Since device check APIs (attestation) are not available for extensions like share extension and widget extension (at least in 26 and according to documentation still in 27) - is there any best practice how to still protect endpoints which are also called from these extensions? And subquestion: is there a technical limitation in iOS design that made it impossible to also support extensions?
is there any best practice how to still protect endpoints which are also called from these extensions
Do check out the Privacy and Security QA, which may have some alternative suggestions.
is there a technical limitation in iOS design that made it impossible to also support extensions?
There are a very large number of extensions, which makes it infeasible to open up App Attest to all of them without being able to test the behavior across all of them. That has been the main motivation to limit App Attest to specific types of extensions.
If there is enough developer demand, we can certainly investigate enabling App Attest for other extension types.
Please do file a Feedback Assistant request with your concern: https://developer.apple.com/feedback-assistant/.