In Android there is a way of knowing whether the public key from a key pair was generated inside the TEE and is, therefore, hardware-backed (https://source.android.com/security/keystore/attestation). I cannot find a way to do that in iOS. Does anyone know if there is a way?
2 Answers
A similar service is available from iOS 14 as DCAppAttestService:
https://developer.apple.com/documentation/devicecheck/dcappattestservice
That service doesn't allow using the attested key for general-purpose cryptography though (only for signing authenticity challenges), I think. In that sense, it does not match Android key attestation. – lxgr Mar 01 '21 at 20:42

IIUC, this service allows you to verify the integrity of your app, so if you know that (a) the app was not modified, (b) it is running on unmodified Apple hardware+OS, and (c) you made it generate the key in the secure enclave – then you can be sure that the public key that it sends to your server after it is generated is indeed hardware-backed. The limitation here is that you won't be able to prove it to someone else, though. – kirelagin Jun 08 '21 at 22:03
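The client half of the App Attest flow that the first answer and its comments describe, as an added example (not code from the answer, from Apple's documentation, or from any project on this page). It assumes a physical device on iOS 14 or later with the App Attest entitlement, and a hypothetical backend that issues a one-time challenge and later receives the attestation object and assertions; `serverChallenge` is a constructed stand-in for that challenge.

```swift
import Foundation
import DeviceCheck
import CryptoKit

// Added example: generate an App Attest key, attest it against a server challenge,
// and later produce an assertion over a request body. The backend and the
// challenge below are assumptions, not a real API.

enum AppAttestError: Error {
    case unsupported
    case keyGeneration(Error?)
    case attestation(Error?)
    case assertion(Error?)
}

/// Step 1: ask the Secure Enclave for an App Attest key. The returned keyId is an
/// opaque identifier; the private key itself never leaves the device.
func generateAppAttestKey(completion: @escaping (Result<String, AppAttestError>) -> Void) {
    let service = DCAppAttestService.shared
    guard service.isSupported else { return completion(.failure(.unsupported)) }
    service.generateKey { keyId, error in
        guard let keyId = keyId else { return completion(.failure(.keyGeneration(error))) }
        completion(.success(keyId))
    }
}

/// Step 2: bind the key to a one-time challenge issued by the server. Apple signs the
/// result; the server verifies the certificate chain against Apple's App Attest root
/// and checks that the embedded nonce equals SHA-256(authData || clientDataHash).
func attest(keyId: String, serverChallenge: Data,
            completion: @escaping (Result<Data, AppAttestError>) -> Void) {
    let clientDataHash = Data(SHA256.hash(data: serverChallenge))
    DCAppAttestService.shared.attestKey(keyId, clientDataHash: clientDataHash) { attestation, error in
        guard let attestation = attestation else { return completion(.failure(.attestation(error))) }
        completion(.success(attestation))   // CBOR attestation object: sent to the server once, with keyId
    }
}

/// Step 3: for later requests, sign the request body so the server can check that the
/// same attested app instance produced it (and that the signature counter increased).
func makeAssertion(keyId: String, requestBody: Data,
                   completion: @escaping (Result<Data, AppAttestError>) -> Void) {
    let clientDataHash = Data(SHA256.hash(data: requestBody))
    DCAppAttestService.shared.generateAssertion(keyId, clientDataHash: clientDataHash) { assertion, error in
        guard let assertion = assertion else { return completion(.failure(.assertion(error))) }
        completion(.success(assertion))
    }
}

// Usage: a constructed challenge stands in for one fetched from the (assumed) server.
let serverChallenge = Data("constructed-one-time-challenge-from-server".utf8)
generateAppAttestKey { result in
    switch result {
    case .failure(let err):
        print("App Attest unavailable: \(err)")
    case .success(let keyId):
        attest(keyId: keyId, serverChallenge: serverChallenge) { result in
            if case .success(let attestation) = result {
                print("attestation object: \(attestation.count) bytes for keyId \(keyId)")
                // Persist keyId; the attestation object goes to the server once, then
                // each sensitive request is accompanied by makeAssertion(...) output.
            }
        }
    }
}
```

Two design points follow from the comments above. The App Attest key is only usable through `attestKey` and `generateAssertion`, so it cannot sign arbitrary data the way an Android-attested key can; if the app also needs a general-purpose Secure Enclave key, it generates that separately and sends its public key inside an asserted request, which is what lets the server trust that the key came from an unmodified app on genuine hardware. Everything that proves hardware provenance lives in the attestation object, so the server must actually validate it (Apple's App Attest root CA, the nonce, and that the key identifier is the SHA-256 of the attested public key) rather than merely checking that the call succeeded.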
Attention: in the meantime, my answer is no longer up to date. See Tolga Okur's answer above from Jun 23 2020. For history purposes I won't delete it.
I am not aware of a directly similar possibility, but if your app lives on a non-jailbroken device you can create keys and store them inside the Secure Enclave of your iOS device and be sure that they are stored securely and cannot be compromised. Note that you can only store 256-bit elliptic curve private keys. You can then get the public key from the secret key, e.g. by SecKeyCopyPublicKey.
TrailOfBits created an example project where you can look up more interaction with the Secure Enclave API.
The Secure Enclave itself is protected by a secure boot chain to ensure its separate software is verified and signed by Apple. See: https://www.apple.com/business/docs/iOS_Security_Guide.pdf
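What the answer above describes, as an added example rather than code from the answer or from the Trail of Bits project: create a P-256 key inside the Secure Enclave, take the public half with `SecKeyCopyPublicKey`, export it, and sign with the private key. It assumes a physical device (the simulator has no Secure Enclave), a Keychain-capable app, and a placeholder application tag.

```swift
import Foundation
import Security
import CryptoKit

// Added example: Secure Enclave key generation and use. The application tag is a
// placeholder; the local CryptoKit check at the end stands in for a server that
// already trusts the exported public key.

enum SecureEnclaveKeyError: Error {
    case accessControl(Error?)
    case keyGeneration(Error?)
    case publicKeyExport(Error?)
    case signing(Error?)
}

/// Creates a 256-bit EC key whose private half never leaves the Secure Enclave.
/// kSecAttrTokenIDSecureEnclave is what makes the key hardware-bound; the access
/// control object decides when the key may be used (add .biometryCurrentSet to the
/// flags to require Face ID / Touch ID).
func makeSecureEnclaveKey(tag: String) throws -> SecKey {
    var acError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage],
        &acError) else {
        throw SecureEnclaveKeyError.accessControl(acError?.takeRetainedValue())
    }

    let attributes: [String: Any] = [
        kSecAttrKeyType as String:       kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,   // the only size the Secure Enclave supports
        kSecAttrTokenID as String:       kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String:    true,
            kSecAttrApplicationTag as String: Data(tag.utf8),
            kSecAttrAccessControl as String:  access,
        ],
    ]

    var error: Unmanaged<CFError>?
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw SecureEnclaveKeyError.keyGeneration(error?.takeRetainedValue())
    }
    return key
}

/// Returns the public half as an uncompressed SEC1 point (0x04 || X || Y, 65 bytes),
/// which is the format SecKeyCopyExternalRepresentation produces for EC keys.
func exportPublicKey(of privateKey: SecKey) throws -> Data {
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else {
        throw SecureEnclaveKeyError.publicKeyExport(nil)
    }
    var error: Unmanaged<CFError>?
    guard let data = SecKeyCopyExternalRepresentation(publicKey, &error) as Data? else {
        throw SecureEnclaveKeyError.publicKeyExport(error?.takeRetainedValue())
    }
    return data
}

/// Signs a message inside the enclave; the result is a DER-encoded ECDSA signature over SHA-256.
func sign(_ message: Data, with privateKey: SecKey) throws -> Data {
    let algorithm: SecKeyAlgorithm = .ecdsaSignatureMessageX962SHA256
    guard SecKeyIsAlgorithmSupported(privateKey, .sign, algorithm) else {
        throw SecureEnclaveKeyError.signing(nil)
    }
    var error: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(privateKey, algorithm, message as CFData, &error) as Data? else {
        throw SecureEnclaveKeyError.signing(error?.takeRetainedValue())
    }
    return sig
}

// Usage
do {
    let key = try makeSecureEnclaveKey(tag: "com.example.demo.se-key")   // placeholder tag
    let pub = try exportPublicKey(of: key)
    print("public key (\(pub.count) bytes): \(pub.map { String(format: "%02x", $0) }.joined())")

    let message = Data("hello".utf8)
    let sig = try sign(message, with: key)

    // What a verifier does once it trusts the public key: nothing in these bytes
    // tells it the key was generated in the Secure Enclave, which is the gap the
    // question is about.
    let verifierKey = try P256.Signing.PublicKey(x963Representation: pub)
    let verifierSig = try P256.Signing.ECDSASignature(derRepresentation: sig)
    print("signature valid: \(verifierKey.isValidSignature(verifierSig, for: message))")
} catch {
    print("Secure Enclave error: \(error)")
}
```

The exported point is what you would send to a server. Note that `SecKeyCopyExternalRepresentation` fails for the private key itself, which is the expected behaviour for an enclave-resident key; only the public key is exportable.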
What you are explaining is how to generate a key pair inside the secure enclave, but what I want is to be able to ensure the key was generated inside the secure enclave from the server side. Android solves this by signing the public key with a key from the vendor which is stored inside the secure element. – arnau Oct 31 '17 at 16:42

Yeah, I know, it's a pity that Apple does not provide this possibility. At least I am not aware of it and the docs do not provide any hint on the topic. Note that attestation in Android is a relatively young feature, as it needs API level 24 (Android 7, alias Nougat). – David Artmann Oct 31 '17 at 18:58