[Skip straight to the code in our fully working DeviceCheck sample]
Apple announced DeviceCheck at WWDC 2017. It lets developers tie data to a particular iOS device while maintaining user privacy. The API gives app developers 2 bits of data (so 4 possible states) plus a timestamp to store on Apple's servers, per device and per developer account. These states persist through app deletion, app reinstall, erasing all device content and settings, and transferring the device between users.
It's entirely up to the developer what these 4 states mean, but by way of example: say we run a promotion where a user gets a free item on the first install of an app. We can now record on Apple's servers that the device has already claimed its free item, in a way that can't be gamed by reinstalling the app or resetting the device.
This might seem like a niche use case that could be solved in other ways, but it's a big win for security and privacy: in certain cases we can now avoid sending user data or device identifiers to our servers and storing them there at all.
1) First, get an ephemeral token on the device.
2) Send this token to your server.
3) Your server then sets the two bits on Apple's server through an API call. Some time later, the user deletes and reinstalls the app (steps 4 and 5 in the diagram).
6) Get the token again.
7) Send this to your server.
8) Query Apple's server for your bits for this device (01 in this diagram).
The documentation for this new API was a bit sparse, and we didn't come across any working examples, so we created a sample NodeJS server and an accompanying iOS app. In the app you can set the 4 different states and then query the state of the device. Get all the code on GitHub.
Marino Software develops apps with security and privacy built in from the very beginning. If security and privacy are an important part of your next app or if you need help preventing app fraud, let's talk.