Device Integrity

Name: Device Integrity
Author: dpearson2699

dpearson2699/swift-ios-skills

Implement and verify Apple App Attest attestation and assertions on the server for sensitive iOS endpoints.

Overview

Device Integrity is an agent skill most often used in Ship (also Build integrations, Operate monitoring) that defines server-side App Attest verification and assertion contracts for iOS apps.

Install

npx skills add https://github.com/dpearson2699/swift-ios-skills --skill device-integrity

What is this skill?

Source-grounded App Attest attestation checklist: CBOR/certificate validation, App ID, environment, counter, and keyId c
Verifies nonce as SHA256(authData || clientDataHash) with clientDataHash = SHA256(challenge)
Names extension OID 1.2.840.113635.100.8.2 for nonce extraction from the credential certificate
Assertion contract guidance for premium or sensitive requests after an attested key exists
Stores verified public key and receipt—not raw attestation blobs—as the durable trust record
eval suite includes app-attest-attestation-verifier and app-attest-sensitive-request-assertion scenarios

Compatible agents: Claude Code, Cursor, Codex, Windsurf

Adoption & trust: 1.7k installs on skills.sh; 713 GitHub stars; 3/3 security scanners passed (skills.sh audits).

What problem does it solve?

You must trust iOS clients on sensitive actions but are unsure which cryptographic and Apple-specific checks the verifier must run before storing credentials.

Who is it for?

Indie developers shipping iOS apps with premium content, account-bound actions, or fraud-sensitive APIs backed by a small custom server.

Skip if: Android Play Integrity-only projects, web-only auth, or teams that will not operate server-side certificate and CBOR validation.

When should I use this skill?

Adding or reviewing server-side App Attest attestation verification, assertion contracts, or storage of verified iOS device keys.

What do I get? / Deliverables

You get a repeatable attestation and assertion verification plan that stores verified public keys and receipts and rejects bad nonces or mismatched key material.

Attestation verification checklist
Assertion request contract for sensitive endpoints
Storage model for public key and receipt

Recommended Skills

Azure Compliancemicrosoft/azure-skills

Azure Compliance is a Microsoft agent skill for solo builders and small teams who need structured security and complianc…373k installs·1.2k stars

Openclaw Secure Linux Cloudxixu-me/skills

OpenClaw Secure Linux Cloud guides a hardened VPS deployment—rootless Podman, loopback-only gateway, SSH-tunneled Contro…201k installs·61 stars

Entra Agent Idmicrosoft/azure-skills

entra-agent-id is a Microsoft-authored agent skill for provisioning and operating OAuth-capable identities tailored to A…99.1k installs·1.2k stars

Firebase Security Rules Auditorfirebase/agent-skills

Firebase Security Rules Auditor turns your agent into a senior penetration-style reviewer for Firestore rulesets. Solo b…40.3k installs·345 stars

Firestore Security Rules Auditorfirebase/agent-skills

Firestore-security-rules-auditor is a checker skill for solo builders and small teams shipping Firebase-backed apps who …20.3k installs·345 stars

Skill Vetteruseai-pro/openclaw-skills-security

Skill Vetter is a security-first OpenClaw agent skill that makes your coding agent behave like a pre-install auditor for…19.2k installs·62 stars

Journey fit

Spans multiple journey phases - primary shelf plus alternate fits below.

Primary fit

Device integrity checks gate production releases and protected APIs, so the canonical shelf is ship security even though server code is written earlier. App Attest verification, nonce composition, and fraud-risk storage are application-security concerns, not generic mobile UI work.

Also useful

BuildIntegrations & version control

Also useful

OperateMonitoring & observability

Where it fits

Example use

BuildIntegrations & version control

Implement the attestation POST handler before the iOS client submits keyId and attestationObject.

Example use

ShipSecurity

Run through nonce, OID, and public-key storage checks in a pre-launch security review.

Example use

OperateMonitoring & observability

Tighten assertion requirements when download abuse spikes after launch.

How it compares

Use this App Attest verifier checklist instead of treating the attestation object itself as the long-lived trusted credential.

Common Questions / FAQ

Who is device-integrity for?

Solo builders and small teams adding server-side App Attest to Swift/iOS apps with custom backends.

When should I use device-integrity?

During build when wiring attestation endpoints; during ship security review before launch; during operate when tightening assertion contracts after fraud signals.

Is device-integrity safe to install?

Check the Security Audits panel on this page; the skill guides verification logic—you still must protect signing keys and challenge issuance on your server.

SKILL.md

READMESKILL.md - Device Integrity

{
  "skill_name": "device-integrity",
  "evals": [
    {
      "id": 0,
      "name": "app-attest-attestation-verifier",
      "prompt": "We're adding server-side App Attest verification for an iOS app. The client sends keyId, attestationObject, and the original one-time challenge. What exact checks should the verifier perform before storing anything?",
      "expected_output": "A source-grounded App Attest attestation verification checklist that covers CBOR/certificate validation, nonce composition, App ID and environment checks, credential ID/keyId checks, and storing verified public key plus receipt.",
      "files": [],
      "expectations": [
        "Computes `clientDataHash = SHA256(challenge)`, then verifies the certificate nonce against `SHA256(authData || clientDataHash)` rather than `SHA256(challenge)` alone.",
        "Names the credential certificate extension OID `1.2.840.113635.100.8.2` as the source of the nonce value to compare.",
        "Verifies the App ID/RP ID hash, environment `aaguid`, initial counter, `credentialId`, and keyId/public-key hash relationship.",
        "Stores the verified public key and receipt for future assertion and fraud-risk use instead of treating the raw attestation object as the trusted durable record."
      ]
    },
    {
      "id": 1,
      "name": "app-attest-sensitive-request-assertion",
      "prompt": "Design the App Attest assertion contract for a premium-content download endpoint. The app already has an attested key. What should the client sign and what should the server verify on every sensitive request?",
      "expected_output": "A replay-safe assertion design that signs client data containing a server challenge and request context, then verifies assertion CBOR, signature, RP ID, counter, challenge, and request binding server-side.",
      "files": [],
      "expectations": [
        "Requires a fresh one-time server challenge for the assertion flow and embeds it in the client data.",
        "Includes request context or a request-body hash in the signed client data so the assertion is bound to the sensitive request.",
        "Verifies the assertion signature over `SHA256(authenticatorData || SHA256(clientData))` using the public key stored from attestation.",
        "Checks the RP ID hash, monotonically increasing counter, and embedded challenge before accepting the request."
      ]
    },
    {
      "id": 2,
      "name": "device-integrity-boundary-and-errors",
      "prompt": "Review this plan: cache a DCDevice token for the whole install, use one App Attest key for all users, retry any attestKey failure with a new key immediately, treat invalidKey as an OS update problem, and add OAuth/session-token/certificate-pinning advice to the same device-integrity checklist. What should be corrected?",
      "expected_output": "A boundary-aware correction list that fixes DeviceCheck token reuse, App Attest key scope, retry/error handling, environment behavior, and routes unrelated authentication/network security work to sibling guidance.",
      "files": [],
      "expectations": [
        "States that `DCDevice.generateToken()` tokens are single-use and should not be cached for the whole install.",
        "Requires App Attest keys to be unique per user account on each device and warns against unnecessary key generation because it affects risk metrics.",
        "For `serverUnavailable`, retries attestation later with the same key and same `clientDataHash`; for other attestation errors, discards the key identifier before a new-key retry.",
        "Describes `invalidKey` using Apple-documented causes: already-attested key, unattested assertion key, or service rejection, without attributing it to OS updates or Secure Enclave resets.",
        "Keeps OAuth/session-token design, certificate pinning, and broad networking security out of the device-integrity checklist except as sibling-skill handoffs."
      ]
    }
  ]
}


# Device Integrity Extended Patterns

Overflow re

What is this skill?

Source-grounded App Attest attestation checklist: CBOR/certificate validation, App ID, environment, counter, and keyId c

Verifies nonce as SHA256(authData || clientDataHash) with clientDataHash = SHA256(challenge)

Names extension OID 1.2.840.113635.100.8.2 for nonce extraction from the credential certificate

Assertion contract guidance for premium or sensitive requests after an attested key exists

Stores verified public key and receipt—not raw attestation blobs—as the durable trust record

eval suite includes app-attest-attestation-verifier and app-attest-sensitive-request-assertion scenarios

Compatible agents: Claude Code, Cursor, Codex, Windsurf

Adoption & trust: 1.7k installs on skills.sh; 713 GitHub stars; 3/3 security scanners passed (skills.sh audits).

Journey fit

Spans multiple journey phases - primary shelf plus alternate fits below.

Primary fit

Also useful

BuildIntegrations & version control

Also useful

OperateMonitoring & observability

Where it fits

Example use

BuildIntegrations & version control

Implement the attestation POST handler before the iOS client submits keyId and attestationObject.

Example use

ShipSecurity

Run through nonce, OID, and public-key storage checks in a pre-launch security review.

Example use

OperateMonitoring & observability

Tighten assertion requirements when download abuse spikes after launch.

SKILL.md

READMESKILL.md - Device Integrity

{
  "skill_name": "device-integrity",
  "evals": [
    {
      "id": 0,
      "name": "app-attest-attestation-verifier",
      "prompt": "We're adding server-side App Attest verification for an iOS app. The client sends keyId, attestationObject, and the original one-time challenge. What exact checks should the verifier perform before storing anything?",
      "expected_output": "A source-grounded App Attest attestation verification checklist that covers CBOR/certificate validation, nonce composition, App ID and environment checks, credential ID/keyId checks, and storing verified public key plus receipt.",
      "files": [],
      "expectations": [
        "Computes `clientDataHash = SHA256(challenge)`, then verifies the certificate nonce against `SHA256(authData || clientDataHash)` rather than `SHA256(challenge)` alone.",
        "Names the credential certificate extension OID `1.2.840.113635.100.8.2` as the source of the nonce value to compare.",
        "Verifies the App ID/RP ID hash, environment `aaguid`, initial counter, `credentialId`, and keyId/public-key hash relationship.",
        "Stores the verified public key and receipt for future assertion and fraud-risk use instead of treating the raw attestation object as the trusted durable record."
      ]
    },
    {
      "id": 1,
      "name": "app-attest-sensitive-request-assertion",
      "prompt": "Design the App Attest assertion contract for a premium-content download endpoint. The app already has an attested key. What should the client sign and what should the server verify on every sensitive request?",
      "expected_output": "A replay-safe assertion design that signs client data containing a server challenge and request context, then verifies assertion CBOR, signature, RP ID, counter, challenge, and request binding server-side.",
      "files": [],
      "expectations": [
        "Requires a fresh one-time server challenge for the assertion flow and embeds it in the client data.",
        "Includes request context or a request-body hash in the signed client data so the assertion is bound to the sensitive request.",
        "Verifies the assertion signature over `SHA256(authenticatorData || SHA256(clientData))` using the public key stored from attestation.",
        "Checks the RP ID hash, monotonically increasing counter, and embedded challenge before accepting the request."
      ]
    },
    {
      "id": 2,
      "name": "device-integrity-boundary-and-errors",
      "prompt": "Review this plan: cache a DCDevice token for the whole install, use one App Attest key for all users, retry any attestKey failure with a new key immediately, treat invalidKey as an OS update problem, and add OAuth/session-token/certificate-pinning advice to the same device-integrity checklist. What should be corrected?",
      "expected_output": "A boundary-aware correction list that fixes DeviceCheck token reuse, App Attest key scope, retry/error handling, environment behavior, and routes unrelated authentication/network security work to sibling guidance.",
      "files": [],
      "expectations": [
        "States that `DCDevice.generateToken()` tokens are single-use and should not be cached for the whole install.",
        "Requires App Attest keys to be unique per user account on each device and warns against unnecessary key generation because it affects risk metrics.",
        "For `serverUnavailable`, retries attestation later with the same key and same `clientDataHash`; for other attestation errors, discards the key identifier before a new-key retry.",
        "Describes `invalidKey` using Apple-documented causes: already-attested key, unattested assertion key, or service rejection, without attributing it to OS updates or Secure Enclave resets.",
        "Keeps OAuth/session-token design, certificate pinning, and broad networking security out of the device-integrity checklist except as sibling-skill handoffs."
      ]
    }
  ]
}


# Device Integrity Extended Patterns

Overflow re

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Where it fits

Who is device-integrity for?

When should I use device-integrity?

Is device-integrity safe to install?

SKILL.md

This week for builders

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Where it fits

Who is device-integrity for?

When should I use device-integrity?

Is device-integrity safe to install?

SKILL.md