2

Simple question, no biggie.

I'm trying to secure a React-Native application by validating tokens on the backend that were generated by Android SafetyNet and Apple DeviceCheck. I then create an access token to the API after the device passes the attestation/device check on the backend.

My question is, could a hacker bypass Apple's DeviceCheck (and Google's SafetyNet) and still generate a valid token from Apple's API despite the fact that the device is jailbroken?

Dr. Div
  • 951
  • 14
  • 26

1 Answer

0

If a device passes Apple's isSupported check, it is eligible to get the key back from Apple.

Ideally, you should use code obfuscation tools like Arxan/Digital.ai, which provide static jailbreak and dynamic-instrumentation checks. Using these, you should aim to obfuscate the code that contains the generateKey and attestKey calls.

Why obfuscate these 2?

generateKey - Replacing it with keys owned by the adversary can compromise the rest of the cycle.

attestKey - Prevent replay and prevent attestationObject portability.

grow4gaurav
  • 3,145
  • 1
  • 11
  • 12
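The backend flow the question describes (validate the platform attestation, then mint an API access token) and the replay concern the answer raises are easiest to see in code. The following is an added example, not code from either poster. It takes the Android SafetyNet side: a server-issued single-use nonce bound into the attestation, the policy checks a backend applies to the decoded JWS payload (nonce, timestamp, package name, signing-certificate digest, ctsProfileMatch/basicIntegrity), and a short-lived HMAC access token issued only after the checks pass. It assumes the JWS signature and x5c chain have already been verified against Google's root with the leaf issued to attest.android.com (that step needs an X.509 library and is not repeated here); the package name, digest, TTL values and the demo JWS are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumed policy values (constructed for this example).
NONCE_TTL_SECONDS = 120          # a server nonce must be attested within this window
TIMESTAMP_SKEW_MS = 5 * 60_000   # tolerated gap between payload timestampMs and server clock
ACCESS_TOKEN_TTL_SECONDS = 900   # lifetime of the API token minted after a pass


class NonceStore:
    """Single-use server nonces: each is handed to one attestation request and
    deleted on first use, so a captured attestation cannot be replayed later."""

    def __init__(self):
        self._issued_at = {}

    def issue(self, now):
        nonce = secrets.token_urlsafe(24)
        self._issued_at[nonce] = now
        return nonce

    def consume(self, nonce, now):
        issued_at = self._issued_at.pop(nonce, None)   # pop: a second use fails
        return issued_at is not None and now - issued_at <= NONCE_TTL_SECONDS


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_safetynet_payload(jws):
    """Split a compact JWS and return its JSON payload. Assumes the caller has
    already validated the x5c chain and signature (see lead-in)."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if "x5c" not in header:
        raise ValueError("JWS header carries no certificate chain")
    return json.loads(_b64url_decode(parts[1]))


def check_safetynet_payload(payload, nonces, package_name, apk_cert_digest, now):
    """Policy checks on a decoded SafetyNet payload. Returns a list of failure
    reasons; an empty list means the device passed."""
    problems = []
    # The payload nonce is standard base64 of the bytes the app passed to the API.
    try:
        nonce = base64.b64decode(payload.get("nonce", "")).decode()
    except (ValueError, UnicodeDecodeError):
        nonce = ""
    if not nonces.consume(nonce, now):
        problems.append("nonce unknown, expired or already used")
    if abs(now * 1000 - payload.get("timestampMs", 0)) > TIMESTAMP_SKEW_MS:
        problems.append("timestampMs outside allowed skew")
    if payload.get("apkPackageName") != package_name:
        problems.append("apkPackageName mismatch")
    if apk_cert_digest not in payload.get("apkCertificateDigestSha256", []):
        problems.append("signing certificate digest mismatch")
    if not (payload.get("ctsProfileMatch") and payload.get("basicIntegrity")):
        problems.append("ctsProfileMatch/basicIntegrity not both true")
    return problems


def issue_access_token(secret, device_id, now):
    """Mint a short-lived HMAC-SHA256 token; only call after the checks pass."""
    body = _b64url_encode(json.dumps(
        {"sub": device_id, "exp": now + ACCESS_TOKEN_TTL_SECONDS}).encode())
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_access_token(secret, token, now):
    """Return the claims if the tag is valid and the token is unexpired, else None."""
    try:
        body, tag = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(_b64url_decode(body))
    return claims if claims["exp"] > now else None


def build_demo_jws(payload):
    """Constructed stand-in for an attestation: placeholder x5c and signature,
    used only so the decoding path can be exercised offline."""
    header = {"alg": "RS256", "x5c": ["PLACEHOLDER-CERT"]}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"PLACEHOLDER-SIGNATURE")])
```

The nonce store is the replay control: because `consume` deletes the nonce, presenting the same attestation twice fails on the second attempt even though every other field is still valid. In production the store would be shared state (e.g. a cache with TTL) rather than a dictionary, and the x5c/signature check must run before `decode_safetynet_payload` is trusted.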