Does Approov Work with Apple AppAttest?

Yes. Approov is compatible with Apple App Attest, and Approov can use App Attest as an additional iOS attestation signal alongside Approov’s own app and runtime protections.

Apple App Attest is part of Apple’s DeviceCheck framework. It helps an app prove to a backend that it is a valid instance of the app running on an Apple device. The app creates a cryptographic key on the device, Apple attests to the validity of that key, and the backend verifies the attestation result before trusting the client. Apple positions App Attest as a way for servers to more confidently provide access to sensitive resources from legitimate app instances. 

That makes AppAttest a useful hardware-backed signal for iOS apps, but it can have some key limitations. In addition, App Attest can add backend complexity: your app and server need to manage challenges, attestations, assertions, key identifiers, Apple validation, environment configuration, and replay protection. Apple’s own server-side guidance describes this challenge-and-response model, including the need for a unique one-time challenge from the server.

Approov can simplify this and make your app more secure by integrating AppAttest into the Approov attestation flow.
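For a sense of the replay-protection state a backend keeps when it implements App Attest validation directly, the following added example (not Approov's or Apple's code) tracks single-use, expiring challenges and a per-key assertion counter that must strictly increase. The class names, the 60-second lifetime and the session and key identifiers are assumptions, and verification of the attestation and assertion signatures is not shown.

```python
import hmac
import secrets
import time


class ChallengeStore:
    """One-time challenges keyed by a caller-chosen session id (assumed)."""

    def __init__(self, ttl=60.0, clock=time.monotonic):  # 60 s is an assumption
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # session_id -> (challenge, expiry)

    def issue(self, session_id):
        """Return a fresh random challenge, replacing any outstanding one."""
        challenge = secrets.token_bytes(32)
        self._pending[session_id] = (challenge, self._clock() + self._ttl)
        return challenge

    def consume(self, session_id, presented):
        """Accept a challenge at most once, and only before it expires."""
        # pop() burns the challenge on every attempt, valid or not, so it
        # cannot be replayed or probed repeatedly.
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return False
        challenge, expiry = entry
        if self._clock() > expiry:
            return False
        return hmac.compare_digest(challenge, presented)


class KeyCounters:
    """Last assertion counter seen per App Attest key identifier."""

    def __init__(self):
        self._last = {}  # key_id -> last accepted counter

    def register(self, key_id):
        """Call after a successful attestation; the counter starts at 0."""
        self._last[key_id] = 0

    def accept(self, key_id, counter):
        """Accept only a known key with a strictly increasing counter."""
        last = self._last.get(key_id)
        if last is None or counter <= last:
            return False  # unknown key, or a repeated or stale assertion
        self._last[key_id] = counter
        return True
```

In a multi-server deployment both stores would live in shared storage with atomic updates, otherwise two servers could each accept the same challenge or counter value.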

How Approov works with AppAttest

When the Approov App Attest integration is enabled, the Approov SDK requires the iOS device to perform a valid Apple AppAttest attestation in addition to Approov’s other checks. Approov includes the server-side AppAttest integration, so your backend does not need to implement Apple’s App Attest validation flow directly. If the App Attest checks fail, Approov does not generate valid Approov tokens for that iOS device.

Approov also performs App Attest assertion checks on subsequent Approov fetches from the device. These assertions use keys held in the device’s Secure Enclave, helping confirm that later requests are still coming from the same device that passed the original AppAttest attestation.

In other words, AppAttest becomes one of the signals Approov can enforce before issuing valid Approov tokens to your app.

Why use Approov with AppAttest?

AppAttest is a strong Apple platform feature, but it is iOS-specific and does not replace broader mobile app protection. Approov adds a cross-platform attestation layer that can also evaluate the app, runtime environment, and request context before your backend accepts API traffic. In our related article, we explain why relying only on Apple DeviceCheck or App Attest may not be enough against advanced attacks such as instrumentation, token harvesting, replay, and device-farm abuse.

Using Approov with AppAttest gives iOS teams a way to combine Apple’s hardware-backed attestation signal with Approov’s broader mobile API protection model.

What developers need to know

There are a few important implementation notes:

App Attest is supported from iOS 14. Devices running earlier iOS versions, or devices without suitable hardware support such as simulators, will not be protected by App Attest. Approov’s documentation notes that teams supporting older iOS versions may want to consider Apple DeviceCheck as well as, or instead of, App Attest. Approov also integrates with DeviceCheck, which is covered in the Approov documentation.

To use App Attest in production, Apple requires the AppAttest capability and entitlement to be configured for the app. Approov’s documentation walks through the required Apple configuration and the Approov CLI steps, including adding the Apple Team ID, checking AppAttest status, controlling assertion rate, rate-limiting new attestations, and optionally adding Apple fraud lookups.

How to enable it

To enable AppAttest and Approov together, you will need to follow these steps:

  1. Configure App Attest for your iOS app in your Apple developer account.
  2. Add the App Attest entitlement to the app.
  3. Register the appropriate app and Apple Team ID with Approov.
  4. Enable App Attest in Approov using the documented CLI flow.
  5. Monitor App Attest status flags and tune assertion or rate-limit settings as needed.

For the full implementation steps, follow the Approov Apple AppAttest Integration documentation. It covers the required Apple setup, Approov CLI commands, status flags, assertion rate controls, attestation rate limiting, and optional fraud lookup configuration.