Device attestation vs App attestation [Solved]

Participant
Discussion
2 weeks ago

Recently, I came across attestation for devices and applications. The definition of attestation is basically having proof, but in the world of devices, it’s about maintaining their integrity.

Alright, let’s break this down logically. Device attestation verifies whether a device is legitimate and uncompromised: essentially, a way to ensure the hardware and OS haven’t been tampered with. Meanwhile, app attestation is about verifying that an application is genuine and hasn’t been modified or recompiled to introduce malicious behaviour. Both serve security functions, but at different levels.

Anybody want to share their view on this topic? Would love to see different perspectives.

Replies (3)

Participant
1 week ago

Yeah, this is such an interesting topic when it comes to device security and integrity. Importantly, device attestation is the real deal when it comes to securing a system. If the device itself is compromised, does it even matter if an app is clean? You’re still running it in a risky environment. Apple’s device attestation with ACME certificate enrolment requests checks if the device is legit before allowing access to sensitive resources. That’s a major line of defence right there.

https://support.apple.com/en-in/guide/deployment/dep28afbde6a/web

https://www.trio.so/blog/device-attestation/

Participant
1 week ago

Bruh, but what if the app is the weak link? Say you got a verified device, but some shady app manages to sneak in. Now what? That’s where app attestation flexes: it makes sure only the real, untampered apps get to talk to your backend. No sketchy third-party APIs hijacking your data. Think of it as a VIP pass check for apps, no fakes allowed.

I found a thread discussing app attestation here in Hexnode Connect and a few others; I will link them below.

https://www.hexnode.com/forums/topic/app-attestation/

https://www.appsealing.com/app-attestation/


Participant
1 week ago

Those are some good insights, man. If security’s a priority, cutting corners isn’t an option. If it’s a controlled environment with company-owned devices, device attestation might be enough. But if you’re dealing with a mix of personal and work devices, you’ve gotta double down with app attestation too.

Facts. At the end of the day, both have their place. Device attestation keeps the foundation solid, while app attestation ensures no impostors slip through. If you really want to lock things down, use them together. Better safe than sorry, right?
