App Attestation¶
Introduction¶
SAP BTP SDK for iOS v9.1 introduces app attestation (Apple calls the underlying feature "App Attest"; it is part of the DeviceCheck framework), a security feature that lets app developers verify the integrity of their app on a user's device. This is achieved using a cryptographic key pair that is generated in the device's Secure Enclave and is unique to the combination of device and app.
With app attestation enabled, when the app on a user's device requests access to a server-side API, SAP Mobile Services verifies that the request is coming from a legitimate instance of the app on a legitimate Apple device.
This helps to prevent unauthorized access to the server-side API: because the private key cannot be extracted from the Secure Enclave, an attacker cannot simply copy the app, the key, or a captured token to another machine, but would need to drive the genuine app on a genuine device. Attestation is therefore a check on the client, and it complements rather than replaces user authentication.
How It Works¶
The SAP BTP SDK for iOS uses Apple's DeviceCheck framework to perform attestation and assertion. The complete process is explained in Apple's article Establishing your app's integrity.
Attestation happens once per installation: the SDK generates the key and obtains an attestation object from Apple, and SAP Mobile Services verifies it. Assertion then proves that the same key signed a server-provided challenge; after SAP Mobile Services has successfully verified the assertion, it issues an attestation token.
The SDK then adds the attestation token to each request that is sent from the application, so individual requests do not need to go through the DeviceCheck framework again.
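To make the three stages concrete, the following is an added example that is not code from the SAP BTP SDK, SAP Mobile Services, or Apple's documentation. It drives Apple's DeviceCheck API directly against a hypothetical backend: the endpoint paths, the JSON field names, the reply shape, and the header name are assumptions chosen for illustration and are not the SAP Mobile Services wire format. In a real app built on the SDK, ApplicationAttestationStep or AttestationObserver performs this work for you.

```swift
import CryptoKit
import DeviceCheck
import Foundation

/// Errors raised by the example client.
enum AttestationError: Error {
    case unsupported          // simulator, or hardware without App Attest
    case serverRejected(Int)  // hypothetical backend refused the proof
    case malformedReply       // backend reply did not contain a token
}

/// Walks through Apple's App Attest flow against a hypothetical backend.
/// Endpoint paths, header names and JSON field names are assumptions for
/// illustration; SAP Mobile Services has its own wire format.
final class AppAttestClient {
    private let service = DCAppAttestService.shared
    private let baseURL: URL
    private let keyIDDefaultsKey = "example.appattest.keyID"
    private(set) var attestationToken: String?

    init(baseURL: URL) { self.baseURL = baseURL }

    /// Step 1 (once per install): create a key in the Secure Enclave and
    /// prove to the server that a genuine app on a genuine device owns it.
    func attestIfNeeded() async throws -> String {
        guard service.isSupported else { throw AttestationError.unsupported }
        if let keyID = UserDefaults.standard.string(forKey: keyIDDefaultsKey) {
            // Only the opaque key ID is stored; the private key never leaves the Secure Enclave.
            return keyID
        }
        // A fresh server challenge stops a captured attestation from being replayed.
        let challenge = try await get("/attest/challenge")
        let keyID = try await service.generateKey()
        let clientDataHash = Data(SHA256.hash(data: challenge))
        let attestation = try await service.attestKey(keyID, clientDataHash: clientDataHash)
        _ = try await post("/attest/verify", json: [
            "keyId": keyID,
            "challenge": challenge.base64EncodedString(),
            "attestation": attestation.base64EncodedString(),
        ])
        UserDefaults.standard.set(keyID, forKey: keyIDDefaultsKey)
        return keyID
    }

    /// Step 2: sign a server challenge with the attested key and exchange the
    /// assertion for an attestation token issued by the backend.
    func obtainAttestationToken() async throws -> String {
        let keyID = try await attestIfNeeded()
        let challenge = try await get("/assert/challenge")
        let clientDataHash = Data(SHA256.hash(data: challenge))
        let assertion = try await service.generateAssertion(keyID, clientDataHash: clientDataHash)
        let reply = try await post("/assert/verify", json: [
            "keyId": keyID,
            "challenge": challenge.base64EncodedString(),
            "assertion": assertion.base64EncodedString(),
        ])
        // Assumed reply shape: {"attestationToken": "<opaque string>"}
        guard let json = try JSONSerialization.jsonObject(with: reply) as? [String: Any],
              let token = json["attestationToken"] as? String else {
            throw AttestationError.malformedReply
        }
        attestationToken = token
        return token
    }

    /// Step 3: attach the token to every outgoing request. The header name is an assumption.
    func attach(to request: URLRequest) async throws -> URLRequest {
        var request = request
        let token: String
        if let cached = attestationToken {
            token = cached
        } else {
            token = try await obtainAttestationToken()
        }
        request.setValue(token, forHTTPHeaderField: "X-Attestation-Token")
        return request
    }

    // Minimal HTTP helpers; any non-2xx status is treated as a rejection.
    private func get(_ path: String) async throws -> Data {
        let (data, response) = try await URLSession.shared.data(from: baseURL.appendingPathComponent(path))
        try checkStatus(response)
        return data
    }

    private func post(_ path: String, json: [String: String]) async throws -> Data {
        var request = URLRequest(url: baseURL.appendingPathComponent(path))
        request.httpMethod = "POST"
        request.setValue("application/json", forHTTPHeaderField: "Content-Type")
        request.httpBody = try JSONSerialization.data(withJSONObject: json)
        let (data, response) = try await URLSession.shared.data(for: request)
        try checkStatus(response)
        return data
    }

    private func checkStatus(_ response: URLResponse) throws {
        let status = (response as? HTTPURLResponse)?.statusCode ?? -1
        guard (200..<300).contains(status) else { throw AttestationError.serverRejected(status) }
    }
}
```

The async DeviceCheck and URLSession calls used here require iOS 15 or later. Two details matter for security: each attestation and assertion is bound to a freshly fetched server challenge through clientDataHash, which is what prevents a captured proof from being replayed, and the value persisted on the device is only the key identifier, never key material.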
Enabling App Attestation¶
You can enable app attestation by using SAP BTP SDK Assistant for iOS v9.1, or by filling in the required information and enabling iOS Attestation in the Attestation tab of the mobile services cockpit.
Note
A debug token is not supported in SAP BTP SDK for iOS v9.1.
Once attestation is enabled, add the newly introduced ApplicationAttestationStep to the onboardingSteps and restoringSteps in OnboardingFlowProvider.swift, right after the authentication step.
For example, for an app with OAuth2 authentication:
public var onboardingSteps: [OnboardingStep] {
    return [
        ...
        OAuth2AuthenticationStep(),
        ApplicationAttestationStep(), // must come directly after the authentication step
        ...
    ]
}

public var restoringSteps: [OnboardingStep] {
    return [
        ...
        OAuth2AuthenticationStep(),
        ApplicationAttestationStep(), // same position when restoring an existing onboarding
        ...
    ]
}
Note
If you use SAP BTP SDK Assistant for iOS v9.1, the required code is automatically added as part of the app generation process.
You can also use AttestationObserver from SAPFoundation instead of the ApplicationAttestationStep if you prefer.
Initialize an instance of AttestationObserver and register it with SAPURLSession:
// Create the AttestationObserver using the initializer
let observer = AttestationObserver(store: persistentStore,
                                   sapCpmsSettingsParameters: settingsParameters,
                                   sapUrlSession: sapURLSession,
                                   maxAppleServerFailureRetries: 3)

// The observer is nil if App Attest is not supported on this Apple device
if let observer = observer {
    Task {
        // Fetch the attestation settings from SAP Mobile Services first
        _ = await observer.getAttestationSettings()
        // Register the observer so the token is added to requests sent through this session
        sapURLSession.register(observer)
    }
}
The initializer for AttestationObserver is failable: it returns nil if app attestation is not supported on the Apple device, so always handle the nil case rather than force-unwrapping the result.
Note
In SAP BTP SDK for iOS v9.1, app attestation is not supported on the iOS simulator. To use this feature, the app must be run on a physical device.
Once the code changes have been made, add the App Attest capability to the application target in Xcode. This adds the App Attest Environment key (com.apple.developer.devicecheck.appattest-environment) to the entitlements file, with a string value of development or production denoting the environment that will be used for attestation. You can confirm that the entitlement made it into a signed build with codesign -d --entitlements :- path/to/YourApp.app.
Note
If you have a large user base for your app, Apple recommends enabling attestation in stages to avoid overwhelming Apple servers.
Enforcing App Attestation¶
After you enable attestation, you can enforce it in the mobile services cockpit. Enforcing attestation makes it compulsory for a request to carry an attestation token in the request header; otherwise, SAP Mobile Services rejects the request. Until you enforce it, requests without a token are still served, which is what allows the staged rollout described above; enabling alone is therefore not yet a security control.