App Transfer Impact on DeviceCheck Token/keyid

Question

Created 1d

Replies 1

Boosts 0

Participants 2

Hello,

I was planning to transfer an app to a different Apple Developer account and had a question regarding DeviceCheck behavior after the transfer.

Currently, the app uses the DeviceCheck service with a DeviceCheck key associated with the transferring account.

We are specifically interested in the period immediately after the app transfer, but before the app has been updated under the recipient account.

Could you clarify the following:

Will DeviceCheck validations continue to function after the app transfer using the existing DeviceCheck key and "iss" value associated with the transferor account? Or will DeviceCheck requests begin failing until a new DeviceCheck key is generated under the recipient account and our backend is updated to use the new "iss" value?

Any guidance on the expected transition behavior would be greatly appreciated.

Thank you.

Boost

Answer 1

Engineer OP

Apple

3h

When an app is transferred between developer accounts, the DeviceCheck state (the two bits and timestamp associated with a device) persists across the transfer.

This means that the data previously stored for a device using DeviceCheck will remain accessible and associated with that device, even after the app's ownership changes (assuming the new owner is not changing the Bundle ID).

This persistence is designed to help mitigate fraud, as the state is maintained by Apple and survives app reinstallation, device transfer between users, and even device erasure.

However, the authentication for communicating with the DeviceCheck service relies on a private key and an iss (issuer) value from your developer account.

When an app is transferred to a new developer account, it becomes associated with the recipient's Team ID. Therefore, to continue authenticating requests to the DeviceCheck service for the transferred app, the backend must be updated to use a new DeviceCheck private key generated under the recipient account and the corresponding iss value (the recipient's Team ID).

The original DeviceCheck key and iss value associated with the old team account will no longer be valid for authenticating requests for the app under the new team.

0