Notarization vs. Attestation: A Security Perspective
A Comparison of Pre-Distribution and Runtime Security: Why Continuous Attestation is the Non-Negotiable Defense Against Agentic AI Threats
Notarization vs. Attestation: A Security Perspective
Defining the Two Mechanisms
These are fundamentally different in when and what they verify.
Notarization is a pre-distribution, supply-chain integrity check. Notarization is a procedure that guarantees apps are secure and devoid of harmful content before users download them. It entails a comprehensive review by a reliable party — typically the OS developer — to confirm the legitimacy and integrity of an application. On Apple platforms, notarization is a review focused on platform policies for security and privacy to maintain device integrity, using a combination of automated checks and human review. Think of it as a passport control at the border — it checks your credentials once before you enter.
Attestation is a continuous runtime verification mechanism. App attestation is a runtime technique used to provide proof that an app is truly authentic and running in a trusted device. It uses a combination of measurements made on the client but checked by a remote attestation server. It is a mechanism used in modern mobile security architectures to cryptographically prove that a mobile application instance is genuine, unaltered, and operating in a trusted environment. It establishes a runtime trust boundary by enabling an app to generate platform- or hardware-backed signed statements (attestation tokens) that validate its identity, integrity, and context to remote servers or backend APIs.
In short: notarization secures the distribution pipeline, while attestation secures every API call at runtime.
How They Differ Structurally
|
Dimension |
Notarization |
Attestation |
|
Timing |
Pre-distribution, one-time |
Continuous, per-session or per-request |
|
Enforcement point |
App store / distribution channel |
Backend API server |
|
What it checks |
Binary integrity, malware, policy compliance |
Device health, app tamper state, runtime environment |
|
Cryptographic chain |
Code signing + ticket stapling |
Cryptographic hash fingerprint of executing code, and optional TEE/Secure Enclave-backed tokens |
|
Defeats |
Malware-laced builds, sideloaded trojans |
Cloned apps, bots, emulators, modified apps |
|
Visibility to attacker |
Opaque (server-side decision) |
Partially opaque (client measures, server decides) |
Unlike client-side protection, mobile app attestation logic is executed on the server, resulting in enforcement that is opaque to attackers. It gives you greater control to instantly change security policies that evaluate the app environment.
The Agentic AI Threat — Why This Changes Everything
This is where the stakes have dramatically escalated. LexisNexis Risk Solutions’ 2026 Cybercrime Report documents a 450% rise in traffic from AI agents in 2025. Unlike traditional automated scripts, AI agents can impersonate people and mimic human actions — such as natural cursor movements across a login screen — with a high degree of credibility. The volume of malicious bot attacks grew 59% globally.
The security model shift is profound. The new agentic AI bots are fundamentally different from legacy bots. Modern AI agents dynamically author and adapt attack code, solving logic challenges and mimicking human behavior with high accuracy. They can generate synthetic install IDs and fingerprints with such fidelity that traditional probabilistic Web Application Firewalls (WAFs) struggle to distinguish them from real users.
The core of the problem is that our defenses have relied on probabilistic signals. Behavioral, network, and fingerprint data provide value, but their efficacy as primary controls is rapidly eroding. The new reality forces a critical shift: instead of asking "Is this a bot?" we must ask "Is this behavior legitimate?" — and demand cryptographic evidence of legitimacy.
This is the crucial insight: notarization is essentially blind to agentic threats, because an agentic attacker doesn't distribute malware — they call your APIs directly from a legitimate-looking environment. Attestation is the more relevant control here, but even it faces pressure: agentic AI attackers run adaptive campaigns — they observe the defense, adjust strategy, and try again. They probe classification boundaries systematically, sending sessions designed to look legitimate and observing what passes. Session-to-session learning means what one session discovers about your defense posture informs the next session's strategy.
Scraping Bots and General API Fraud
For scraping and API abuse, attestation is clearly superior. Traditional approaches like API tokens may seem fine until your backend gets flooded with fake requests from cloned apps, bots, or emulators. App attestation uses a series of integrity tests and measurements to verify an app's integrity. Once integrity is proved, a cryptographic token is provided and shared with backend servers for verification. A range of threats can be blocked including data tampering, unsafe URLs, fake users, and harmful applications.
Notarization does nothing against a sophisticated scraper who simply runs your legitimate, properly-notarized app in an emulator or intercepts its API traffic.
Industry-Specific Recommendations
Healthcare (Highest Priority — PII + PHI + HIPAA)
Electronic health record and telemedicine systems utilize attestation to verify that medical apps accessing sensitive patient data are both authentic and unaltered, thereby supporting privacy, clinical integrity, and regulatory compliance. App attestation ensures that only verified and uncompromised mobile health applications can access backend systems, safeguarding patient information from unauthorized access. By continuously validating app integrity and authenticity in real time, it helps healthcare organizations comply with stringent regulations like HIPAA, reducing the risk of non-compliance penalties.
Recommendation: Runtime attestation (continuous) is non-negotiable. Notarization is table stakes for distribution but insufficient alone. Layer device attestation (Play Integrity / Apple Device Check) plus app-level attestation (Approov, Promon, or equivalent) with backend enforcement.
Fintech (High Priority — transactions, PII, regulatory exposure)
Financial institutions leverage attestation to ensure only legitimate app instances initiate and approve sensitive actions such as transfers, wire instructions, or mobile payments. Attestation-protected endpoints block requests from cloned or tampered banking apps. A fintech app offering referral bonuses can have bots reverse-engineer the API and simulate activity in emulators, flooding the backend and inflating costs and fraud exposure.
Recommendation: Strong app attestation with transaction-level token binding, combined with behavioral analytics as a secondary layer. Notarization alone is trivially bypassed by emulator-based fraud rings — cryptographic proof of device+app integrity is required at the API call level.
Automotive (Emerging Priority — telematics, OTA updates, connected services)
This sector faces a unique threat profile. Automotive apps often control physical systems (remote start, unlock, OTA firmware triggers). A compromised or cloned app calling a vehicle API is not just a data breach — it's a physical safety risk. Both notarization (ensuring no tampered builds reach the fleet update pipeline) and continuous attestation (verifying every telematics API call originates from a genuine, unmodified app on a legitimate device) are critical here. The attack surface extends to third-party service integrations where agentic bots could systematically enumerate VINs, scrape telematics data, or probe for unlock/OTA endpoints.
Recommendation: Defense-in-depth is mandatory. Notarization for supply chain integrity of OTA updates, plus continuous hardware-backed attestation for any API call that touches vehicle state. Certificate pinning and mutual TLS add additional layers.
The Definitive Stack for Maximum Security
Given the agentic AI threat landscape, the strongest posture combines both mechanisms plus additional controls:
- Notarization — secures the build/distribution pipeline, ensures no tampered binaries reach users
- Device attestation (Play Integrity API / Apple DeviceCheck) — confirms the device OS hasn't been compromised, no root/jailbreak
- App attestation (runtime, server-enforced) — cryptographic proof per-request that the app is genuine and unmodified
- Behavioral analytics — secondary layer to catch anomalies even when cryptographic signals pass
- Zero-trust API architecture — treat every request as potentially adversarial regardless of source
Device attestation keeps the foundation solid, while app attestation ensures no impostors slip through. If you want to lock things down, use them together.
The bottom line for healthcare, fintech, and automotive: notarization is necessary but never sufficient. Continuous, server-side runtime attestation with hardware-backed cryptographic proof is the only mechanism robust enough against the current generation of agentic AI adversaries — because behavioral mimicry can defeat probabilistic defenses, but it cannot forge a signed token from Apple's Secure Enclave or Android's TEE.