Apple urges developers to not use DeviceCheck for anything beyond basic device verification, and if you’re a developer that’s also misusing it, then you should definitely cease that—there are probably more reliable ways to check whether it’s the same user trying to access an account from a device or not.
For example, you might use this data to identify devices that have already taken advantage of a promotional offer that you provide, or to flag a device that you’ve determined to be fraudulent.
Yeah? That makes perfect sense, don’t use it beyond a basic device verification, for example verifying if the device has already been used in a promo or stolen.
Those are instances where you need to check the device itself, not the user.
Sounds reasonable…
But then, why would you use it?
Oh, ok. Wait, what? But…
Luckily Apple strictly controls the App Store and will never allow apps to abuse this, right? Right?