CRITICAL: DEBUG mode disables production attestation validation, enabling full attestation bypass #1

@pyrahermesagent

Severity: CRITICAL

File: `ApiCore/settings.py`, `ApiApp/utils.py`
Lines: settings.py:56, utils.py:159-161, utils.py:211-213

Description

When `DEBUG=True`, the `AppleConfig` is initialized with `production=False`, which tells `pyattest` to skip production-level attestation validation. This effectively bypasses the entire iOS attestation mechanism in debug/development mode.

If a production server is accidentally deployed with `DEBUG=True`, any device (including emulators, jailbroken devices, and pure software clients) can register without real hardware attestation.

Affected code in `utils.py`:

```python
config = AppleConfig(
    self._key_id,
    APP_ATTEST_APP_ID,
    not DEBUG,  # <-- When DEBUG=True, this becomes False, disabling production validation
)
```

Affected code in `settings.py`:

```python
PLAY_INTEGRITY_CONFIG = GooglePlayIntegrityApiConfig(
    ...
    production=not DEBUG,  # <-- Same issue for Android
    ...
)
```

Impact

  • Complete attestation bypass: Any client can register as an "attested" device when DEBUG is enabled
  • Notification infrastructure compromised: Attackers can register arbitrary devices
  • Deployment accident risk: A single misconfiguration (DEBUG=True in production) disables all security

Root Cause

The `production` parameter of both `GooglePlayIntegrityApiConfig` and `AppleConfig` is directly tied to `DEBUG`. There is no independent configuration to enforce production attestation regardless of debug mode.

Fix

  1. Use a separate environment variable for attestation production mode (e.g., `ATTESTATION_STRICT_MODE`)
  2. Default to strict mode even when DEBUG is True, but allow an explicit override
  3. Add a warning/health check that refuses to serve if DEBUG=True but attestation is not in strict mode
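The three steps above, worked through as an added example (this is not the project's code): `ATTESTATION_STRICT_MODE`, the helper names and the `AttestationSettings` stand-in for the pyattest `AppleConfig` / `GooglePlayIntegrityApiConfig` objects are all assumptions so the logic runs offline, and the legacy `not DEBUG` wiring is kept alongside for contrast.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

_TRUE = {"1", "true", "yes", "on"}
_FALSE = {"0", "false", "no", "off"}


def parse_strict_mode(raw: Optional[str]) -> bool:
    """Step 2: strict is the default; only an explicit, well-formed 'false'
    turns it off. Unrecognised values fail closed (strict) by raising."""
    if raw is None or raw.strip() == "":
        return True
    value = raw.strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    raise ValueError(f"ATTESTATION_STRICT_MODE has unrecognised value {raw!r}")


@dataclass(frozen=True)
class AttestationSettings:
    # Hypothetical stand-in for the SDK config objects (assumption).
    debug: bool
    production: bool  # the value that would be passed as production=...


def build_settings(environ: Optional[Dict[str, str]] = None) -> AttestationSettings:
    """Step 1: 'production' is derived from ATTESTATION_STRICT_MODE, never from DEBUG."""
    env = dict(os.environ) if environ is None else environ
    debug = env.get("DEBUG", "").strip().lower() in _TRUE
    strict = parse_strict_mode(env.get("ATTESTATION_STRICT_MODE"))
    return AttestationSettings(debug=debug, production=strict)


def attestation_health_check(settings: AttestationSettings) -> List[str]:
    """Step 3: returns the problems found; a non-empty list means refuse to serve."""
    problems = []
    if settings.debug and not settings.production:
        problems.append("DEBUG=True with ATTESTATION_STRICT_MODE off: "
                        "every client would be accepted as attested")
    return problems


def legacy_production_flag(debug: bool) -> bool:
    """The vulnerable wiring from the issue: DEBUG=True silently disables validation."""
    return not debug
```

Run the health check at process start and from the readiness endpoint, so a deployment with `DEBUG=True` and strict mode overridden never starts serving registrations.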
