Hello, I'm developing a server that uses the app attestation feature. During development, I found behaviors that are not written in the document, and I would like to inquire about them.
- When does the Apple server return 404 for a risk metric refresh request?
A month after the attestation, the receipt is not past its expiration time, but 404 is returned from the Apple server when I try to refresh. And this receipt succeeded in refreshing the risk metric normally if the attestation proceeds again. This behavior is not in the document, but I wonder if it is intended.
- Is there a case where an attestation has occurred but the risk metric value does not increase?
I found a case where attestation occurred twice on one device, but when both receipts were refreshed, the risk metric returned 1. Is this expected behavior? If it is, I would like to know the detailed conditions under which it occurs.
Thank you.
It seems to me that the period during which risk metric refresh is possible is within a month of attestation. After that, 404 is returned.
Yes, we only store related data for 30 days for privacy considerations. So 404 is expected after the expiration of the data retention period.
Is there a case where an attestation has occurred but the risk metric value does not increase?
For the same app on the same device, we treat repeated attestation (i.e. the exact same attestation request) as a single event because essentially there is no new certificate issued from Apple's side.
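
The 30-day retention behavior discussed in this thread, sketched as server-side handling; this is an added example, not part of the thread and not Apple's code. The action names, key ids and timestamps are hypothetical, and it assumes the 30-day window starts at attestation time and that statuses other than 200 and 404 are transient.

```python
from datetime import datetime, timedelta, timezone

# From the reply above: related data is stored for 30 days.
# Assumption: the window is counted from the time of attestation.
RETENTION = timedelta(days=30)

def refresh_deadline(attested_at):
    """Last moment a refresh for this attestation can be expected to succeed."""
    return attested_at + RETENTION

def classify_refresh(status, attested_at, now):
    """Turn a refresh HTTP status into a server-side action (names are hypothetical)."""
    expired = now >= refresh_deadline(attested_at)
    if status == 200:
        return "store_new_receipt"
    if status == 404:
        # Expected once retention has lapsed; a 404 inside the window is not
        # explained by the thread, so it is flagged rather than silently retried.
        return "require_reattestation" if expired else "investigate"
    return "retry_later"  # assumption: other statuses are treated as transient

def triage(records, now):
    """Split stored attestations into those worth refreshing and those past
    the retention window, so the latter are re-attested without a wasted call."""
    refreshable, stale = [], []
    for key_id, attested_at in records.items():
        (stale if now >= refresh_deadline(attested_at) else refreshable).append(key_id)
    return sorted(refreshable), sorted(stale)

# Constructed sample data: key ids and timestamps are made up.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
RECORDS = {
    "key-a": NOW - timedelta(days=5),
    "key-b": NOW - timedelta(days=31),
    "key-c": NOW - timedelta(days=29, hours=23),
}

if __name__ == "__main__":
    print(triage(RECORDS, NOW))
    for key_id, ts in RECORDS.items():
        print(key_id, classify_refresh(404, ts, NOW))
```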