Insight Author
Tim Colla
Senior Software Developer

How to Prevent Fraud Without Compromising User Privacy

Getting started with DeviceCheck on iOS 11

October 24, 2017
Marino Insights Cover Image

A Big Win for Security and Privacy on iOS 11

[Skip straight into to the code in our fully working DeviceCheck sample]

Apple announced DeviceCheck at WWDC 2017 which lets developers tie data to a particular iOS device while maintaining user privacy. This API gives app developers 2 bits of data (so 4 possible states) plus a timestamp to store on Apple's server per device, per developer account. These states will be maintained through app deletion, app reinstall, erasing all device content and settings, and transferring devices between users.

It's entirely up to the developer what these 4 states mean but by way of example: say we have a promotion for an app that a user gets a free item on the first install - we can now save the fact that the device has claimed their free item on Apple's servers in a way that can't be gamed by reinstalling the app or resetting the device. 

This might seem like a niche use case that can be solved in other ways, but it's a big win for security and privacy as in certain cases we're now able to avoid sending user data or device identifiers and storing them on our servers.

How DeviceCheck Works

From the Privacy and Your App WWDC 2017 session

1) Firstly you get an ephemeral token on the device

2) Send this to your server

3) Then your server sets the two bits on Apple's server through an API call. Some time later then the user deletes and reinstalls the app (4 and 5) 

‍From the Privacy and Your App WWDC 2017 session

6) Get the token again

7) Send this to your server

8) Query Apple's server for your bits for this device (01 in this diagram)

Best Practices

  • Have a way for users to get in touch if their device state isn't correct for them (like if the phone has been given to someone else).
  • Interpret the data taking into consideration when it was set. If a state was updated a year ago this might mean something different to you than if it was updated last week. 
  • Take care changing UI based on these states - make sure a legitimate first time user doesn't get a welcome back message.

Sample Implementation

The documentation for this new API was a bit sparse and we didn't come across any working examples so we created a sample NodeJS server and accompanying iOS app. In the app, you can set the 4 different states and then query the state of the device. Get all the code on github.

We Can Help you with Secure App Development

Marino Software develops apps with security and privacy built in from the very beginning. If security and privacy are an important part of your next app or if you need help preventing app fraud, let's talk.

!@THEqQUICKbBROWNfFXjJMPSvVLAZYDGgkyz&[%r{\"}mosx,4>6]|?'while(putc 3_0-~$.+=9/2^5;)<18*7and:`#

More from the blog

More blog posts