
Touch ID and Face ID. Is It Secure?

Julia Mezher
June 29, 2019



  1. JULIA POTAPENKO
    • iOS Software Engineer at Stuzo
    • Mobile Dev Lead at WWCode Kyiv
    • Co-organizer of OWASP Zhytomyr
    • Speaker at OWASP, CocoaHeads, WWCode and WTM events
  2–3. WE WILL TALK ABOUT
    ★ Touch ID and Face ID
    ★ Secure Enclave
    ★ Keychain
    How to do it? What can go wrong?

  4. PRIVATE KEYS.
    https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave
  5. SECURE ENCLAVE
    • A part of A7 and newer chips
    • The Secure Enclave Processor (SEP) is separate from the Application Processor (AP)
    • Shares RAM with the AP, but the SEP's region of it is encrypted (TZ0)
    • The SEP has its own OS
  6. SECURE ENCLAVE
    • Stores only 256-bit elliptic curve private keys
    • Can't import pre-existing keys
    You can create a private key, store it, and perform operations on it; the key itself never leaves the Secure Enclave.
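An added example, written in Swift for this page (it is not code from the deck, and the application tag is an assumed placeholder), showing the three things slide 6 describes: creating a 256-bit P-256 private key that lives in the Secure Enclave, loading the reference to it later, and performing a signing operation with it while the key material itself stays inside the SEP. The access-control flag `.biometryCurrentSet` is the current name of the `kSecAccessControlTouchIDCurrentSet` rule the deck uses later, so the Secure Enclave asks for Touch ID / Face ID before signing.

```swift
import Foundation
import Security

// Added example, not from the deck. "com.example.app.sekey" is a hypothetical tag.
enum SecureEnclaveKey {
    static let tag = "com.example.app.sekey".data(using: .utf8)!

    // Create the key inside the Secure Enclave. Only a reference is returned;
    // the private scalar cannot be exported, and existing keys cannot be imported.
    static func create() throws -> SecKey {
        var error: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            [.privateKeyUsage, .biometryCurrentSet],   // biometry must pass before each private-key use
            &error) else {
            throw error!.takeRetainedValue() as Error
        }
        let attributes: [String: Any] = [
            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
            kSecAttrKeySizeInBits as String: 256,              // the SEP supports only 256-bit EC keys
            kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
            kSecPrivateKeyAttrs as String: [
                kSecAttrIsPermanent as String: true,           // persist the reference in the keychain
                kSecAttrApplicationTag as String: tag,
                kSecAttrAccessControl as String: access
            ]
        ]
        guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
            throw error!.takeRetainedValue() as Error
        }
        return key
    }

    // Fetch the stored key reference on a later launch.
    static func load() throws -> SecKey {
        let query: [String: Any] = [
            kSecClass as String: kSecClassKey,
            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
            kSecAttrApplicationTag as String: tag,
            kSecReturnRef as String: true
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status == errSecSuccess, let key = item else {
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
        }
        return key as! SecKey
    }

    // Sign inside the SEP. Because of .biometryCurrentSet the system shows the
    // Touch ID / Face ID prompt here; if biometrics were re-enrolled, signing fails.
    static func sign(_ data: Data, with key: SecKey) throws -> Data {
        var error: Unmanaged<CFError>?
        guard let signature = SecKeyCreateSignature(
            key, .ecdsaSignatureMessageX962SHA256, data as CFData, &error) else {
            throw error!.takeRetainedValue() as Error
        }
        return signature as Data
    }

    // Only the public half is exportable; a server holding it can verify the same way.
    static func verify(_ signature: Data, for data: Data, with key: SecKey) -> Bool {
        guard let publicKey = SecKeyCopyPublicKey(key) else { return false }
        return SecKeyVerifySignature(
            publicKey, .ecdsaSignatureMessageX962SHA256,
            data as CFData, signature as CFData, nil)
    }
}
```

Design note: a signature produced this way is evidence that the user passed biometry on this specific device at this moment, which is stronger than a client-side boolean because the verifier checks the signature rather than trusting the app's control flow. `create()` fails on devices with no Secure Enclave or no enrolled biometrics, so callers should handle the thrown error rather than assume the key exists.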
  7. • Biometry is stored on the device as a mathematical representation
    • It is encrypted with a private key stored in the Secure Enclave
    • Biometry data is used by the Secure Enclave only
    • It can't be accessed by the OS or any application
  8–9. LocalAuthentication
    • Specify a particular policy and user message
    • The framework coordinates with the Secure Enclave
    • Validation returns a boolean value
    WARNING
  10–13. LocalAuthentication

    #import <LocalAuthentication/LocalAuthentication.h>

    LAContext *myContext = [[LAContext alloc] init];
    NSError *authError = nil;
    NSString *myLocalizedReasonString = @"For Securing App with TouchID";

    if ([myContext canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
                               error:&authError]) {
        [myContext evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
                  localizedReason:myLocalizedReasonString
                            reply:^(BOOL success, NSError *error) {
            // The whole authorization decision is this app-side BOOL; nothing
            // the backend or the Keychain sees depends on it.
            if (success) {
                // User authenticated successfully
            } else {
                // User failed to authenticate successfully
            }
        }];
    } else {
        // Could not evaluate policy
    }

    Source: https://nvisium.com/blog/2016/06/22/dont-touch-me-that-way.html
    VULNERABLE AGAINST REVERSE ENGINEERS
    USABLE PAYLOAD
  14. KEYCHAIN
    • A database storing encrypted items
    • Good for storing passwords and tokens, not for files
    • Each item is protected by the passcode/biometry and a device secret
    • Keychain items are available when the user authenticates to the device
  15–16. THE CORRECT FLOW EXAMPLE
    • The user secret is stored in the Keychain.
    • When the protected action is triggered, the Keychain should be unlocked with Touch ID to get the secret.
    • The backend (BE) should require the client to include that secret when the protected action is performed.
    WHAT ELSE CAN GO WRONG?
  17. KEYCHAIN
    • Accessibility and authentication rules: SecAccessControlRef
    • kSecAccessControlTouchIDAny – use any of the registered fingerprints
    • kSecAccessControlTouchIDCurrentSet – use the set of fingerprints that was enrolled when the data was saved to the Keychain. If the current set changes, the Touch ID evaluation fails.
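An added example in Swift, written for this page rather than taken from the deck, that puts slides 15–17 together and contrasts them with the boolean-only check of slides 10–13: the per-user secret is stored under a `SecAccessControl` rule bound to the currently enrolled biometrics, read back only after the Keychain itself has run the Touch ID / Face ID prompt, and then attached to the request for the backend to verify. The service name, account name, header name and endpoint are assumptions for illustration.

```swift
import Foundation
import Security
import LocalAuthentication

// Added example, not from the deck. Names below are hypothetical.
enum ProtectedSecret {
    static let service = "com.example.app.protected-action"
    static let account = "user-secret"

    // Store the secret once. .biometryCurrentSet is the modern spelling of
    // kSecAccessControlTouchIDCurrentSet: if fingerprints or the enrolled face
    // change, the item becomes unreadable instead of silently staying valid.
    static func store(_ secret: Data) -> OSStatus {
        var error: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            nil,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,   // no passcode, no item
            .biometryCurrentSet,
            &error) else {
            return errSecParam
        }
        let lookup: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account
        ]
        _ = SecItemDelete(lookup as CFDictionary)     // replace any earlier copy
        var add = lookup
        add[kSecAttrAccessControl as String] = access
        add[kSecValueData as String] = secret
        return SecItemAdd(add as CFDictionary, nil)
    }

    // Read the secret. The Keychain, not app code, performs the biometric check:
    // SecItemCopyMatching returns the data only after the user passes. There is
    // no success BOOL in the app for a reverse engineer to flip, because without
    // the secret the backend will reject the action anyway.
    static func read(reason: String) throws -> Data {
        let context = LAContext()
        context.localizedReason = reason
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecUseAuthenticationContext as String: context,
            kSecReturnData as String: true
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status == errSecSuccess, let data = item as? Data else {
            // errSecUserCanceled, errSecAuthFailed and errSecItemNotFound all land here
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
        }
        return data
    }

    // Build the protected request. The backend must check the secret server-side;
    // a client that omits or fakes it is refused there regardless of UI state.
    static func makeRequest(to url: URL, body: Data) throws -> URLRequest {
        let secret = try read(reason: "Confirm this action")
        var request = URLRequest(url: url)
        request.httpMethod = "POST"
        request.setValue(secret.base64EncodedString(),
                         forHTTPHeaderField: "X-Action-Secret")   // assumed header name
        request.httpBody = body
        return request
    }
}
```

Usage: call `store(_:)` once after the user opts in (it fails with `errSecAuthFailed` if no biometrics are enrolled, so surface that rather than falling back to an unprotected item), and build every protected request through `makeRequest(to:body:)`. Because the secret is what the backend validates, a patched `success` branch or a hooked `evaluatePolicy` reply gains an attacker nothing; only a real biometric match releases the item.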
  18–19. IS IT SECURE?
    ★ The chance that someone else's fingerprint will unlock your device is 1 in 50 000
    ★ For Face ID it is 1 in 1 000 000
    ★ To compare: a 4-digit passcode has a 1 in 10 000 chance, while a 6-digit passcode has 1 in 1 000 000
    https://images.apple.com/business/docs/FaceID_Security_Guide.pdf
  20. WHERE TO GO NEXT
    OWASP MSTG – Testing Local Authentication
    https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06f-Testing-Local-Authentication.md
    iOS Security Guide
    https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf
    WWDC 14 – Keychain and Authentication with Touch ID
    https://devstreaming-cdn.apple.com/videos/wwdc/2014/711xx6j5wzufu78/711/711_keychain_and_authentication_with_touch_id.pdf
    David Lindner – Don't Touch Me That Way
    https://nvisium.com/blog/2016/06/22/dont-touch-me-that-way.html