JULIA POTAPENKO • iOS Software Engineer at Stuzo • Mobile Dev Lead at WWCode Kyiv • Co-organizer of OWASP Zhytomyr • Speaker at OWASP, CocoaHeads, WWCode and WTM events
SECURE ENCLAVE CREATE AN EXTRA LAYER OF SECURITY FOR YOUR PRIVATE KEYS. https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/ storing_keys_in_the_secure_enclave
SECURE ENCLAVE • A part of A7 and newer chips • Secure Enclave Processor (SEP) is separate from Application Processor (AP) • Shares the RAM with AP but encrypted (TZ0) • SEP has its own OS
SECURE ENCLAVE • Stores only 256-bit elliptic curve private keys • Can’t import preexisting keys You can create private key, store it and perform operations on it.
• Biometry is stored on device as mathematical representation • It is encrypted with a private key stored in Secure Enclave • Biometry data is used by Secure Enclave only • It can’t be accessed by OS or any application
LocalAuthentication • Specify a particular policy and user message • The framework coordinates with Secure Enclave • Validation returns boolean value WARNING
KEYCHAIN • A database storing encrypted items • Good for storing passwords, tokens, not for files • Each item is protected by passcode/biometry and device secret • Keychain items are available when user authenticates to the device
THE CORRECT FLOW EXAMPLE • The user secret is stored in Keychain. • When the protected action is triggered, Keychain should be unlocked with Touch ID to get the secret. • BE should enforce the client to include that secret when the protected action is performed.
THE CORRECT FLOW EXAMPLE • The user secret is stored in Keychain. • When the protected action is triggered, Keychain should be unlocked with Touch ID to get the secret. • BE should enforce the client to include that secret when the protected action is performed. WHAT ELSE CAN GO WRONG?
KEYCHAIN • Accessibility and authentication rules SecAccessControlRef • kSecAccessControlTouchIDAny – Use any of the registered fingerprints • kSecAccessControlTouchIDCurrentSet – Use the current set of fingerprints when data saved to keychain. If current set changes, the TouchID evaluation fails.
IS IT SECURE? ★ Chance that someone else fingerprint will unlock you device is 1 in 50 000 ★ For Face ID it is 1 in 1 000 000 https://images.apple.com/business/docs/FaceID_Security_Guide.pdf
IS IT SECURE? ★ Chance that someone else fingerprint will unlock you device is 1 in 50 000 ★ For Face ID it is 1 in 1 000 000 ★ To compare: 4 digit passcode has 1 in 10 000 chance while 6 digit passcode has 1 in 1 000 000 https://images.apple.com/business/docs/FaceID_Security_Guide.pdf
WHERE TO GO NEXT OWASP MSTG – Testing Local Authentication https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06f-Testing-Local- Authentication.md iOS Security Guide https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf WWDC 14 – Keychain and Authentication with Touch ID https://devstreaming-cdn.apple.com/videos/wwdc/ 2014/711xx6j5wzufu78/711/711_keychain_and_authentication_with_touch_id.pdf David Lindner – Don’t Touch Me That Way https://nvisium.com/blog/2016/06/22/dont-touch-me-that-way.html
julep
malarkey
holman
cromwellryan
carmenintech
panda_program
mthomps
smashingmag
jponch
chriscoyier
marcelosomers
lara
geoffreycrofte