[zimmerfrei]

Both iOS and recent Androids have by now a form of app attestation: the server can tell if the caller is the legitimate app or not (with good enough confidence - as everything, it's not unbreakable).

Doesn't that make obfuscation kind of pointless? Even if your knock-off app knows everything about the API of the original service, it won't be able to use it because it is not the genuine app or maybe it is but it is not running in a real iOS/Android device.

Or maybe this is only meant to include non-Android certified phones (= China)?

[3eed]

DeviceCheck on iOS support iOS 11 and up. Which would cut off 7% of users[1], a bit extreme. But when the time comes when you don't have to cut off anyone, it'll be very interesting to see what'll happen on iOS. Someone will bypass it? Death of reverse engineering? Who knows. On Android, an HN user mentioned in the previous post that it's a solved problem[2].

[1]: https://developer.apple.com/support/app-store/ [2]: https://magiskmanager.com/

[zemnmez]

seems like something having a rooted os would fix pretty quickly

[power78]

Seems like the creator of Magisk Manager could not get around Android's implementation: https://twitter.com/topjohnwu/status/1245956080779198464?s=1...

[whs]

I tried adding safetynet attestation on launch for all Android clients and ran into rate limit pretty fast. (iirc it's about 10k/hr)

Devicecheck have no such problem though, but it doesn't really feel designed for the use case - you need to implement an anti replay system yourself.