
GoogleAuthUtil like device authentication for iOS to verify that requests originate from an Apple device

Google Auth Util lets Android developers verify that the requests their servers receive come from an Android device.

The device gets a token from Google based on the Google account associated with the device, then the requests from the device are sent with that token to the server, where the server then asks Google if the token is valid. Any keys are kept out of the app source, so malicious folks cannot crack the app and access private keys and fudge requests to the server.

I've looked for a while and it seems Apple doesn't offer anything like this but I was hoping there was something functionally similar I could use for iOS.

Yerk asked Sep 16 '14 21:09


1 Answer

Update

While the implicit assumption in the question seems reasonable, it is not actually true. Further readings of the Google sources reveal that the purpose of the Auth Util (and later Firebase) is to authenticate the user and secure the server. Given that the server only sees network traffic, it's possible to replicate the traffic from another client.

In addition, the definition of Android is fairly blurry, as OEMs modify the base OS to suit their needs.

This is likely wrong

One option is to use the Apple Push Notification. You can register a device and push notifications specifically to it. When your app loads, it sends a request to the server with its device token and receives what is essentially a session cookie via the APN.

One caveat is that it is not encrypted. You can easily solve this by sending a randomly generated symmetric key in the request. The cookie you get would be encrypted on the server and decrypted using the same key in the iOS device.

This solves the issue of storing keys in the source and proves the requests came from an iOS device.

Of course, this can be simplified by generating a certificate, storing it in the keychain and sending the private key to the server for storage during registration. After the initial registration and validation using APN, subsequent messages can be signed using the device id + certificate public key.

One last issue is that APN can also be used to register OSX devices. I haven't been able to figure out how to exclude those (yet).

Disclaimer: It's been a long day of writing specs. I'm reasonably comfortable with the mechanism of initially registering the iOS device using APN. I may have gotten the encryption parts wrong. If so, comment gently, please.

Roy Falk answered Nov 19 '22 22:11
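
An added example, not part of the answer above: the register-then-sign flow it describes, seen from the server, with the push channel simulated by a dictionary and HMAC-SHA256 keyed with the pushed secret standing in for the answer's encryption and certificate steps. `Server`, `sign`, `demo`, `MAX_AGE` and the token values are hypothetical names and constructed samples.

```python
import hashlib
import hmac
import secrets

MAX_AGE = 300  # seconds a signed request stays acceptable (assumed policy)

def sign(secret, token, body, nonce, ts):
    """HMAC-SHA256 over length-prefixed fields so they cannot run together."""
    parts = [token.encode(), nonce.encode(), str(ts).encode(), body]
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(secret, msg, hashlib.sha256).digest()

class Server:  # hypothetical server, not a real APNs client
    def __init__(self):
        self.keys = {}       # push token -> session secret
        self.nonces = set()  # (token, nonce) pairs already accepted

    def register(self, token, push_inbox):
        """Issue a secret and deliver it only through the push channel."""
        self.keys[token] = secrets.token_bytes(32)
        push_inbox[token] = self.keys[token]  # simulated push delivery

    def verify(self, token, body, nonce, ts, tag, now):
        secret = self.keys.get(token)
        if secret is None or abs(now - ts) > MAX_AGE:
            return False  # unregistered token or stale timestamp
        if (token, nonce) in self.nonces:
            return False  # replay of an already accepted request
        if not hmac.compare_digest(sign(secret, token, body, nonce, ts), tag):
            return False  # body or metadata does not match the tag
        self.nonces.add((token, nonce))
        return True

def demo():
    server, inbox = Server(), {}
    token = "constructed-push-token-01"  # constructed sample value
    server.register(token, inbox)
    key, ts, body = inbox[token], 1_700_000_000, b'{"action":"ping"}'
    tag = sign(key, token, body, "n1", ts)
    fresh = sign(key, token, body, "n3", ts)
    return {
        # Accepted: proves the sender holds the pushed secret, nothing more;
        # the server still cannot tell what hardware or OS that sender runs.
        "genuine": server.verify(token, body, "n1", ts, tag, ts),
        "replayed": server.verify(token, body, "n1", ts, tag, ts),
        "tampered": server.verify(token, b'{"action":"admin"}', "n2", ts, tag, ts),
        "stale": server.verify(token, body, "n3", ts, fresh, ts + 3600),
        "unknown": server.verify("other-token", body, "n4", ts, tag, ts),
    }
```
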