Safeguard your accounts, promotions, and content

Hello. My name is Katherine Nepo. I'm a program manager with the App Store Trust and Safety team. In this video, my colleague Jeremy Stober and I will show you how to safeguard your accounts, promotions, and content. Today, we will discuss the importance of designing for trust and safety and present a suite of tools that you can use to protect your apps and your customers from attackers. Jeremy will walk you through account risks and promotion abuse. I will close by talking about content risks. The Apple platform is designed to help your business grow and thrive with experiences that are trusted, safe, and fair for you and your customers. We're going to review how Sign in with Apple brings the simplicity and security of two-factor authentication to your app. We will then learn how you can protect promotions and offers and defend the integrity of your app with DeviceCheck and App Attest.

Your features are exciting to your customers and may be attractive to attackers. If your app includes the ability to create and manage accounts, supports user-generated content, offers promotional pricing, or includes premium content, it may be a target for fraud and abuse. There are many types of abuse that can happen after you publish your app. Let's take a closer look at three of them.

In many app experiences, accounts are used to protect users' assets. Attackers, eager to gain access, seek new ways to take over customer accounts and steal their data.

If your app offers promotions, you may be targeted by attackers seeking to take advantage of your discounts or otherwise manipulate your app or server. These attackers can be opportunistic individuals or large-scale operations. Attackers can scrape servers for valuable content and steal legitimate apps to modify, repackage, and resell them outside of the App Store, which can impact your business. I will now turn it over to Jeremy to talk about your account risks and how you can protect your users. Thank you, Katherine. I'll begin by talking about account risks that you should be aware of as an app developer.

Many apps and services require customers to create accounts. However, several problems can arise from managing customer accounts. For example, there is an incentive for others to compromise the security of your customers' valuable accounts. Accounts can be taken over through no fault of yours. Your users might be vulnerable to sophisticated phishing attacks, have their passwords leaked from unaffiliated services, or be the victim of misplaced trust. According to the Anti-phishing Working Group, an international consortium, the number of reported phishing attacks observed by its members doubled over the course of 2020. Since user accounts are valuable, attackers may target them.

In addition to account compromises, if you use customer feedback in your app, for example, to power a ratings or recommendation system, you may be creating a situation where that feedback can be used for illicit gain. This might incentivize the creation of high volumes of fake accounts that are used to manipulate these systems. Fake account creations can overload infrastructure, disrupt user experience, and impact the overall authenticity of the app experience you are working hard to craft.

There are other forms of abuse that can arise from inauthentic account creation. For example, if users can communicate with each other, then there may be an incentive to send unsolicited advertising over the platform you create using fake accounts. This can adversely impact the customer experience and your reputation.

Apple offers a few tools that developers can use to better manage account risks. One method to avoid a number of issues with account management is to adopt Sign in with Apple. Integrating with Sign in with Apple will allow you to benefit from Apple's robust and ongoing efforts to keep customer accounts secure. Sign in with Apple is protected by Apple's two-factor authentication. Customers on Apple devices can sign in and re-authenticate with Face ID or Touch ID any time. The benefits to integrating with Sign in with Apple are not limited to security. The credential return on first authorization includes a flag that indicates with a high degree confidence that a user is real and not a bot.

This flag can be checked on the client. If a flag indicates a user is likely real, no additional challenge is needed. However, if the platform is unsupported, or the value returned is unknown, a challenge to the user is recommended to prevent scripted traffic. To provide this flag, Apple uses a private, secure, on-device machine learning model in combination with service side inferences based on account activity. With Sign in with Apple, you can take advantage of Apple's world-class security and industry-leading antifraud protections. If you are not using Sign in with Apple, there are a number of tools that you can use to improve account security and prevent inauthentic account creations. There are several videos describing ways to encourage strong and unique passwords without increasing user friction. Watch "One tap account security upgrades" and "Autofill everywhere" for more information.

For inauthentic account creation, prevention means making risk-based decisions using the data you are able to collect from the account creation request like email domain and other account details that may be part of your sign-up flow.

As part of your strategy, you may want to limit the number of account creations that can happen on a single Apple device. Limiting account creation on physical devices will make it more difficult to create large numbers of fake accounts. Apple offers an API called DeviceCheck that can help with this. Using this API, you can effectively limit account creations on authentic Apple devices. You may be promoting your business with free or discounted items in your app. Next, I'll talk about an example of how this can be abused.

Suppose you want to offer an in-app promotion to grow your business. Depending on the type of app, this could be anything from a free sandwich to a discounted trial. You may find, however, that uptake of the special offer comes at a cost, as some people abuse the promotion by re-downloading the app multiple times.

Using the DeviceCheck API, you can limit the number of promotion redemptions per device while protecting user privacy.

The service allows you to set two bits of information on each device in a way that's strongly tied to device authenticity and that can be read back even after a complete reset of the device.

At a high level, the use of DeviceCheck will allow you to verify that the device is real and allow you to query previously set values of the two permitted bits. You have the ability to set and change the bits as you please. In the case of a free promotion, you can use the value of the return bits to determine if the device has been used to redeem the promotion in the past. You can also choose to set the bits per device on account creation instead, which would offer a robust new signal tied to verified hardware that you can use in rate limiting account creation in your app.

After a period of time, you can choose to reset the bits. This will facilitate reuse of the promotion on a time period that you control and could help manage situations where devices change hands.

More details are available in the videos "Privacy and your apps" as well as the video “Mitigate fraud with App Attest and DeviceCheck.” Katherine will now talk about ways to protect your content and APIs from inauthentic clients. Thank you, Jeremy. Let's walk through some of the risks potentially posed to your content.

Your content is valuable and may be an attractive target for attackers. An attacker can develop and distribute unauthorized software that allows unpermitted access to your app's premium content. This illicit access may negatively impact your earnings and create opportunities for cheating and deception. Such abuses may undermine the trust of your users and ultimately harm your business.

To help you protect the integrity of your app experiences, we created App Attest, which provides app protection starting with iOS 14 and tvOS 15. App Attest enables you to verify that the apps connecting to your servers are the apps that you published on the App Store, unmodified and running on genuine Apple devices.

Leveraging Apple's secure enclave processor, iOS and tvOS generate a cryptographic attestation of your app's identity which you can send to your server for verification before making your critical assets available. App Attest is easy to use. With only a few exchanges between your app and your server you can verify the identity of the app requesting your content. For more information on App Attest, including how your server can perform verification, please check out the "Mitigate fraud with App Attest and DeviceCheck" technical video.

The tools we discussed today will enable you to guard your apps, your users, and your content. Implement Sign in with Apple to secure your accounts from attackers and prevent access to your valuable data. Use DeviceCheck to prevent abuse of your promotional offerings. And protect your content with App Attest by validating the authenticity of the apps connecting to your server before serving their requests. Thank you for watching. We look forward to seeing your businesses grow and thrive in a fair, safe, and trusted environment. [percussive music]