App Attest - Namespace UserDefaults Key by Device for App Attest Key #11853

Closed
benedelstein opened this issue Sep 27, 2023 · 4 comments

@benedelstein

Description

If you get a new phone and transfer your apps from your previous phone, your app attest key id is persisted from the transfer. Attesting with this key id fails, because the key should be limited to 1 device. I've had this happen to countless users who get new phones.

Reinstalling the app fixes it.

This was mentioned here: #10561
see https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity#3579384

I see you're storing app attest key ids using UserDefaults in this file, which will be persisted across phone transfers and iCloud backups. You could either namespace the user defaults key using the device id or use a restricted keychain item.

This might be a bit of a breaking change, so you could migrate users from the old key location to the new one.

Reproducing the issue

1. Install app on phone with app attest App Check provider set up
2. Get a new phone, transfer data from old phone
3. Try to attest with new phone (fails)
4. Delete and reinstall app on new phone (works)

Firebase SDK Version

10.9

Xcode Version

14.3

Installation Method

Swift Package Manager

Firebase Product(s)

App Check

Targeted Platforms

iOS

Relevant Log Output

DCError.Code.invalidKey https://developer.apple.com/documentation/devicecheck/dcerror/3585177-invalidkey

@google-oss-bot

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

@andrewheard
Contributor

Hi @benedelstein, in Firebase https://github.com/firebase/firebase-ios-sdk/releases/tag/10.17.0 we're now clearing the stored key ID from UserDefaults if attestKey:clientDataHash:completionHandler: fails due to DCErrorInvalidKey (#11986 for details). This should happen the first time an app is launched after being restored on a new device, or if the key is invalid for any other reason.

I've held off on exploring using the identifierForVendor as a key prefix since this would require auditing / documentation around potential privacy implications. We did consider migrating to the keychain (#11962) but went forward with handling DCErrorInvalidKey specifically instead.

Please let me know if Firebase 10.17 resolves this issue in your app.
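
The handling described in the comment above, as an added example that is not Firebase's own code: when `attestKey` rejects a stored key ID with `DCError.invalidKey` (for instance after a device transfer), the ID is cleared from UserDefaults and a fresh key is generated. The class name, the UserDefaults key string and the single retry are assumptions of this example.

```swift
import DeviceCheck
import Foundation

// Added example, not Firebase's implementation. Names below are hypothetical.
@available(iOS 14.0, *)
final class AttestKeyStore {
    private let defaults = UserDefaults.standard
    private let storageKey = "example.appAttestKeyID" // constructed key name
    private let service = DCAppAttestService.shared

    /// Attests with the stored key ID, generating one if none is stored.
    /// A stored ID rejected with DCError.invalidKey is dropped and replaced once.
    func attest(clientDataHash: Data, allowRetry: Bool = true,
                completion: @escaping (Result<(keyID: String, attestation: Data), Error>) -> Void) {
        loadOrGenerateKeyID { result in
            switch result {
            case .failure(let error):
                completion(.failure(error))
            case .success(let keyID):
                self.service.attestKey(keyID, clientDataHash: clientDataHash) { attestation, error in
                    if let attestation = attestation {
                        return completion(.success((keyID: keyID, attestation: attestation)))
                    }
                    if let dcError = error as? DCError, dcError.code == .invalidKey {
                        // The ID was restored from another device or is otherwise unusable.
                        self.defaults.removeObject(forKey: self.storageKey)
                        if allowRetry {
                            return self.attest(clientDataHash: clientDataHash,
                                               allowRetry: false, completion: completion)
                        }
                    }
                    completion(.failure(error ?? DCError(.unknownSystemFailure)))
                }
            }
        }
    }

    /// Returns the persisted key ID, or asks the Secure Enclave for a new key and persists its ID.
    private func loadOrGenerateKeyID(_ completion: @escaping (Result<String, Error>) -> Void) {
        if let stored = defaults.string(forKey: storageKey) {
            return completion(.success(stored))
        }
        service.generateKey { keyID, error in
            guard let keyID = keyID else {
                return completion(.failure(error ?? DCError(.unknownSystemFailure)))
            }
            self.defaults.set(keyID, forKey: self.storageKey)
            completion(.success(keyID))
        }
    }
}
```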

@google-oss-bot

Hey @benedelstein. We need more information to resolve this issue but there hasn't been an update in 5 weekdays. I'm marking the issue as stale and if there are no new updates in the next 5 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

@google-oss-bot

Since there haven't been any recent updates here, I am going to close this issue.

@benedelstein if you're still experiencing this problem and want to continue the discussion just leave a comment here and we are happy to re-open this.

@firebase firebase locked and limited conversation to collaborators Dec 16, 2023