Apple’s Attest API tool aims to tighten app security
Apple released a new tool for developers that aims to better protect the user data that flows through iOS apps.
The company’s App Attest API is a new software tool meant to “protect against security threats to your app on iOS 14 or later, reducing fraudulent use of your services,” according to an Aug. 3 bulletin to developers. App Attest API generates a cryptographic key on a user’s device that aims to authenticate that an app is what it appears to be, and to ensure that a phone isn’t transmitting user data to a fraudulent app designed to steal their usernames and passwords or other information.
Security researchers specializing in iPhones have long said that it’s difficult to determine whether hackers have successfully breached an individual device, in part because of the way Apple limits visibility into its machines. If an app is trying to exceed its authorized permissions, it’s a challenge for forensic researchers to examine that behavior. This API aims to reduce the likelihood that programs are behaving in a malicious way.
Apple’s program resembles Google’s SafetyNet, a mobile security framework designed to protect Android devices from a similar type of threat.
The data protection technique comes as hackers and scammers increasingly have sought to use mobile apps as a foothold into mobile devices. By using one malicious app to infiltrate an iPhone, hackers can collect data from other programs and about device functionality, learning sensitive information, or subscribing victims to expensive paid services without their permission.