AppAttest attestKey returns invalid key error

Dear Experts,

I have App Attest deployed in an app that is currently in TestFlight. It works OK most of the time.

For one particular user, however, attestKey fails with DCErrorInvalidKey for a new key that it has just created.

I have some insight into what the app is doing because I send diagnostics to the server. It seems that for this user, the sequence of events is:

  1. Initially the app has no key ID saved.
  2. The user initiates an action that requires App Attest-signed communication with my server.
  3. The app calls generateKey which seems to succeed.
  4. The app fetches a challenge from the server.
  5. The app calls attestKey.
  6. attestKey returns DCErrorInvalidKey.
  7. The app doesn't save the key ID persistently, so next time the same thing happens.

attestKey really shouldn't fail with the invalid key error for a key that it has just created, should it?

What could be going on here?
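An added Swift sketch of the client-side sequence listed above, not the poster's code, showing where a key ID should and should not be persisted so that a key rejected by attestKey is never reused while a key that merely hit a transient service error can be retried. `fetchChallenge`, `sendAttestation` and the UserDefaults keys are assumptions standing in for the app's own server calls and storage.

```swift
import DeviceCheck
import CryptoKit
import Foundation

enum AttestError: Error { case unsupported, serverRejected }

final class AttestClient {
    private let service = DCAppAttestService.shared
    private let store = UserDefaults.standard          // assumed persistence
    private let attestedKey = "appAttest.attestedKeyId" // assumed key names
    private let pendingKey = "appAttest.pendingKeyId"

    // Returns a key ID that both Apple and the app's server have accepted,
    // generating and attesting a new key when none is stored yet.
    func attestedKeyId(fetchChallenge: () async throws -> Data,
                       sendAttestation: (String, Data) async throws -> Bool) async throws -> String {
        guard service.isSupported else { throw AttestError.unsupported }
        if let saved = store.string(forKey: attestedKey) { return saved }

        // Reuse a key only if its earlier attestation failed for a transient reason.
        let keyId: String
        if let pending = store.string(forKey: pendingKey) {
            keyId = pending
        } else {
            keyId = try await service.generateKey()
        }

        let challenge = try await fetchChallenge()
        // Apple expects clientDataHash to be the SHA-256 of the server challenge.
        let clientDataHash = Data(SHA256.hash(data: challenge))

        let attestation: Data
        do {
            attestation = try await service.attestKey(keyId, clientDataHash: clientDataHash)
        } catch let error as DCError where error.code == .serverUnavailable {
            store.set(keyId, forKey: pendingKey)    // transient: retry this same key later
            throw error
        } catch {
            // Covers .invalidKey, the case in the thread: discard the key, persist nothing,
            // and let the caller report the failure so the server can apply its own policy.
            store.removeObject(forKey: pendingKey)
            throw error
        }

        // Persist the key ID only after the app's server has verified the attestation.
        guard try await sendAttestation(keyId, attestation) else { throw AttestError.serverRejected }
        store.set(keyId, forKey: attestedKey)
        store.removeObject(forKey: pendingKey)
        return keyId
    }
}
```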

Replies

Does anyone know what the expected behaviour is on a hacked device? Presumably App Attest is expected to fail; does it fail by returning DCErrorInvalidKey from attestKey?

FB13679917

I've now found that these users also fail DeviceCheck's device validation.