Is Attestation All We Need? Fooling Apple's AppAttest API

Offered By: Hack In The Box Security Conference via YouTube

Course Description

Overview

Explore the intricacies of Apple's AppAttest API and its vulnerabilities in this Hack In The Box Security Conference talk. Delve into the technology from a reverse engineering perspective, examining weak implementations and bottlenecks that allow for easy bypassing of security checks. Gain insights into proper usage techniques for software developers, and understand the limitations and benefits of this anti-tampering solution. Learn about client-side protections, resource integrity checks, and various bypass scenarios. Discover the speaker's background in information security, covering areas such as bug hunting, penetration testing, and red team operations. Analyze the validation steps, risk metrics, and assertion object verification process involved in AppAttest API implementation. Consider the implications for iOS versions and evaluate whether this technology should be implemented in your projects.

Syllabus

Intro
Igor's background
Agenda
Coverage
Client-side protections
What is tampering?
Anti-tampering methods
Resource integrity check
Trust
AppAttest API
Sample app
Generate initial key
Generate hash value
TestKey function
Apple's server
AppAttest object
Validation steps
Risk metric
Assertion object
Verification
Assertion object validation
Does it mean we are protected?
Not clear acceptance
Possible hooking/patching
Bypass scenarios
Bypass scenario 1
Bypass scenario 2
iOS versions
Validation
Benefits
Limitations
Should you implement it?
Caveats
In conclusion
Resources
Thank you

Taught by

Hack In The Box Security Conference
