WWDC26 · 20 min · App Services / App Store, Distribution & Marketing / Business & Education / Privacy & Security

Secure your apps with App Attest

Harness App Attest to protect your app from unauthorized modification and fraud. Uncover how attackers exploit modified apps to spoof data and bypass security checks, and how App Attest defends against these threats. Learn to generate and manage App Attest keys bound to the Secure Enclave, validate attestations and assertions, and use the fraud metric to detect abuse. Discover best practices across all Apple platforms, including new signals in iOS 27 to strengthen your validation.

Watch at developer.apple.com ↗

Transcript all transcripts

Chapters

0:00 — Introduction
1:35 — Protections
4:04 — Availability
5:02 — Key generation
6:12 — Attestation
12:10 — Assertion
14:58 — Common pitfalls
16:27 — Fraud metric
19:07 — Next steps

Code shown on screen · 3 snippets

Generate a Secure Enclave–bound key swift · at 5:07 ↗

import DeviceCheck

let keyID = try await DCAppAttestService.shared.generateKey()

Attestation API swift · at 6:32 ↗

import DeviceCheck

let keyId: String = ...
let clientDataHash: Data = ...
let attestation = try await DCAppAttestService.shared.attestKey(keyId: keyId, clientDataHash: clientDataHash)

Assertion API swift · at 12:33 ↗

import DeviceCheck

let keyId: String = ...
let clientDataHash: Data = ...
let assertion = try await DCAppAttestService.shared.generateAssertion(keyId: String, clientDataHash: Data)

Resources

Documentation W3C Authenticator Data
Documentation About System Integrity Protection on your Mac
Documentation DeviceCheck