AppCheck with AppAttest getToken producing occasional com.apple.devicecheck.error Code=2

[mattpis-cgi]

Description

Background:

We have rolled out app check to prod over a month ago and we use appcheck to secure our back end.
We dont use it in combination with other firebase frameworks. Our application min iOS version is 15.0. Firebase version is 10.6
For most of our users, AppCheck get token succeeds. We are experiencing issues with small number of users, approximately 10-5%.

Issues:

1: Most of our getToken failures result with error:

error Domain=com.apple.devicecheck.error Code=2 

This error is produced by apples attestation API. Apple docs about error:
https://developer.apple.com/documentation/devicecheck/dcerror/code/invalidinput

Description says:

An error code that indicates when your app provides data that isn’t formatted correctly.

2. Occasionally we receive:

 Error Domain=com.apple.devicecheck.error Code=3 

This error is also produced by apples attestation API. Apple docs about error:
https://developer.apple.com/documentation/devicecheck/dcerror/code/invalidkey
Description says:

You receive this error if something goes wrong with generating, retrieving, or using an App Attest cryptographic key, when:
- we attestKey
- we generateAssertion
- app Attest service rejects the key.

Investigation:

We did try to reproduce with no luck on multiple devices. We tried:

• change region, time and date.
• multiple iOS versions.
• use iCloud keychain storage to retain its data between installations, since framework uses it as a storage.

Non of the above did not help in reproducing the issue.

We are looking for clues and we ask for help to solve this.

Reproducing the issue

Hard to reproduce. We failed to reproduce it.

Firebase SDK Version

10.1

Xcode Version

14.1

Installation Method

Zip

Firebase Product(s)

App Check

Targeted Platforms

iOS

Relevant Log Output

No response

If using Swift Package Manager, the project's Package.resolved

Expand Package.resolved snippet

Replace this line with the contents of your Package.resolved.

If using CocoaPods, the project's Podfile.lock

Expand Podfile.lock snippet

Replace this line with the contents of your Podfile.lock!

[google-oss-bot]

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

[ncooke3]

Hi @mattpis-cgi, thanks for reporting and sorry for the trouble.

Have you tried reproducing when re-installing the app on a different device?

So something like:

1. install app on device 1 while logged into an iCloud account
2. run the app and confirm an app check token is successfully created/used
3. now, install app on device 2 and log into the same iCloud account
4. run the app and confirm an app check token is successfully created/used

This could help rule out that users re-installing your app on a new device aren't the ones affected.

[mattpis-cgi]

Hi @ncooke3,
thank you for your response and help.
I have tested above scenario multiple times, I did not reproduce an issue.

On top of that I also re-do those tests with keychain sharing to iCloud account enabled. We are able to see that before our attestation attempt Keychain data is present from different device.. This is not casing the issue and we are able to getToken from appcheck.

It seems you guys protect against a keyId having been generated from a previous install of the app or other device.

You said:

This could help rule out that users re-installing your app on a new device aren't the ones affected.

How would the new device installation affect the success/failure of attestation ?

What could be the next steps in reproducing / solving this issue?

Would updating to newest framework fix it? (won't hurt)

[newbstudent]

Having sudden issues with AppCheck myself....I posted this on stackoverflow, reposting here incase it is of any assistance

---

AppCheck suddenly sending invalid tokens for legitimate iOS app instances for Firebase requests

Losing my mind here because the app was working great before my testers and I took a few weeks off of beta testing and now we're testing again and the app is failing and it is tied to AppCheck. Forget exact dates but say worked for all of April and not now, May 12-18 we started trying to test again with minor code updates for the UI, no changes at all to do with AppCheck. If I set AppCheck to UNenforced in the Firebase console, everything works perfectly and I see the "Unverified: Invalid requests" coming in from SOME of my app instances while others are still sending proper verified requests. All the same version of the app (as in exact same build number in TestFlight).

Was using Firebase iOS SDK 10.3.0 when things were working, when things started failing tried updating to latest version (10.9.0) with no resolution.

Using AppAttest as the attestation provider (NOT using DeviceCheck)

Scenario where AppCheck IS still working correctly:

release mode:

Three of my personal devices that are registered to my Apple Developer account are all working (i.e. verified requests) when running the app build distributed via Test Flight (i.e. release mode)

• iOS 15.6, 15.7.* & iOS 16 (16.1 up to 16.4.1 (a) and all versions in between)

• I was using registered debug tokens for these devices during development (with AppCheck set to enforce) when I was running debug builds but have since deleted these tokens, as in there are no registered debug tokens at all.

debug mode:

Registering debug tokens still works for debug builds but of course this isn't likely relevant to my problem

Scenario where AppCheck is NOT working correctly anymore:

Any release mode app instance running on my testers' devices, distributed via TestFlight. Testers were using iOS 16.4 (when things were working), now they are on 16.4.1 and 16.4.1 (a) . I do NOT think it is the iOS version though since my personal devices running 16.4.1 and 16.4.1 (a) are just fine.

So did something change on Apple's end? Firebase's end? Something to do with my personal devices being registered to my Apple Developer account??? Something to do with previously using debug tokens for these devices even though they are deleted now? I don't see a large number of posts about App Attest or App Check failing and imagine if this was a widespread issue it would be all over the place, or am I one of the few people using it???

Fortunately I can still test and publish the app with AppCheck unenforced since I have extensive Firebase security rules in place to protect all user data (which is end to end encrypted anyway) but would still run the risk of an authenticated user hammering the server and bankrupting the company, so ok risk in the short term but need to get it sorted in next few months.

Have tried having testers delete the app, reinstall from TestFlight, no luck. Creating a new build and uploading it to TestFlight to see if that resolved it when everyone updated, no luck.

[mattpis-cgi]

@newbstudent please share stack overflow link.

[newbstudent]

@newbstudent please share stack overflow link.

it was downvoted and closed since I wasn’t asking a specific coding question, so no useful replies there, but here it is:

https://stackoverflow.com/questions/76285673/appcheck-suddenly-sending-invalid-tokens-for-legitimate-ios-app-instances-for-fi

I’ve given up for now on using AppCheck and figuring out the issue, will deploy app without enforcing and just hope it resolves itself. I’ll notice if it’s working again due to appcheck monitor mode statistics. Only backend protection I have is all of my Firestore and Storage security rules require an authenticated user as a minimum requirement.

[ian-sayles]

I had issues with AppCheck not working earlier this year, #10561

Did like @newbstudent and switched it off, not ideal, but it does not look when good when user install your app and its broken from day one.

[marcinreliga]

I am facing similar issues as mentioned above. Specifically I get some percentage of users that are failing this call:

AppCheck.appCheck().token(forcingRefresh: forcingRefresh) { [weak self] result, error in
    ...
}

with the following error:

com.firebase.appCheck Code=0 (and underlying error from Apple: com.apple.devicecheck.error Code=2)

Most of those users were able to get the token at least once, at some point in the past. I store those tokens locally, so I'm able to log their expiration date, and in many cases they expired months ago. That would mean that AppCheck.appCheck().token(...) is failing for those users repeatedly since then.

I have found a way to reproduce the com.apple.devicecheck.error Code=2, however only by using the DCAppAttestService directly (not via Firebase AppCheck). It happens in the following scenario:

1. Generate the key (DCAppAttestService.shared.generateKey(...) and store the keyID in the keychain.
2. Attest the key (DCAppAttestService.shared.attestKey(...)). <-- works fine at this point
3. Delete the app and install it again.
4. Attest the key again, using the key that was generated for the previous app installation.

In the above scenario the fix that works for me is to generate the key once again, for the current app installation, and then use that new key for attestation.

I wonder if the same error (but via Firebase AppCheck) might be caused by the same (or similar) scenario? And if so, how to make it work?

[neugartf]

Hey @ncooke3!
Is this being checked on? 🙇