers have remarked on how cameos from the past have reminded them of growing up with Crash Bandicoot, Jak and Daxter or the cast of Ape Escape – characters that set them on the path to becoming gamers.

Nicolas says he often gets messages from parents who’ve played Astro’s Playroom with their children talking about their experiences, and he hopes that the new game will create more shared moments.

“I’m really happy that, besides the game itself, there’s a greater good, if you like, that we’re able to tell stories like that,” he says.

“And I really hope that we can brighten some people’s homes thanks to that experience.”

Additional reporting by Tom Gerken.

Copyright © 2024 World Daily Info. Powered by Columba Ventures Co. Ltd.