Jamie Bowser - A Touch(ID) of iOS Security
TRANSCRIPT
Copyright © 2015, Cigital
A Touch(ID) of iOS Security
About me…
• Cigital (3 years)
  • Technical Strategist - Mobile (iOS)
  • Sr. Consultant (iOS Tooling)
  • Consultant (MDM Implementation and iOS Security guidelines)
• KeyBank (12+ years)
  • Application Security Program Owner (web, mobile, mainframe)
  • Java Web Developer (external and internal sites)
• Other (x+y/z years)
  • NASA UNIX Administrator / Web administrator
  • Developer
  • iOS Developer (Touch Unlock by: Reconditorium Limited)
Presentation Scope
• In
  • Use of Touch ID in third-party applications
  • How to spot Local Authentication
  • Bypass-ability
• Out
  • Apple Pay Usage
  • iOS (Apple) Usage
TOUCHID OVERVIEW
What really is TouchID?
• Touch ID is Apple's biometric fingerprint authentication technology.
• Reads the fingerprint and stores a “mathematical representation” of the fingerprint in the “Secure Enclave”
  • The Secure Enclave is a “walled off architecture”, separated from the rest of the device hardware
  • Able to store multiple fingerprint representations
• Client Side Authentication
  • Biometric
  • Possible form of Second Factor Authentication
TouchID Architecture
• Changed with each major release of iOS since it was released
  • Getting better?
• Currently 3 options to discuss
  • Option 1 – iOS 7 Release - Initial TouchID release
  • Option 2 – iOS 8 Release
  • Option 3 – iOS 9 Release
TouchID Architecture – Release 1
• Architecture is not visible to iOS Applications – other than Apple’s Applications
[Diagram: TouchID Sensor → (hardware protected connection) → Secure Enclave, holding the Fingerprint Representation → Local Authentication API → Apple Applications only; Third-Party Applications have no path in]
Implementations – Release 1
• No Third-party Implementation Available
• No “Public” API
• Only Public API usage in Apple AppStore
TouchID Architecture – Release 2
• Architecture becomes visible to iOS Applications – in addition to Apple’s Applications
[Diagram: TouchID Sensor → (hardware protected connection) → Secure Enclave, holding the Fingerprint Representation → Local Authentication API → Apple Applications and Third-Party Applications]
Implementations – Release 2
• Typical Implementation (flow diagram):
  Start → Check Local Auth API → Get Token in Keychain → Authenticate → Place token in Keychain **
  Start → Use Token
** Add attribute to Keychain entry that ties it to having a passcode on the device – not really associated to TouchID
Implementations – Release 2
• Many Third-Party Application teams jumped in and implemented something
  • And have not updated it since…
TouchID Architecture – Release 3
• Architecture is visible to iOS Applications – in addition to Apple’s Applications (requires iOS 9.x)
[Diagram: TouchID Sensor → (hardware protected connection) → Secure Enclave, holding the Fingerprint Representation → Local Authentication API and Security Framework → Apple Applications and Third-Party Applications]
Implementations – Release 3
• Typical Implementation (flow diagram):
  Start → Check Local Auth API ** → Attempt to get token from Keychain → Authenticate → Place token in Keychain *
  Start → Use Token (triggers system checks)
* Add attribute to Keychain entry that ties it to having TouchID requirements
** Optional
Implementations – Release 3
• Does require iOS release restrictions on users
  • Not everybody updates
• Can detect the iOS version and fall back to a weaker implementation, but the result is only as strong as the weakest link
HOW TO SPOT LOCAL AUTHENTICATION
Doing Source Code Review?
Spotting Local Authentication

```objc
#import <LocalAuthentication/LocalAuthentication.h>

LAContext *context = [[LAContext alloc] init];
__block NSString *message;

// Show the authentication UI with our reason string.
[context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
        localizedReason:@"Unlock access to locked feature"
                  reply:^(BOOL success, NSError *authenticationError) {
    if (success) {
        message = @"evaluatePolicy: success";
    } else {
        message = [NSString stringWithFormat:@"evaluatePolicy: %@",
                   authenticationError.localizedDescription];
    }
    [self printMessage:message inTextView:self.textView];
}];
```
Spotting Local Authentication

```objc
#import <LocalAuthentication/LocalAuthentication.h>
#import <Security/Security.h>

CFErrorRef error = NULL;
LAContext *context = [[LAContext alloc] init];

// Access control: item readable only when a passcode is set on this device,
// and only after any enrolled fingerprint (*) or the application password.
SecAccessControlRef sacObject = SecAccessControlCreateWithFlags(
    kCFAllocatorDefault,
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
    kSecAccessControlTouchIDAny | kSecAccessControlApplicationPassword,
    &error);

NSData *secretPasswordTextData =
    [@"SECRET_PASSWORD_TEXT" dataUsingEncoding:NSUTF8StringEncoding];

NSDictionary *attributes = @{
    (__bridge id)kSecClass:                    (__bridge id)kSecClassGenericPassword,
    (__bridge id)kSecAttrService:              @"SampleService",
    (__bridge id)kSecValueData:                secretPasswordTextData,
    (__bridge id)kSecUseNoAuthenticationUI:    @YES,
    (__bridge id)kSecAttrAccessControl:        (__bridge_transfer id)sacObject,
    (__bridge id)kSecUseAuthenticationContext: context
};

OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attributes, NULL);
```

* kSecAccessControlTouchIDCurrentSet (alternative to kSecAccessControlTouchIDAny: the item is invalidated when the enrolled fingerprint set changes)
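The Release 3 flow from the earlier slide and the keychain snippet above, put together as an added example (this is not code from the slides; the service name and the function names are assumed): the token is stored behind a Secure Enclave access control, and the keychain read itself is what triggers the system Touch ID check.

```objc
// Added example, not from the presentation. Assumed names: kTokenService,
// touchIDAvailable, storeToken, loadToken.
#import <LocalAuthentication/LocalAuthentication.h>
#import <Security/Security.h>

static NSString *const kTokenService = @"com.example.touchid.token"; // assumed

// Returns NO on devices or iOS versions without a usable Touch ID policy, so
// the caller can fall back to a non-biometric login rather than a weaker item.
BOOL touchIDAvailable(void) {
    NSError *error = nil;
    return [[[LAContext alloc] init]
        canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
                    error:&error];
}

// Store the session token so it can only be read after the *currently*
// enrolled fingerprints pass; enrolling a new finger invalidates the item.
OSStatus storeToken(NSData *token) {
    CFErrorRef error = NULL;
    SecAccessControlRef sac = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        kSecAccessControlTouchIDCurrentSet, &error);
    if (!sac) { return errSecParam; }
    NSDictionary *attrs = @{
        (__bridge id)kSecClass:             (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:       kTokenService,
        (__bridge id)kSecValueData:         token,
        (__bridge id)kSecAttrAccessControl: (__bridge_transfer id)sac,
    };
    // Replace any previous token for this service before adding the new one.
    SecItemDelete((__bridge CFDictionaryRef)@{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kTokenService });
    return SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
}

// Reading the item is what triggers the system Touch ID prompt; the decision
// is made by the Secure Enclave, not by a BOOL handed to an app-side block.
NSData *loadToken(NSString *reason, OSStatus *status) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:              (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:        kTokenService,
        (__bridge id)kSecReturnData:         @YES,
        (__bridge id)kSecUseOperationPrompt: reason,
    };
    CFTypeRef result = NULL;
    *status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    return (*status == errSecSuccess) ? (__bridge_transfer NSData *)result : nil;
}
```

When reviewing an app, the difference to look for is whether the secret is gated by kSecAttrAccessControl (Release 3 pattern) or only by kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly plus an evaluatePolicy: result (Release 2 pattern).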
TOUCHID BY-PASSING
TouchID By-passing
• When determining risk, consider the following:
  • Jailbroken Device
    • By-passable, both the API and Keychain Access Groups
    • Swizzle the API
    • Hook the Keychain API and remove the Access Group when inserting
  • SuccessID
    • Does not implement the Access Group removal
    • https://hexplo.it/successid-touchid-override-simulation/
  • Non-Jailbroken Device
    • By-passable using the API
    • Swizzle the API
Questions
email: [email protected]