
Touch ID and Face ID. Is It Secure?

Julia Potapenko
June 29, 2019


Transcript

  1. OWASP ZHYTOMYR. 29 JUNE 2019. JULIA POTAPENKO. TOUCH ID AND FACE ID. IS IT SECURE?
  2. OWASP ZHYTOMYR. 29 JUNE 2019. JULIA POTAPENKO. TOUCH ID AND FACE ID. IS IT SECURE? Cats Edition
  3. JULIA POTAPENKO • iOS Software Engineer at Stuzo • Mobile Dev Lead at WWCode Kyiv • Co-organizer of OWASP Zhytomyr • Speaker at OWASP, CocoaHeads, WWCode and WTM events
  4-5. WE WILL TALK ABOUT ★ Touch ID and Face ID ★ Secure Enclave ★ Keychain. How to do it? What can go wrong?
  6-7. TOUCH ID AND FACE ID: LOCAL AUTHENTICATION. Used to gate user-protected resources and protected actions.
  8. LOCAL AUTHENTICATION https://support.apple.com/en-us/HT204587 https://developer.apple.com/documentation/localauthentication

  9. SECURE ENCLAVE: CREATE AN EXTRA LAYER OF SECURITY FOR YOUR PRIVATE KEYS. https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave
  10. SECURE ENCLAVE • A part of A7 and newer chips • The Secure Enclave Processor (SEP) is separate from the Application Processor (AP) • It uses a dedicated region of the DRAM it shares with the AP; that region (TZ0) is encrypted and not accessible to the AP • The SEP runs its own OS
  11. SECURE ENCLAVE • Stores only 256-bit elliptic curve (P-256) private keys • Can't import preexisting keys: the key is generated inside the enclave, stays there, and you perform operations with it (signing, key agreement) through the Security framework; only the public key can ever be exported.
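The following is an added example (Swift, not code from the talk) of the workflow slides 9-11 describe: a P-256 key is generated inside the Secure Enclave, protected so that every use requires a biometric match, and then used to sign a server challenge. The application tag, the reason string and the nonce are hypothetical values chosen for this example.

```swift
import Foundation
import Security
import LocalAuthentication

// Added example, not code from the talk. The tag, reason string and nonce are hypothetical.
enum SEPKeyError: Error {
    case accessControl, keyGeneration, publicKeyExport
    case signing(Error?)
}

struct SecureEnclaveSigner {
    // Application tag the key is filed under in the keychain (hypothetical).
    private let tag = Data("com.example.sep-signing-key".utf8)

    /// Generate a P-256 private key inside the Secure Enclave. The flags make every
    /// use of the key require a passcode-protected device AND a match against the
    /// biometrics enrolled right now (.biometryCurrentSet).
    func createKey() throws -> SecKey {
        var cfError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            [.privateKeyUsage, .biometryCurrentSet],
            &cfError) else { throw SEPKeyError.accessControl }
        let attributes: [String: Any] = [
            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
            kSecAttrKeySizeInBits as String: 256,                    // the only size the enclave supports
            kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave, // generate it inside the SEP
            kSecPrivateKeyAttrs as String: [
                kSecAttrIsPermanent as String: true,
                kSecAttrApplicationTag as String: tag,
                kSecAttrAccessControl as String: access,
            ],
        ]
        guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &cfError) else {
            throw SEPKeyError.keyGeneration
        }
        return key
    }

    /// Fetch the key on a later launch. Attaching an LAContext lets us set the
    /// reason shown in the biometric prompt when the key is used.
    func loadKey(context: LAContext) -> SecKey? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassKey,
            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
            kSecAttrApplicationTag as String: tag,
            kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
            kSecUseAuthenticationContext as String: context,
            kSecReturnRef as String: true,
        ]
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
              let key = item else { return nil }
        return (key as! SecKey)
    }

    /// Only the public half ever leaves the enclave (X9.63 bytes, to register with the server).
    func publicKeyData(of privateKey: SecKey) throws -> Data {
        guard let pub = SecKeyCopyPublicKey(privateKey),
              let bytes = SecKeyCopyExternalRepresentation(pub, nil) else {
            throw SEPKeyError.publicKeyExport
        }
        return bytes as Data
    }

    /// Sign a server challenge. The biometric prompt is driven by the Secure Enclave
    /// itself; on a failed or cancelled match there is simply no signature to return,
    /// so there is no Bool in app memory for an attacker to flip.
    func sign(challenge: Data, with key: SecKey) throws -> Data {
        var cfError: Unmanaged<CFError>?
        guard let sig = SecKeyCreateSignature(
            key, .ecdsaSignatureMessageX962SHA256, challenge as CFData, &cfError) else {
            throw SEPKeyError.signing(cfError?.takeRetainedValue())
        }
        return sig as Data
    }
}

// Usage. The nonce is constructed here; a real backend sends a fresh random one per login.
func signInChallenge() throws -> (publicKey: Data, signature: Data) {
    let signer = SecureEnclaveSigner()
    let context = LAContext()
    context.localizedReason = "Sign in to Example Bank"   // hypothetical reason string
    let key = try signer.loadKey(context: context) ?? signer.createKey()
    let nonce = Data("server-nonce-0123456789abcdef".utf8)
    return (try signer.publicKeyData(of: key), try signer.sign(challenge: nonce, with: key))
}
```

Because the key is created with `.biometryCurrentSet`, it can no longer be used once a fingerprint is added or removed or Face ID is re-enrolled; the app then has to fall back to a full login and register a freshly generated public key with the backend, which is the intended behaviour rather than a bug.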
  12. • Biometry is stored on the device as a mathematical representation • It is encrypted with a key available only to the Secure Enclave • Biometry data is used by the Secure Enclave only • It can't be accessed by the OS or any application
  13-14. LocalAuthentication • Specify a particular policy and user message • The framework coordinates with the Secure Enclave • Validation returns a boolean value. WARNING: that boolean is the only result the app receives, and it lives in the app's own memory, not in the Secure Enclave.
  15-18. LocalAuthentication, the pattern discussed in https://nvisium.com/blog/2016/06/22/dont-touch-me-that-way.html (Objective-C):

    LAContext *myContext = [[LAContext alloc] init];
    NSError *authError = nil;
    NSString *myLocalizedReasonString = @"For Securing App with TouchID";
    if ([myContext canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&authError]) {
        [myContext evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
                  localizedReason:myLocalizedReasonString
                            reply:^(BOOL success, NSError *error) {
            if (success) {
                // User authenticated successfully
            } else {
                // User failed to authenticate successfully
            }
        }];
    } else {
        // Could not evaluate policy
    }

    VULNERABLE AGAINST REVERSE ENGINEERS: the only thing between an attacker and the protected code is the BOOL `success` handed to the reply block. On a jailbroken device a hooking tool can force that value to YES, and the linked nVisium post shows a USABLE PAYLOAD that does exactly this.
  19. KEYCHAIN

  20. KEYCHAIN • A database storing encrypted items • Good for storing passwords, tokens, not for files • Each item is encrypted with keys derived from the device secret (UID) and, depending on its class, the passcode; access can additionally require biometry • Items become available once the user has unlocked the device, subject to the item's accessibility class (e.g. kSecAttrAccessibleWhenUnlocked vs. kSecAttrAccessibleAfterFirstUnlock)
  22-23. THE CORRECT FLOW EXAMPLE • The user secret is stored in the Keychain. • When the protected action is triggered, the Keychain item is unlocked with Touch ID to get the secret. • The backend (BE) must require that secret with every protected action and reject the request without it, so a client that skips the biometric prompt gains nothing. WHAT ELSE CAN GO WRONG?
  24-25. KEYCHAIN • Accessibility and authentication rules are expressed with a SecAccessControlRef • kSecAccessControlTouchIDAny (since iOS 11.3: kSecAccessControlBiometryAny) – any enrolled fingerprint or face unlocks the item • kSecAccessControlTouchIDCurrentSet (since iOS 11.3: kSecAccessControlBiometryCurrentSet) – only the set enrolled when the item was saved. If that set changes (a fingerprint is added or removed, Face ID is re-enrolled), the item is invalidated: it can no longer be read, and the app must re-create it after the user authenticates some other way.
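The following is an added example (Swift, not code from the talk) that puts the correct flow of slides 22-23 and the access-control flags of slide 25 together, and is the hardened counterpart of the boolean check in slides 15-18. The secret is kept in a keychain item protected with `.biometryCurrentSet`; reading it triggers the biometric prompt, and the protected request carries the secret so that the backend, not the client, enforces the check. Service name, account, URL and the request shape are hypothetical.

```swift
import Foundation
import Security
import LocalAuthentication

// Added example, not code from the talk. Service name, account and URL are hypothetical.
enum SecretStoreError: Error {
    case accessControl
    case notFoundOrInvalidated   // never stored, or invalidated by a biometry change
    case userCancelled
    case osStatus(OSStatus)
}

/// Keeps the user secret (e.g. a token the backend issued after a full login) in a
/// keychain item that is only released after a successful Touch ID / Face ID match
/// against the currently enrolled set.
struct BiometricSecretStore {
    private let service = "com.example.app.protected-action"   // hypothetical
    private let account: String

    init(account: String) { self.account = account }

    private var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    func store(secret: Data) throws {
        // WhenPasscodeSetThisDeviceOnly: no passcode, no item, and it never migrates via backup.
        // biometryCurrentSet: the item is invalidated if the enrolled fingerprints / face change.
        guard let access = SecAccessControlCreateWithFlags(
            nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, .biometryCurrentSet, nil)
        else { throw SecretStoreError.accessControl }
        _ = SecItemDelete(baseQuery as CFDictionary)   // replace any previous item
        var attrs = baseQuery
        attrs[kSecValueData as String] = secret
        attrs[kSecAttrAccessControl as String] = access
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw SecretStoreError.osStatus(status) }
    }

    /// Reading triggers the biometric prompt. There is no Bool to hook: either the
    /// bytes are released or the call fails.
    func read(reason: String) throws -> Data {
        let context = LAContext()
        context.localizedReason = reason
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecUseAuthenticationContext as String] = context
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        switch status {
        case errSecSuccess:      return result as! Data
        case errSecItemNotFound: throw SecretStoreError.notFoundOrInvalidated
        case errSecUserCanceled: throw SecretStoreError.userCancelled
        default:                 throw SecretStoreError.osStatus(status)
        }
    }
}

/// The protected action. The secret travels with the request, and the backend
/// rejects any request that lacks it, so bypassing the prompt on the client
/// yields a request the server will refuse.
func protectedTransferRequest(store: BiometricSecretStore, amount: Int, to iban: String) throws -> URLRequest {
    let secret = try store.read(reason: "Confirm transfer of \(amount)")
    var request = URLRequest(url: URL(string: "https://api.example.com/transfers")!)  // hypothetical
    request.httpMethod = "POST"
    request.setValue("application/json", forHTTPHeaderField: "Content-Type")
    request.setValue("Bearer " + secret.base64EncodedString(), forHTTPHeaderField: "Authorization")
    request.httpBody = try JSONSerialization.data(withJSONObject: ["amount": amount, "to": iban])
    return request
}
```

Both `notFoundOrInvalidated` cases (the item was never stored, or it was invalidated because the biometric set changed) should be handled the same way: send the user through the full login again and call `store(secret:)` with the new secret. Treating an invalidated item as "no biometry, just proceed" would reopen the bypass the flow is meant to close.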
  27. ANY VULNERABILITIES IN SECURE ENCLAVE?

  28-29. HACKER CLAIMS TO HAVE DECRYPTED SECURE ENCLAVE https://twitter.com/xerub/status/897896081874329600
  30. Apple Secure Enclave Processor Hack Explained https://youtu.be/ei6NWGfRs2o • What was published is the firmware decryption key for the iPhone 5s SEP only; it lets researchers analyse the SEP firmware, not read user keys or biometric data
  31-32. IS IT SECURE? ★ The chance that someone else's fingerprint will unlock your device is 1 in 50 000 (with one enrolled finger) ★ For Face ID it is 1 in 1 000 000 (Apple notes the odds are worse for twins, similar-looking siblings and children under 13) ★ To compare: one random guess at a 4-digit passcode succeeds 1 in 10 000 times, at a 6-digit passcode 1 in 1 000 000 ★ Both biometrics allow only five failed match attempts before the passcode is required https://images.apple.com/business/docs/FaceID_Security_Guide.pdf
  33. TOUCH ID AND FACE ID ARE VULNERABLE AGAINST TARGETED ATTACKS, i.e. a presentation attack crafted for one specific victim, which the random-match odds say nothing about https://youtu.be/2u4ZLGsw1zo
  35. WHERE TO GO NEXT
    OWASP MSTG – Testing Local Authentication https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06f-Testing-Local-Authentication.md
    iOS Security Guide https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf
    WWDC 14 – Keychain and Authentication with Touch ID https://devstreaming-cdn.apple.com/videos/wwdc/2014/711xx6j5wzufu78/711/711_keychain_and_authentication_with_touch_id.pdf
    David Lindner – Don't Touch Me That Way https://nvisium.com/blog/2016/06/22/dont-touch-me-that-way.html
  36. OTHER TALKS https://speakerdeck.com/julep/owasp-mstg-in-real-life https://speakerdeck.com/julep/owasp-mstg-when-authentication-goes-wrong https://www.facebook.com/julia.potapenko.16 https://t.me/OWASP_ZHYTOMYR_CHAT

  37. THANK YOU!