I was checking out the documentation for the `attestKey(_:clientDataHash:completionHandler:)` method. The general idea is for our app to use these measures to assert its legitimacy with any server requests for sensitive or premium content. How often can I use `attestKey(_:clientDataHash:completionHandler:)` to generate an assertion object? Is it OK if we create this object, one for each endpoint? Like create an assertion object for premium content, for profile updates and for chat messages? There is no clear message around how many times we can generate an attestation object. There is a mention here that we do it once per user per device. Does anyone have an opinion or knowledge around this?

DesperateLearner
  • Basically, you `attestKey` once per user per app install (e.g. if you can't find the key id in the keychain), you then send that to your backend service which checks the attestation data and stores the public key; and for each sensitive request you use `generateAssertion` method which gives you a signature of the hash of your data; your backend can then check that a) the hash matches and b) the signature of the hash is from a key you attested before. – zaitsman Jun 30 '21 at 00:22
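
The flow described in the comment above, as an added Swift example that is not part of the original thread: attest a key once per install, then generate a fresh assertion for every sensitive request. `AppAttestClient`, `AttestError`, the `register` closure (your upload to the backend) and the storage key name are hypothetical, and `UserDefaults` stands in for the keychain the comment mentions.

```swift
import CryptoKit
import DeviceCheck
import Foundation

enum AttestError: Error { case unsupported, notAttested }

// Hypothetical wrapper (not from the thread): one attestation, many assertions.
final class AppAttestClient {
    private let service = DCAppAttestService.shared
    private let slot = "appattest.keyId" // assumed name; use the keychain in production

    private var storedKeyId: String? {
        get { UserDefaults.standard.string(forKey: slot) }
        set { UserDefaults.standard.set(newValue, forKey: slot) }
    }

    /// One-time step per app install. `challenge` is a single-use value issued by
    /// your server; `register` sends the key id and attestation object to your
    /// backend and throws if the backend rejects them (both are assumptions).
    func attestIfNeeded(
        challenge: Data,
        register: (_ keyId: String, _ attestation: Data) async throws -> Void
    ) async throws {
        guard service.isSupported else { throw AttestError.unsupported }
        if storedKeyId != nil { return } // already attested on this install

        let keyId = try await service.generateKey()
        let hash = Data(SHA256.hash(data: challenge))
        let attestation = try await service.attestKey(keyId, clientDataHash: hash)

        // Persist the key id only after the backend has accepted the attestation,
        // so a failed upload does not leave an unregistered key behind.
        try await register(keyId, attestation)
        storedKeyId = keyId
    }

    /// Per-request step: have the attested key sign the hash of this request's
    /// payload. Call once for each sensitive request (premium content, profile
    /// update, chat message) and send the result alongside the payload.
    func assertion(for requestBody: Data) async throws -> Data {
        guard let keyId = storedKeyId else { throw AttestError.notAttested }
        let hash = Data(SHA256.hash(data: requestBody))
        return try await service.generateAssertion(keyId, clientDataHash: hash)
    }
}
```

If `generateAssertion` fails with `DCError.invalidKey`, clear the stored key id and run the attestation step again.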

0 Answers