dreiAttest implements Apple's DeviceCheck Framework to allow you to verify that request made to your server come from an actual device. Android and Kotlin Multiplatform versions are also available. To use dreiAttest you need to run dreiAttest on your server.
Typically only certain endpoints over which sensitive data can be accessed are protected by dreiAttest. For this reason you define a base URL: requests starting with this base URL are handled by dreiAttest, while requests to other endpoints are simply forwarded to your server. For example if you define the base URL https://example.com/attested
:
- Requests to
https://example.com/login
are not handled by dreiAttest - Requests to
https://example.com/attested/profile-info
are handle by dreiAttest
You should only create a an AttestService
after the user has logged in and pass in your service's user id. dreiAttest will generate a new key every time a user logs in with a different account. Apple counts these keys for you and allows you to identify suspicious login behavior.
For more information on how dreiAttest works read the whitepaper or our blog post.
Add the following to your Podfile:
pod 'dreiAttest', :git => 'https://github.com/dreipol/dreiAttest-ios'
Run pod install
.
Add the following to your Package.swift
file:
dependencies: [
.package(url: "https://github.com/dreipol/dreiAttest-ios", .upToNextMajor(from: "1.0.0"))
]
Import dreiAttest
and Alamofire
:
import dreiAttest
import Alamofire
Once the user has logged in to your app setup the attest service:
do {
let attestService = try AttestService(baseAddress: URL(string: "https://example.com/attested")!, uid: "hello@example.com", validationLevel: .signOnly)
let session = Session(interceptor: attestService, redirectHandler: attestService)
// ...
} catch {
switch error {
case AttestError.notSupported:
// Running in a simulator, in an app extension, or on an Apple Silicon Mac.
default:
// Handle other errors
}
}
If your app doesn't use login you can also omit the uid
. In that case dreiAttest will generate an identifier that uniquely identifies the current installation for you.
You can now use the Alamofire session as you normally would.
DeviceCheck is not supported by the iOS Simulator. During development it may be useful to setup a shared secret on the server to bypass dreiAttest. You can pass this shared secret to the iOS library using the DREIATTEST_BYPASS_SECRET
environment variable or by passing it to the AttestServie
in its initializer.
To use dreiAttest toghether with other interceptors create an Interceptor
like
let interceptor = Interceptor(adapters: [], retriers: [], interceptors: [attestService, authenticationInterceptor, ...])
let session = Session(interceptor: interceptor)