The iOS ecosystem is often regarded as the safer platform among its competitors. Though iOS devices are less likely to be used to perform fraudulent actions, there are still malicious actors from which businesses need to protect themselves.
The official offering of supported tools intended to fight and prevent fraud on the iOS platform has been steadily expanding over recent years. Those technologies, however, force both the developer and the user to jump through more and more hoops. Unfortunately, privacy measures usually cause more restrictions.
This article gives an overview of the existing techniques and APIs native to iOS that allow developers to harden application security. It weighs all the main pros and cons of methods that are provided by Apple and covers an alternative approach that is successfully deployed in our fraud detection solutions on other platforms.
iOS includes a native fraud protection solution called DeviceCheck. Introduced with iOS 11, the `DeviceCheck` framework brought an option to flag devices by permanently writing a tiny amount of data to a device. The API allows setting and retrieving two bits of information. The interpretation of their meaning is left to the application developer (e.g., the bits could be used to store a flag that determines whether the user completed onboarding, applied a one-time discount coupon, or anything else that can be represented with a true/false value).
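The client side of this flow, as an added example that is not code from the original article: the app asks `DCDevice` for a token and hands it to its own server, which is the party that queries or updates the two bits with Apple. The `DeviceFlags` mapping (bit 0 for onboarding, bit 1 for the coupon), the `backend` URL and the JSON shape exchanged with it are assumptions made for illustration.

```swift
import DeviceCheck
import Foundation

/// App-defined meaning of the two DeviceCheck bits (assumed mapping for this example).
struct DeviceFlags: Codable, Equatable {
    var completedOnboarding: Bool   // the server stores this as bit 0
    var redeemedCoupon: Bool        // the server stores this as bit 1
}

enum DeviceCheckError: Error { case unsupported, noToken }

/// Requests an ephemeral device token from DeviceCheck.
/// The token identifies the device to Apple without exposing a hardware identifier to the app.
func fetchDeviceToken(completion: @escaping (Result<String, Error>) -> Void) {
    // DeviceCheck is not available in every environment, so check before calling.
    guard DCDevice.current.isSupported else {
        completion(.failure(DeviceCheckError.unsupported))
        return
    }
    DCDevice.current.generateToken { data, error in
        if let error = error { completion(.failure(error)); return }
        guard let data = data else { completion(.failure(DeviceCheckError.noToken)); return }
        completion(.success(data.base64EncodedString()))
    }
}

/// Sends the token to a hypothetical backend endpoint and decodes the flags it returns.
/// The backend (not shown) is assumed to reply with JSON matching `DeviceFlags`.
func queryFlags(backend: URL, completion: @escaping (Result<DeviceFlags, Error>) -> Void) {
    fetchDeviceToken { result in
        switch result {
        case .failure(let error):
            completion(.failure(error))
        case .success(let token):
            var request = URLRequest(url: backend)
            request.httpMethod = "POST"
            request.setValue("application/json", forHTTPHeaderField: "Content-Type")
            request.httpBody = try? JSONEncoder().encode(["device_token": token])
            URLSession.shared.dataTask(with: request) { data, _, error in
                if let error = error { completion(.failure(error)); return }
                // A missing or malformed body surfaces as a decoding error, not as default flags.
                completion(Result { try JSONDecoder().decode(DeviceFlags.self, from: data ?? Data()) })
            }.resume()
        }
    }
}
```

Treating an unsupported device or a failed token request as an explicit error, rather than as "both bits are false", keeps a one-time coupon from being granted again just because the check could not run.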