
Verify backend calls from iOS app

I am trying to find an equivalent of this Android verification but for iOS.

Initially posted in a blog post but now incorporated into the main Android documentation, the verification lets you know 3 things:

  1. The token was issued by Google.
  2. The token was sent to a device that was being operated by the person identified in the payload's email field.
  3. The token was obtained by the Android app identified by the Client ID in the payload’s azp field.

The key point is that:

GoogleAuthUtil will observe that the Android app and the web client ID are in the same project, and without user approval, return an ID token to the app, signed by Google.

Therefore, I am able to verify backend calls, without disrupting the user.

Is there something similar for iOS from Apple, where I can get an ID token signed by Apple when Apple observes that the iOS app and the web client ID?

I have found an SO question trying to find something similar, but I am hoping for a simpler solution. That question was more than a year ago, so I am hoping there may be a better answer, possibly with the new CloudKit web services.

yet another programmer asked Aug 02 '15 04:08



1 Answer

Luckily I've come across this thread on stackexchange where the user Iwaz left a comment.

Iwaz is pointing at Apple's DeviceCheck Framework, which can be used to verify whether a call to your API comes from an actual installation of your iPhone app.

According to the docs it works as follows:

  1. Get the current DCDevice by calling DCDevice's currentDevice method.
  2. From that DCDevice, call its generateTokenWithCompletionHandler method to obtain a token.
  3. Send that token along with your other data when making requests to your API.
  4. In your API server code, call Apple's API by providing the token to validate it as described here.
Christian answered Sep 19 '22 12:09
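The server side of step 4, as an added example in Go that is not part of the answer above or of Apple's own documentation: it builds the ES256-signed bearer JWT Apple requires on every DeviceCheck call, the validate_device_token body, and the HTTP request, and maps Apple's HTTP status onto an accept/reject decision. The endpoint URL and the header and body field names follow Apple's published DeviceCheck server API as I know it; the team ID and key ID are placeholders, and the ephemeral P-256 key generated by newSigningKey stands in for the .p8 DeviceCheck key you would download from your developer account and load with x509.ParsePKCS8PrivateKey. The app sends the token from step 3 base64-encoded, which is what the device_token field carries.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"time"
)

// Production endpoint of Apple's DeviceCheck server API.
const validateURL = "https://api.devicecheck.apple.com/v1/validate_device_token"

// newSigningKey makes an ephemeral P-256 key that stands in for the .p8 DeviceCheck
// key (load the real one with x509.ParsePKCS8PrivateKey; no real credentials here).
func newSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signES256JWT builds the bearer token Apple requires on every DeviceCheck call:
// header {"alg":"ES256","kid":<key ID>}, claims {"iss":<team ID>,"iat":<now>}.
func signES256JWT(key *ecdsa.PrivateKey, keyID, teamID string, issuedAt time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": keyID})
	claims, _ := json.Marshal(map[string]interface{}{"iss": teamID, "iat": issuedAt.Unix()})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JOSE wants raw R||S, 32 bytes each, not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64url(sig), nil
}

// ValidateRequest is the JSON body of validate_device_token.
type ValidateRequest struct {
	DeviceToken   string `json:"device_token"`   // base64 token the app got from DCDevice
	TransactionID string `json:"transaction_id"` // unique per request
	Timestamp     int64  `json:"timestamp"`      // milliseconds since the Unix epoch
}

// newValidateRequest rejects malformed client input before spending a round
// trip to Apple; the token is opaque to us but must at least be base64.
func newValidateRequest(deviceToken string, now time.Time) (ValidateRequest, error) {
	if _, err := base64.StdEncoding.DecodeString(deviceToken); err != nil || deviceToken == "" {
		return ValidateRequest{}, errors.New("device token is not a base64 string")
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return ValidateRequest{}, err
	}
	return ValidateRequest{deviceToken, fmt.Sprintf("%x", id), now.UnixNano() / int64(time.Millisecond)}, nil
}

// buildAppleRequest is step 4 of the answer as an *http.Request ready for
// client.Do; kept separate so headers and body can be inspected offline.
func buildAppleRequest(bearer string, req ValidateRequest) (*http.Request, error) {
	body, _ := json.Marshal(req) // plain strings and an int64 cannot fail to marshal
	httpReq, err := http.NewRequest(http.MethodPost, validateURL, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	httpReq.Header.Set("Authorization", "Bearer "+bearer)
	httpReq.Header.Set("Content-Type", "application/json")
	return httpReq, nil
}

// interpretStatus: only 200 means Apple minted the token for a real install. 400 is a
// token Apple does not recognise (reject the client); 401 means our own bearer JWT is
// wrong, a server misconfiguration that must never fail open.
func interpretStatus(code int) (bool, error) {
	switch code {
	case http.StatusOK:
		return true, nil
	case http.StatusBadRequest:
		return false, nil
	case http.StatusUnauthorized:
		return false, errors.New("devicecheck: bearer JWT rejected; check team ID, key ID and key")
	}
	return false, fmt.Errorf("devicecheck: unexpected status %d", code)
}

func main() {
	key, _ := newSigningKey()
	bearer, _ := signES256JWT(key, "KEYID_PLACEHOLDER", "TEAMID_PLACEHOLDER", time.Now())
	// Constructed stand-in for the token the iOS app would send in step 3.
	req, _ := newValidateRequest(base64.StdEncoding.EncodeToString([]byte("constructed token")), time.Now())
	httpReq, _ := buildAppleRequest(bearer, req)
	fmt.Println(httpReq.Method, httpReq.URL, "Authorization:", httpReq.Header.Get("Authorization"))
	// With real credentials: resp, _ := http.DefaultClient.Do(httpReq); ok, err := interpretStatus(resp.StatusCode)
}
```

The split between buildAppleRequest and interpretStatus is deliberate: the decision logic is testable without network, and it keeps the two failure classes apart. A 400 is Apple saying the token is not one it issued, so the client is rejected; a 401 is Apple saying your server's JWT is bad, and that must surface as an error rather than quietly letting requests through.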