Skip to content

Apple Push Notification Key

Service Name: Apple Push Notification Service (APNs)

Service Description: Apple Push Notification service (APNs) is a platform notification service that enables third-party app developers to send notification data to applications installed on Apple devices.

Service Address: https://developer.apple.com/notifications/

Validation Type: API Auth

IP Allow list: Does not exist at the key level, but Apple maintains a list of IP addresses for APNs servers that you should whitelist.

Secret Access Scope: Grants the ability to send push notifications to iOS, iPadOS, macOS, tvOS, and watchOS devices through Apple's Push Notification service.

Secret Revokement URL: https://developer.apple.com/account/resources/authkeys/list

Secret Example: MIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgPaXyFvZfNydDEjxgjUCUxyGjXc QxiulEdGxoVbasV3GgCgYIKoZIzj0DAQehRANCAASLvYXL3HE1PxCM2qAzA6iUUwVmvKGRvafB4 KpVhbnrtuSXwruUGXMNRIr3K5UA6odCPsxB5U9CG0cKZdWvtw3X

Suspicious Activity Investigation Instructions:

  • Review APNs feedback service for delivery failures or errors
  • Check your app's server logs for unusual notification sending patterns
  • Monitor Apple Developer account for unauthorized key creation or modifications
  • Analyze notification sending metrics for unexpected spikes or patterns
  • Review device token registrations for suspicious patterns

Mitigation Instructions:

  • Log in to your Apple Developer account at

https://developer.apple.com/account/

  • Navigate to "Certificates, Identifiers & Profiles" section
  • Select "Keys" from the left sidebar
  • Locate the compromised key in the list
  • Click on the key and select "Revoke"
  • Confirm the revocation
  • Generate a new key for your application
  • Update your server configuration with the new key
  • Deploy the updated configuration to your notification servers
  • Verify that notifications are working properly with the new key