Apple App Attest
| Plan | Platforms | MASVS |
|---|---|---|
| Enterprise | iOS | MASVS-RESILIENCE-1, MASVS-RESILIENCE-2 |
Summary
Apple App Attest helps verify that requests come from a genuine instance of your iOS app running on a supported Apple device. AppTego uses Apple's attestation service to establish device and app trust, then applies the response policy you configure when validation fails.
Use this control for iOS apps that protect financial data, identity data, regulated records, enterprise access, licensed content, or high-risk account actions.
What It Protects Against
- Requests from modified or repackaged app binaries.
- Scripted API abuse that does not originate from the genuine app.
- Unsupported environments that cannot provide Apple App Attest signals.
- Some classes of device or app tampering when combined with jailbreak, debugger, and hook detection.
How It Works
The protected app performs Apple-supported attestation on eligible devices and AppTego validates the result before treating the device as trusted. The attestation is bound to your app identity and is designed to make request forgery harder for modified clients.
AppTego handles the platform-specific attestation protocol and server-side validation. You configure the app identity, response action, rollout environment, and customer-facing message.
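To illustrate what "bound to your app identity" means in practice, here is an added example (not AppTego's code) of the authenticator-data checks from Apple's published App Attest server validation steps: App ID hash, counter, environment AAGUID, and key identifier. Certificate-chain and nonce verification are separate steps not shown, and the Team ID, Bundle ID, key identifier and function names are constructed placeholders.

```python
import hashlib
import struct

PROD_AAGUID = b"appattest" + b"\x00" * 7   # production environment
DEV_AAGUID = b"appattestdevelop"           # development environment

# Constructed placeholder identifiers, not real values.
TEAM_ID = "ABCDE12345"
BUNDLE_ID = "com.example.bank"
KEY_ID = hashlib.sha256(b"constructed public key").digest()


def check_auth_data(auth_data, team_id, bundle_id, key_id, production=True):
    """Return the names of failed checks; an empty list means all passed."""
    # Layout: rpIdHash(32) flags(1) counter(4) aaguid(16) credIdLen(2) credId
    if len(auth_data) < 55:
        return ["truncated"]
    rp_id_hash = auth_data[:32]
    counter = struct.unpack(">I", auth_data[33:37])[0]
    aaguid = auth_data[37:53]
    cred_len = struct.unpack(">H", auth_data[53:55])[0]
    cred_id = auth_data[55:55 + cred_len]

    failures = []
    # The RP ID hash must equal SHA-256 of "<TeamID>.<BundleID>".
    if rp_id_hash != hashlib.sha256(f"{team_id}.{bundle_id}".encode()).digest():
        failures.append("app_id")
    if counter != 0:  # the counter is 0 at attestation time
        failures.append("counter")
    if aaguid != (PROD_AAGUID if production else DEV_AAGUID):
        failures.append("environment")
    if len(cred_id) != cred_len or cred_id != key_id:
        failures.append("key_id")
    return failures


def build_sample(team_id, bundle_id, key_id, aaguid, counter=0):
    """Build constructed authenticator data for the demo (not from a device)."""
    rp = hashlib.sha256(f"{team_id}.{bundle_id}".encode()).digest()
    header = rp + b"\x40" + struct.pack(">I", counter) + aaguid
    return header + struct.pack(">H", len(key_id)) + key_id


if __name__ == "__main__":
    genuine = build_sample(TEAM_ID, BUNDLE_ID, KEY_ID, PROD_AAGUID)
    clone = build_sample(TEAM_ID, "com.example.clone", KEY_ID, PROD_AAGUID)
    dev = build_sample(TEAM_ID, BUNDLE_ID, KEY_ID, DEV_AAGUID)
    for name, data in [("genuine", genuine), ("clone", clone), ("dev", dev)]:
        print(name, check_auth_data(data, TEAM_ID, BUNDLE_ID, KEY_ID))
```

A build signed under a different Bundle ID fails the `app_id` check, and a development-environment attestation fails `environment` when validated as production, which is why the production Bundle ID, Team ID and environment all have to match what the server expects.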
How to Enable the Control
Navigate to Detection & Response in the AppTego portal and expand the App Integrity And Attestation section, where you will find the Apple App Attest control. Click Enable Configuration, choose the response action, and save the configuration. It takes effect in the next build, or through a live push if that is enabled.
API Configuration Example
```json
{
  "AppAttestCheck": {
    "detection": true,
    "action": "alert",
    "title": "Apple App Attest",
    "message": "This app instance could not pass the configured App Attest check. Please follow your organization's security guidance before continuing.",
    "buttons": ["OK"],
    "actions": ["close"],
    "redirects": [""]
  }
}
```
| Field | Purpose |
|---|---|
| `detection` | Enables the Apple App Attest response check. |
| `action` | Selects the response style, such as alert, close, log, or warn. |
| `title` / `message` | User-facing text shown when a response is displayed. |
| `buttons` / `actions` / `redirects` | Defines the available response buttons and their outcomes. |
Setup
- Confirm the app has the required Apple Developer configuration for App Attest.
- Open the AppTego Portal.
- Go to App Integrity.
- Create or edit the iOS App Attest configuration.
- Enter the production Bundle ID and Apple Developer Team ID.
- Choose the failure response for Development, Staging, and Production.
- Build a protected iOS app and test on physical devices.
Rollout Guidance
| Stage | Recommendation |
|---|---|
| Development | Use Log or a non-blocking Message response while confirming device coverage. |
| Staging | Test on supported physical devices, older supported iOS versions, and managed devices. |
| Production | Enforce only after you understand unsupported-device and network-failure behavior. |
| Support readiness | Prepare guidance for users on unsupported devices, unofficial builds, or devices that cannot complete attestation. |
User And App Impact
App Attest requires a supported physical Apple device and network access during validation. Simulators cannot provide production attestation. If validation fails, the app follows your configured response, which can include logging, showing a message, redirecting to support guidance, or terminating the app.
Do not use simulator results as production validation for this control. Test on real devices before enforcing.