Skip to content

APNS P8 Key

Service Name: Apple Push Notification Service

Service Description: Apple Push Notification service (APNs) is Apple's cloud service that enables third-party application developers to send push notifications to iOS, iPadOS, macOS, watchOS, and tvOS devices.

Service Address: https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server

Validation Type: API Auth

IP Allow list: Does not exist

Secret Access Scope: Grants the ability to send push notifications to Apple devices through the Apple Push Notification service. The P8 key specifically is a token-based authentication method that replaced the older certificate-based method.

Secret Revokement URL: https://developer.apple.com/account/resources/authkeys/list

Secret Example: MIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgPaXyFvZfNydDEjxgjUCUxyGjXcQxiulEdGxoVbasV3GgCgYIKoZIzj0DAQehRANCAASLTGMPm7YgCqh0S1qQtqy71Qu4pWa8XQK+jzYvdKGq0/0+kMHwdJHvVQONMtA3f1mg2xaQP1QYkHKUfyRuZ2Hd

Suspicious Activity Investigation Instructions:

  • Review Apple Developer account for unauthorized key creation or modifications
  • Check APNs logs for unusual notification patterns or volumes
  • Monitor for unexpected push notifications being sent to user devices
  • Review application server logs for unauthorized APNs API calls
  • Verify if the compromised key is being used from unexpected IP addresses or locations

Mitigation Instructions:

  • Log in to your Apple Developer account at https://developer.apple.com/account/
  • Navigate to "Certificates, Identifiers & Profiles" section
  • Select "Keys" from the left sidebar
  • Locate the compromised P8 key
  • Click the "Revoke" button next to the key
  • Confirm the revocation
  • Generate a new P8 key for your application
  • Update your server configuration with the new key
  • Verify that push notifications are working correctly with the new key