Is Attestation All We Need? Fooling Apple's AppAttest API
Hack In The Box Security Conference via YouTube
Syllabus
Intro
Igor's background
Agenda
Coverage
Client-side protections
What is tampering?
Anti-tampering methods
Resource integrity check
Trust
AppAttest API
Sample App
Generate Initial Key
Generate Hash Value
TestKey Function
Apple's server
AppAttest Object
Validation Steps
Risk Metric
Assertion Object
Verification
Assertion Object Validation
Does it mean we are protected?
No clear acceptance
Possible hooking/patching
Bypass scenarios
Bypass Scenario 1
Bypass Scenario 2
iOS Versions
Validation
Benefits
Limitations
Should you implement it?
Caveats
In conclusion
Resources
Thank you
Taught by
Hack In The Box Security Conference