devicecheck | Reduce fraudulent use of your services by managing device | REST library

This app attest step is to verify the certificate chain. You will get 2 certificates in attestation request i.e. under x5c[0], x5c[1]. These are leaf and intermediate certificates.

To verify the certificate chain, x5c[0] certificate should be signed by x5c[1] and x5c[1] certificate should be signed by Apple App attest root certificate.

Sample code for this

"Octet string" is just a spec phrase that modern languages call "byte array". You've extracted the value as of octs, and should compare that value to whatever nonce you're supposed to compare it against.

How does Firebase App Check using iOS DeviceCheck work?

In short, SDKs will ask the AppCheck SDK for a special AppCheck token when making a request. When using App Check is configured to use DeviceCheck, it will generate the requested token with the help of the DeviceCheck framework.

I am not understanding what exactly is happening under the hood ...

And here's a little more detail to help clarify things:

The AppCheck SDK uses AppCheckProviders to generate app check tokens. There are 4 types of AppCheckProviders:

1. AppAttestProvider
2. DeviceCheckProvider
3. AppCheckDebugProvider
4. Custom providers that you create as a subclass of AppCheckProvider

For certain Firebase SDKs that support AppCheck enforcement (i.e. Firestore), they will ask the AppCheck SDK for an AppCheck token when sending a request. The AppCheck SDK generates a token using one of the 4 AppCheckProviders listed above. You can customize which provider is used by using AppCheck's AppCheck.setAppCheckProviderFactory(_:) API. I wrote more about it's purpose in this answer.

... I want to make sure it is working correctly

If you're able to see request metrics in the Firebase console, AppCheck is implemented correctly and working. If you've enabled enforcement, you should start to see some enforced requests in the metrics graph.

Could someone explain to me how Device Check works in this scenario with Firebase ...

So when the AppCheck SDK is using the DeviceCheckProvider (this provider is the default one!), the AppCheck SDK will be creating AppCheck tokens with the help of Apple's DeviceCheck framework.

how it (Device Check) is different from iOS App Attest that Firebase also supports?

The answer here can be found in Apple's documentation for DeviceCheck.

In short, the difference is in the two names.

Device Check is useful for verifying that requests are originating from an actual device. For example, let's say you have an iOS app and are using Firebase AppCheck with the DeviceCheckProvider. If you enable enforcement, only requests coming from actual devices should be successful. So if I try to hit your backend API by curl'ing a request from the command line, it should get rejected since there is no token to confirm the request is coming from an actual device. This protects the backend from such abuse.

App Attest is part of the Device Check framework and offers more advanced verification by attesting that the request is coming from a valid instance of your app. To understand why this is useful, consider your iOS app is configured to use Firebase AppCheck with the DeviceCheckProvider. Let's say a hacker recompiles your app onto an actual device. In this case, DeviceCheck's effectiveness diminishes as requests sent from this malicious copy are technically coming from an "actual device" so a valid token will be generated. App Attest's more advanced attestation can attest that the request is coming from a valid instance of your app. In this example, the hacker's copy would not be a valid instance.

At this point, you might be wondering why you would ever use DeviceCheck when you can use the more advanced App Attest and the reason is OS availability: App Attest is only available for iOS 14.0+.

I hope this answered your questions! 🙂

After a while I came up with the following solution. The $x5c field contains a list of certificates, all in binary form. I wrote the folowing converter to create a ready-to-use certificate in PEM format, which does the following:

1. base64 encode the binary data
2. break lines after 64 bytes
3. add BEGIN and END markers (also note the trailing line-break on the end certificate line)

In integration testing section, according to official firebase document:

In addition to manual testing, Firebase Authentication provides APIs to help write integration tests for phone auth testing. These APIs disable app verification by disabling the reCAPTCHA requirement in web and silent push notifications in iOS. This makes automation testing possible in these flows and easier to implement. In addition, they help provide the ability to test instant verification flows on Android.

On Android, call setAppVerificationDisabledForTesting() before the signInWithPhoneNumber call. This disables app verification automatically, allowing you to pass the phone number without manually solving it. Note that even though reCAPTCHA and/or SafetyNet are disabled, using a real phone number will still fail to complete sign in. Only fictional phone numbers can be used with this API.

The point of the challenge is to avoid replay attacks, so it can be any randomised string. A UUID would be fine. It doesn't need to be a secret.

The challenge string is combined with the transaction data and a hash is generated. You send the hash to and you send that to generateAssertion and receive the assertion object. You then send this to your server along with the request data.

Now your server can combine the received request data with the challenge (which it knows, since it sent it to the client initially), generate the same hash and validate the attestation.

The server-side attestation article provides detail on the challenge data:

Provide a Challenge

Every time your app needs to communicate attestation data to your server, the app first asks the server for a unique, one-time challenge. App Attest integrates this challenge into the objects that it provides, and that your app sends back to your server for validation. This makes it harder for an attacker to implement a replay attack.

When asked for a challenge, provide your app with a randomized data value, and remember the value for use when verifying the corresponding attestation or assertion objects sent by the client. How you use the challenge data depends on the kind of object that you need to validate.

Allright so this is a bug. I reproduced your issue using the python docker container, only installing the latest tensorflow. What fixed it, was renaming code.py to test.py (or anything else for that matter). This means this this is for sure a tensorflow issue. During import tensorflow, python will for some reason also import your code.py. Will you file an issue or should I?

I used to have this problem too, but I decided to use a $0 non-consumable purchase since that will be recorded in the Apple receipt file. Depending on what you need it for, this could be the simplest way to do something similar to DeviceCheck without adding your own server component

it->capabilities is the std::vector capabilities of the Device pointed to by the current iterator it. To iterate over capabilities you'd do: