App Attest Explained: How Letter Star Ensures Fair Play

Letter Star Team

Letter Star uses Apple’s App Attest framework to ensure every score submitted to our leaderboards comes from a legitimate, unmodified app running on a genuine device. Here’s how it works.

What is App Attest?

App Attest is Apple’s hardware-based attestation framework, introduced in iOS 14. It allows apps to cryptographically prove three things:

  1. The app is authentic - It hasn’t been modified or tampered with
  2. The device is genuine - It’s a real Apple device, not an emulator
  3. The request is fresh - It’s not a replay of an old request

This creates a chain of trust from Apple’s hardware security module all the way to our servers.

How Letter Star Uses App Attest

Initial Device Registration

When you first open Letter Star, your device generates a unique key pair in the Secure Enclave - Apple’s isolated, hardware-based security processor. The private key never leaves your device.

  1. Your app requests an attestation from Apple’s servers
  2. Apple verifies your device is genuine and the app is unmodified
  3. Apple returns a cryptographically signed attestation
  4. Letter Star verifies the attestation and registers your device

Every Score Submission

Each time you submit a score, Letter Star:

  1. Creates a request signature - Your device signs the request with its private key
  2. Adds a nonce - A one-time-use number prevents replay attacks
  3. Includes timing data - Helps detect automated solving
  4. Generates a checksum - Validates the game state hasn’t been manipulated

Our servers verify all of this before accepting your score. If anything doesn’t match, the score is rejected.

Why This Matters

Traditional anti-cheat systems try to detect cheating after it happens. App Attest prevents cheating before it occurs by making it cryptographically impossible to submit fake scores.

What App Attest Prevents

  • Modified apps - Can’t bypass the attestation check
  • Emulators - Don’t have Apple’s Secure Enclave
  • Jailbroken devices - Fail the integrity check
  • Man-in-the-middle attacks - Signatures don’t match
  • Replay attacks - Nonces ensure requests are one-time use
  • Score injection - Checksums validate game state

What Users Get

  • Fair competition - Everyone plays by the same rules
  • Privacy - No personal data required for verification
  • Transparency - Verified badge shows who passed verification
  • Trust - Leaderboards you can believe in

The Verification Process

Letter Star implements a multi-layer verification system:

Layer 1: App Attest Verification

Your device proves it’s running genuine Letter Star software on a real Apple device.

Layer 2: Request Signing

Every API request is signed with your device’s private key, proving it came from your verified device.

Layer 3: Nonce Validation

Each request includes a server-provided nonce, ensuring it can only be used once.

Layer 4: Checksum Verification

Game state checksums ensure the score matches the actual game played.

Layer 5: Pattern Analysis

Our backend analyzes timing patterns and solve strategies to detect anomalies.
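
The request-signing and nonce checks from the "Every Score Submission" steps and from Layers 2 and 3, as an added example that is not Letter Star's own code. It assumes a P-256 ECDSA device key (the key type App Attest creates), generated here in software, and a hypothetical message layout; `Submission`, `Server`, `Register`, `IssueNonce`, `Sign` and `Verify` are illustrative names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Submission is a hypothetical wire format, not Letter Star's actual one.
type Submission struct {
	Nonce   [16]byte // server-issued, single use
	Payload string   // score and game data
	Sig     []byte   // ECDSA over SHA-256(Nonce || Payload)
}
type Server struct {
	deviceKey *ecdsa.PublicKey  // registered after attestation
	pending   map[[16]byte]bool // nonces issued but not yet spent
}
func Register() (*ecdsa.PrivateKey, *Server) {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for the Secure Enclave key
	return k, &Server{&k.PublicKey, map[[16]byte]bool{}}
}
func (s *Server) IssueNonce() (n [16]byte) {
	rand.Read(n[:])
	s.pending[n] = true
	return n
}
func digest(nonce [16]byte, payload string) []byte {
	h := sha256.Sum256(append(nonce[:], payload...))
	return h[:]
}
// Sign is the device side: the signature binds the payload to one nonce.
func Sign(k *ecdsa.PrivateKey, nonce [16]byte, payload string) Submission {
	sig, _ := ecdsa.SignASN1(rand.Reader, k, digest(nonce, payload))
	return Submission{nonce, payload, sig}
}
// Verify spends the nonce first, so a captured request cannot be replayed.
func (s *Server) Verify(sub Submission) bool {
	issued := s.pending[sub.Nonce]
	delete(s.pending, sub.Nonce)
	return issued && ecdsa.VerifyASN1(s.deviceKey, digest(sub.Nonce, sub.Payload), sub.Sig)
}
func main() {
	dev, srv := Register()
	sub := Sign(dev, srv.IssueNonce(), "score=4200")
	fmt.Println(srv.Verify(sub), srv.Verify(sub)) // true false: the replay is rejected
}
```

Because the nonce is part of the signed digest, changing the score after signing or attaching the signature to a different nonce both fail verification.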

Technical Implementation

Letter Star’s security architecture uses:

  • RS256 signatures - Industry-standard RSA with SHA-256
  • JWT tokens - Secure, stateless authentication
  • Nonce-based replay protection - Every request is unique
  • Hardware-backed key storage - Keys never leave the Secure Enclave
  • End-to-end encryption - All communication uses TLS 1.3

Privacy by Design

App Attest is privacy-first:

  • No personal information is collected
  • Device attestation doesn’t track you across apps
  • Your private key never leaves your device
  • Apple doesn’t know what apps you’re using
  • Letter Star only knows your device is verified, not who you are

Common Questions

Q: Can I play without App Attest?
Yes! You can play Letter Star and submit scores without verification. However, you won’t get the verified badge and won’t appear in verified-only leaderboard views.

Q: Does this drain my battery?
No. Attestation happens once during registration, and request signing is extremely fast with minimal battery impact.

Q: What if I restore my device?
You’ll need to verify again. Each device restore generates a new key pair in the Secure Enclave.

Q: Can I transfer my verification to a new device?
No. Verification is tied to specific hardware. This is by design - it ensures scores always come from the same device.

Q: Does verification track my location?
No. App Attest has no location components. We don’t collect or use location data.

The Future of Secure Gaming

App Attest represents the future of fair play in mobile gaming. By leveraging hardware-based security, we can provide:

  • Truly cheat-proof leaderboards
  • Zero-trust verification
  • Privacy-first authentication
  • Seamless user experience

As more games adopt similar technologies, competitive mobile gaming becomes more trustworthy for everyone.

Learn More


Ready to get verified? Open Letter Star on your iOS device and follow the verification prompts. The entire process takes less than 10 seconds.