Name: Device Integrity
Author: Dpearson2699
Install
Terminal · npx
$npx skills add https://github.com/vercel-labs/agent-skills --skill vercel-react-native-skills
Works with Paperclip
How Device Integrity fits into a Paperclip company.

Device Integrity drops into any Paperclip agent that handles this kind of work. Assign it to a specialist inside a pre-configured PaperclipOrg company and the skill becomes available on every heartbeat — no prompt engineering, no tool wiring.
SaaS FactoryPaired
Pre-configured AI company — 18 agents, 18 skills, one-time purchase.
$27$59
Explore pack
Source file
SKILL.md363 linesmarkdown
Expand
1---2name: device-integrity3description: "Verify device legitimacy and app integrity using DeviceCheck (DCDevice per-device bits) and App Attest (DCAppAttestService key generation, attestation, and assertion flows). Use when implementing fraud prevention, detecting compromised devices, validating app authenticity with Apple's servers, protecting sensitive API endpoints with attested requests, or adding device verification to a backend architecture."4---5 6# Device Integrity7 8Verify that requests to your server come from a genuine Apple device running9your unmodified app. DeviceCheck provides per-device bits for simple flags10(e.g., "claimed promo offer"). App Attest uses Secure Enclave keys and Apple11attestation to cryptographically prove app legitimacy on each request.12 13## Contents14 15- [DCDevice (DeviceCheck Tokens)](#dcdevice-devicecheck-tokens)16- [DCAppAttestService (App Attest)](#dcappattestservice-app-attest)17- [App Attest Key Generation](#app-attest-key-generation)18- [App Attest Attestation Flow](#app-attest-attestation-flow)19- [App Attest Assertion Flow](#app-attest-assertion-flow)20- [Server Verification Guidance](#server-verification-guidance)21- [Error Handling](#error-handling)22- [Common Patterns](#common-patterns)23- [Common Mistakes](#common-mistakes)24- [Review Checklist](#review-checklist)25- [References](#references)26 27## DCDevice (DeviceCheck Tokens)28 29[`DCDevice`](https://sosumi.ai/documentation/devicecheck/dcdevice) generates a30unique, ephemeral token that identifies a device. The token is sent to your31server, which then communicates with Apple's servers to read or set two32per-device bits. Available on iOS 11+.33 34### Token Generation35 36```swift37import DeviceCheck38 39func generateDeviceToken() async throws -> Data {40    guard DCDevice.current.isSupported else {41        throw DeviceIntegrityError.deviceCheckUnsupported42    }43 44    return try await DCDevice.current.generateToken()45}46```47 48### Sending the Token to Your Server49 50```swift51func sendTokenToServer(_ token: Data) async throws {52    let tokenString = token.base64EncodedString()53 54    var request = URLRequest(url: serverURL.appending(path: "verify-device"))55    request.httpMethod = "POST"56    request.setValue("application/json", forHTTPHeaderField: "Content-Type")57    request.httpBody = try JSONEncoder().encode(["device_token": tokenString])58 59    let (_, response) = try await URLSession.shared.data(for: request)60    guard let httpResponse = response as? HTTPURLResponse,61          httpResponse.statusCode == 200 else {62        throw DeviceIntegrityError.serverVerificationFailed63    }64}65```66 67### Server-Side Overview68 69Your server uses the device token to call Apple's DeviceCheck API endpoints:70 71| Endpoint | Purpose |72|----------|---------|73| `https://api.devicecheck.apple.com/v1/query_two_bits` | Read the two bits for a device |74| `https://api.devicecheck.apple.com/v1/update_two_bits` | Set the two bits for a device |75| `https://api.devicecheck.apple.com/v1/validate_device_token` | Validate a device token without reading bits |76 77The server authenticates with a DeviceCheck private key from the Apple Developer78portal, creating a signed JWT for each request.79 80### What the Two Bits Are For81 82Apple stores two Boolean values per device per developer team. You decide what83they mean. Common uses:84 85- **Bit 0:** Device has claimed a promotional offer.86- **Bit 1:** Device has been flagged for fraud.87 88Bits persist across app reinstall. You control when to reset them via the89server API.90 91## DCAppAttestService (App Attest)92 93[`DCAppAttestService`](https://sosumi.ai/documentation/devicecheck/dcappattestservice)94validates that a specific instance of your app on a specific device is95legitimate. It uses a hardware-backed key in the Secure Enclave to create96cryptographic attestations and assertions. Available on iOS 14+.97 98The flow has three phases:991. **Key generation** -- create a key pair in the Secure Enclave.1002. **Attestation** -- Apple certifies the key belongs to a genuine Apple device running your app.1013. **Assertion** -- sign server requests with the attested key to prove ongoing legitimacy.102 103### Checking Support104 105```swift106import DeviceCheck107 108let attestService = DCAppAttestService.shared109 110guard attestService.isSupported else {111    // Fall back to DCDevice token or other risk assessment.112    // App Attest is not available on simulators or all device models.113    return114}115```116 117## App Attest Key Generation118 119Generate a cryptographic key pair stored in the Secure Enclave. The returned120`keyId` is a string identifier you persist (e.g., in Keychain) for later121attestation and assertion calls.122 123```swift124import DeviceCheck125 126actor AppAttestManager {127    private let service = DCAppAttestService.shared128    private var keyId: String?129 130    /// Generate and persist a key pair for App Attest.131    func generateKeyIfNeeded() async throws -> String {132        if let existingKeyId = loadKeyIdFromKeychain() {133            self.keyId = existingKeyId134            return existingKeyId135        }136 137        let newKeyId = try await service.generateKey()138        saveKeyIdToKeychain(newKeyId)139        self.keyId = newKeyId140        return newKeyId141    }142 143    // MARK: - Keychain helpers (simplified)144 145    private func saveKeyIdToKeychain(_ keyId: String) {146        let data = Data(keyId.utf8)147        let query: [String: Any] = [148            kSecClass as String: kSecClassGenericPassword,149            kSecAttrAccount as String: "app-attest-key-id",150            kSecAttrService as String: Bundle.main.bundleIdentifier ?? "",151            kSecValueData as String: data,152            kSecAttrAccessible as String: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly153        ]154        SecItemDelete(query as CFDictionary) // Remove old if exists155        SecItemAdd(query as CFDictionary, nil)156    }157 158    private func loadKeyIdFromKeychain() -> String? {159        let query: [String: Any] = [160            kSecClass as String: kSecClassGenericPassword,161            kSecAttrAccount as String: "app-attest-key-id",162            kSecAttrService as String: Bundle.main.bundleIdentifier ?? "",163            kSecReturnData as String: true,164            kSecMatchLimit as String: kSecMatchLimitOne165        ]166        var result: AnyObject?167        let status = SecItemCopyMatching(query as CFDictionary, &result)168        guard status == errSecSuccess, let data = result as? Data else { return nil }169        return String(data: data, encoding: .utf8)170    }171}172```173 174**Important:** Generate the key once and persist the `keyId`. Generating a new175key invalidates any previous attestation.176 177## App Attest Attestation Flow178 179Attestation proves that the key was generated on a genuine Apple device running180your unmodified app. You perform attestation once per key, then store the181attestation object on your server.182 183### Client-Side Attestation184 185```swift186import DeviceCheck187import CryptoKit188 189extension AppAttestManager {190    /// Attest the key with Apple. Send the attestation object to your server.191    func attestKey() async throws -> Data {192        guard let keyId else {193            throw DeviceIntegrityError.keyNotGenerated194        }195 196        // 1. Request a one-time challenge from your server197        let challenge = try await fetchServerChallenge()198 199        // 2. Hash the challenge (Apple requires a SHA-256 hash)200        let challengeHash = Data(SHA256.hash(data: challenge))201 202        // 3. Ask Apple to attest the key203        let attestation = try await service.attestKey(keyId, clientDataHash: challengeHash)204 205        // 4. Send the attestation object to your server for verification206        try await sendAttestationToServer(207            keyId: keyId,208            attestation: attestation,209            challenge: challenge210        )211 212        return attestation213    }214 215    private func fetchServerChallenge() async throws -> Data {216        let url = serverURL.appending(path: "attest/challenge")217        let (data, _) = try await URLSession.shared.data(from: url)218        return data219    }220 221    private func sendAttestationToServer(222        keyId: String,223        attestation: Data,224        challenge: Data225    ) async throws {226        var request = URLRequest(url: serverURL.appending(path: "attest/verify"))227        request.httpMethod = "POST"228        request.setValue("application/json", forHTTPHeaderField: "Content-Type")229 230        let payload: [String: String] = [231            "key_id": keyId,232            "attestation": attestation.base64EncodedString(),233            "challenge": challenge.base64EncodedString()234        ]235        request.httpBody = try JSONEncoder().encode(payload)236 237        let (_, response) = try await URLSession.shared.data(for: request)238        guard let httpResponse = response as? HTTPURLResponse,239              httpResponse.statusCode == 200 else {240            throw DeviceIntegrityError.attestationVerificationFailed241        }242    }243}244```245 246### Server-Side Attestation Verification247 248Your server validates the attestation object (CBOR), verifies the certificate chain against Apple's App Attest root CA, and stores the public key and receipt for future assertion verification. See [references/device-integrity-patterns.md](references/device-integrity-patterns.md) for the full server verification flow.249 250## App Attest Assertion Flow251 252After attestation, use assertions to sign individual requests. Each assertion253proves the request came from the attested app instance.254 255### Client-Side Assertion256 257```swift258import DeviceCheck259import CryptoKit260 261extension AppAttestManager {262    /// Generate an assertion to accompany a server request.263    /// - Parameter requestData: The request payload to sign (e.g., JSON body).264    /// - Returns: The assertion data to include with the request.265    func generateAssertion(for requestData: Data) async throws -> Data {266        guard let keyId else {267            throw DeviceIntegrityError.keyNotGenerated268        }269 270        // Hash the request data -- the server will verify this matches271        let clientDataHash = Data(SHA256.hash(data: requestData))272 273        return try await service.generateAssertion(keyId, clientDataHash: clientDataHash)274    }275}276```277 278### Using Assertions in Network Requests279 280```swift281extension AppAttestManager {282    /// Perform an attested API request.283    func makeAttestedRequest(284        to url: URL,285        method: String = "POST",286        body: Data287    ) async throws -> (Data, URLResponse) {288        let assertion = try await generateAssertion(for: body)289 290        var request = URLRequest(url: url)291        request.httpMethod = method292        request.setValue("application/json", forHTTPHeaderField: "Content-Type")293        request.setValue(assertion.base64EncodedString(), forHTTPHeaderField: "X-App-Assertion")294        request.httpBody = body295 296        return try await URLSession.shared.data(for: request)297    }298}299```300 301### Server-Side Assertion Verification302 303Your server decodes the assertion (CBOR), verifies the authenticator data and counter, checks the signature against the stored public key, and confirms the `clientDataHash`. See [references/device-integrity-patterns.md](references/device-integrity-patterns.md) for step-by-step server verification.304 305## Server Verification Guidance306 307See [references/device-integrity-patterns.md](references/device-integrity-patterns.md) for full server architecture guidance including attestation vs. assertion comparison, recommended endpoint design, and risk assessment.308 309## Error Handling310 311Handle `DCError` codes from DeviceCheck operations. Key cases:312 313- `.serverUnavailable` — retry with exponential backoff314- `.invalidKey` — key invalidated (OS update, Secure Enclave reset); regenerate and re-attest315- `.featureUnsupported` — fall back to `DCDevice` tokens316- `.invalidInput` — malformed `clientDataHash` or `keyId`317 318See [references/device-integrity-patterns.md](references/device-integrity-patterns.md) for full error handling code, retry strategy, and key invalidation recovery.319 320## Common Patterns321 322### Environment Entitlement323 324Set the App Attest environment in your entitlements file. Use `development`325during testing and `production` for App Store builds:326 327```xml328<key>com.apple.developer.devicecheck.appattest-environment</key>329<string>production</string>330```331 332When the entitlement is missing, the system uses `development` in debug builds333and `production` for App Store and TestFlight builds.334 335See [references/device-integrity-patterns.md](references/device-integrity-patterns.md) for the full integration manager pattern, gradual rollout guidance, and error type definition.336 337## Common Mistakes338 3391. **Generating a new key on every launch.** Generate once, persist the `keyId` in Keychain.3402. **Skipping the fallback for unsupported devices.** Not all devices support App Attest. Use `DCDevice` tokens as fallback.3413. **Trusting attestation client-side.** All verification must happen on your server.3424. **Not implementing replay protection.** The server must track and increment the assertion counter.3435. **Missing the environment entitlement.** Without it, debug builds use `development` and App Store uses `production`. Mismatches cause attestation failures.3446. **Not handling `DCError.invalidKey`.** Keys can be invalidated by OS updates. Detect and regenerate.345 346## Review Checklist347 348- [ ] `DCAppAttestService.isSupported` checked before use; fallback to `DCDevice` when unsupported349- [ ] Key generated once and `keyId` persisted in Keychain350- [ ] Attestation performed once per key; attestation object sent to server351- [ ] Server validates attestation against Apple's App Attest root CA352- [ ] Assertions generated for each sensitive request; server verifies signature and counter353- [ ] `DCError` cases handled: `.serverUnavailable` with retry, `.invalidKey` with key regeneration354- [ ] App Attest environment entitlement set correctly for debug vs. production355- [ ] Gradual rollout considered; feature flag in place for enabling/disabling356 357## References358 359- Extended patterns: [references/device-integrity-patterns.md](references/device-integrity-patterns.md)360- [DeviceCheck framework](https://sosumi.ai/documentation/devicecheck)361- [DCDevice](https://sosumi.ai/documentation/devicecheck/dcdevice)362- [DCAppAttestService](https://sosumi.ai/documentation/devicecheck/dcappattestservice)363- [Establishing your app's integrity](https://sosumi.ai/documentation/devicecheck/establishing-your-app-s-integrity)
Related skills
Alarmkit

Install Alarmkit skill for Claude Code from dpearson2699/swift-ios-skills.
App Clips

Install App Clips skill for Claude Code from dpearson2699/swift-ios-skills.
App Intents

Install App Intents skill for Claude Code from dpearson2699/swift-ios-skills.