Slide 1

Slide 1 text

OWASP ZHYTOMYR. 29 JUNE 2019. JULIA POTAPENKO TOUCH ID AND FACE ID IS IT SECURE?

Slide 2

Slide 2 text

OWASP ZHYTOMYR. 29 JUNE 2019. JULIA POTAPENKO TOUCH ID AND FACE ID IS IT SECURE? Cats Edition

Slide 3

Slide 3 text

JULIA POTAPENKO • iOS Software Engineer at Stuzo • Mobile Dev Lead at WWCode Kyiv • Co-organizer of OWASP Zhytomyr • Speaker at OWASP, CocoaHeads, WWCode and WTM events

Slide 4

Slide 4 text

WE WILL TALK ABOUT ★ Touch ID and Face ID ★ Secure Enclave ★ Keychain

Slide 5

Slide 5 text

WE WILL TALK ABOUT ★ Touch ID and Face ID ★ Secure Enclave ★ Keychain How to do it? What can go wrong?

Slide 6

Slide 6 text

TOUCH ID AND FACE ID LOCAL AUTHENTICATION

Slide 7

Slide 7 text

TOUCH ID AND FACE ID LOCAL AUTHENTICATION USER PROTECTED RESOURCES PROTECTED ACTIONS

Slide 8

Slide 8 text

LOCAL AUTHENTICATION https://support.apple.com/en-us/HT204587 https://developer.apple.com/documentation/localauthentication

Slide 9

Slide 9 text

SECURE ENCLAVE CREATE AN EXTRA LAYER OF SECURITY FOR YOUR PRIVATE KEYS. https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave

Slide 10

Slide 10 text

SECURE ENCLAVE • Part of the A7 and newer chips • The Secure Enclave Processor (SEP) is separate from the Application Processor (AP) • Shares RAM with the AP, but its memory region is encrypted (TZ0) • The SEP runs its own OS

Slide 11

Slide 11 text

SECURE ENCLAVE • Stores only 256-bit elliptic curve private keys • Can’t import preexisting keys. You can create a private key, store it, and perform operations on it.
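The create-store-sign flow from this slide, as an added example written for this page (in Swift, not the deck's Objective-C, and not code from the talk). It generates a 256-bit EC key inside the Secure Enclave, signs a message with it, and verifies the signature with the exported public key, which is the only half that can leave the SEP. The key label, the access-control choice (passcode set, current biometric set) and the function names are assumptions, not something the slides specify.

```swift
import Foundation
import Security
import LocalAuthentication

// Hypothetical label used to find the key again later (not from the slides).
let secureEnclaveKeyLabel = "com.example.app.se-signing-key"

enum SecureEnclaveError: Error {
    case unavailable(String)
}

/// Creates a P-256 private key inside the Secure Enclave. Only a reference
/// to the key is handed back; the private scalar never reaches the app.
func makeSecureEnclaveKey(label: String) throws -> SecKey {
    var error: Unmanaged<CFError>?

    // Assumed policy: the key exists only while a passcode is set, and it is
    // bound to the biometric set enrolled now (re-enrolment invalidates it).
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        [.privateKeyUsage, .biometryCurrentSet],
        &error) else {
        throw error!.takeRetainedValue()
    }

    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,          // the only size the SEP supports
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,        // persist it in the Keychain
            kSecAttrLabel as String: label,
            kSecAttrAccessControl as String: access
        ]
    ]

    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw error!.takeRetainedValue()
    }
    return key
}

/// Signs a message with the SEP key. The SEP performs the ECDSA operation after
/// the user passes biometry; the app only ever sees the resulting signature.
func signWithSecureEnclave(_ message: Data, key: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(
        key, .ecdsaSignatureMessageX962SHA256, message as CFData, &error) else {
        throw error!.takeRetainedValue()
    }
    return signature as Data
}

/// Exports the public key (X9.63 point) so a backend can verify signatures.
/// Calling SecKeyCopyExternalRepresentation on the SEP private key itself fails.
func exportPublicKey(of key: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let publicKey = SecKeyCopyPublicKey(key),
          let bytes = SecKeyCopyExternalRepresentation(publicKey, &error) else {
        throw error?.takeRetainedValue() ?? SecureEnclaveError.unavailable("no public key")
    }
    return bytes as Data
}

/// What a backend holding the exported public key would do with a signature.
func verifySignature(_ signature: Data, over message: Data, publicKey: SecKey) -> Bool {
    var error: Unmanaged<CFError>?
    return SecKeyVerifySignature(publicKey, .ecdsaSignatureMessageX962SHA256,
                                 message as CFData, signature as CFData, &error)
}

// Usage (on a real device; the simulator has no Secure Enclave):
// let key = try makeSecureEnclaveKey(label: secureEnclaveKeyLabel)
// let sig = try signWithSecureEnclave(Data("transfer 100".utf8), key: key)
// let ok  = verifySignature(sig, over: Data("transfer 100".utf8),
//                           publicKey: SecKeyCopyPublicKey(key)!)
```

The security property worth noticing is that every call that needs the private key goes through the SEP: there is no byte array in app memory for a debugger or a memory dump to extract, and a backend that verifies the signature gets proof that the SEP, and therefore the enrolled user, approved that exact message.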

Slide 12

Slide 12 text

• Biometry is stored on the device as a mathematical representation • It is encrypted with a private key stored in the Secure Enclave • Biometry data is used by the Secure Enclave only • It can’t be accessed by the OS or by any application

Slide 13

Slide 13 text

LocalAuthentication • Specify a particular policy and a user-facing message • The framework coordinates with the Secure Enclave • Validation returns a boolean value

Slide 14

Slide 14 text

LocalAuthentication • Specify a particular policy and a user-facing message • The framework coordinates with the Secure Enclave • Validation returns a boolean value WARNING

Slide 15

Slide 15 text

LocalAuthentication (code from https://nvisium.com/blog/2016/06/22/dont-touch-me-that-way.html)

    LAContext *myContext = [[LAContext alloc] init];
    NSError *authError = nil;
    NSString *myLocalizedReasonString = @"For Securing App with TouchID";

    if ([myContext canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&authError]) {
        [myContext evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
                  localizedReason:myLocalizedReasonString
                            reply:^(BOOL success, NSError *error) {
            if (success) {
                // User authenticated successfully
            } else {
                // User failed to authenticate successfully
            }
        }];
    } else {
        // Could not evaluate policy
    }

Slide 17

Slide 17 text

LocalAuthentication (same code as Slide 15, https://nvisium.com/blog/2016/06/22/dont-touch-me-that-way.html) VULNERABLE AGAINST REVERSE ENGINEERS

Slide 18

Slide 18 text

LocalAuthentication (same code as Slide 15, https://nvisium.com/blog/2016/06/22/dont-touch-me-that-way.html) VULNERABLE AGAINST REVERSE ENGINEERS USABLE PAYLOAD

Slide 19

Slide 19 text

KEYCHAIN

Slide 20

Slide 20 text

KEYCHAIN • A database that stores encrypted items • Good for storing passwords and tokens, not files • Each item is protected by the passcode/biometry and a device secret • Keychain items become available when the user authenticates to the device

Slide 21

Slide 21 text

No content

Slide 22

Slide 22 text

THE CORRECT FLOW EXAMPLE • The user secret is stored in the Keychain. • When the protected action is triggered, the Keychain is unlocked with Touch ID to get the secret. • The backend (BE) must require the client to include that secret when the protected action is performed.

Slide 23

Slide 23 text

THE CORRECT FLOW EXAMPLE • The user secret is stored in the Keychain. • When the protected action is triggered, the Keychain is unlocked with Touch ID to get the secret. • The backend (BE) must require the client to include that secret when the protected action is performed. WHAT ELSE CAN GO WRONG?

Slide 24

Slide 24 text

KEYCHAIN • Accessibility and authentication rules

Slide 25

Slide 25 text

KEYCHAIN • Accessibility and authentication rules SecAccessControlRef • kSecAccessControlTouchIDAny – Use any of the registered fingerprints • kSecAccessControlTouchIDCurrentSet – Use the set of fingerprints that was enrolled when the data was saved to the Keychain. If the current set changes, the Touch ID evaluation fails.
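The "correct flow" from Slides 22-23 combined with the access-control rule from this slide, as an added example written for this page (Swift, not the deck's Objective-C, and not code from the talk). Unlike the Slide 15 snippet, there is no `success` boolean for a reverse engineer to patch: the secret is readable only if the Keychain itself gets a biometric match, and the backend decides based on the secret, not on the client's opinion. `.biometryCurrentSet` is the modern Swift spelling of `kSecAccessControlTouchIDCurrentSet` (`.biometryAny` corresponds to `kSecAccessControlTouchIDAny`). The service/account names, the header name and the URL are assumptions.

```swift
import Foundation
import Security
import LocalAuthentication

// Hypothetical identifiers (not from the slides).
let keychainService = "com.example.app"
let keychainAccount = "protected-action-secret"

/// Stores the per-user secret issued by the backend in the Keychain, bound to
/// the biometric set enrolled right now (Slide 25: kSecAccessControlTouchIDCurrentSet).
func storeSecret(_ secret: Data) -> OSStatus {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet,   // use .biometryAny for the kSecAccessControlTouchIDAny behaviour
        &error) else {
        return errSecParam
    }
    let baseQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: keychainAccount
    ]
    // Drop any earlier copy so re-provisioning does not fail with errSecDuplicateItem.
    _ = SecItemDelete(baseQuery as CFDictionary)

    var add = baseQuery
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = secret
    return SecItemAdd(add as CFDictionary, nil)
}

/// Reads the secret. The Touch ID / Face ID prompt is raised by the Keychain,
/// not by app logic; the call either returns the bytes or fails (for example
/// errSecUserCanceled or errSecAuthFailed). After biometric re-enrolment the
/// item can no longer be retrieved, which is exactly the CurrentSet rule.
func readSecret(reason: String) -> Result<Data, Error> {
    let context = LAContext()
    context.localizedReason = reason
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: keychainAccount,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: context
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else {
        return .failure(NSError(domain: NSOSStatusErrorDomain, code: Int(status), userInfo: nil))
    }
    return .success(data)
}

/// Builds the protected request. The backend must reject any request without a
/// valid secret, so patching the client cannot replace the biometric step.
func protectedActionRequest(url: URL) -> URLRequest? {
    guard case .success(let secret) = readSecret(reason: "Confirm the transfer") else {
        return nil   // user cancelled, biometry failed, or the item was invalidated
    }
    var request = URLRequest(url: url)
    request.httpMethod = "POST"
    request.setValue(secret.base64EncodedString(), forHTTPHeaderField: "X-Action-Secret")
    return request
}

// Usage (on a device with a passcode and enrolled biometry):
// _ = storeSecret(Data("secret-from-backend".utf8))            // at login / provisioning
// let request = protectedActionRequest(url: URL(string: "https://example.invalid/transfer")!)
```

Two things to check when reviewing such code: that the item is created with an access-control object rather than a plain `kSecAttrAccessible*` value (otherwise any process running as the app can read it without a prompt), and that the server actually validates the secret, because a client-only check is the Slide 15 problem again in a different place.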

Slide 26

Slide 26 text

No content

Slide 27

Slide 27 text

ANY VULNERABILITIES IN SECURE ENCLAVE?

Slide 28

Slide 28 text

https://twitter.com/xerub/status/897896081874329600 HACKER CLAIMS TO HAVE DECRYPTED SECURE ENCLAVE

Slide 30

Slide 30 text

https://youtu.be/ei6NWGfRs2o Apple Secure Enclave Processor Hack Explained • Firmware decryption key for iPhone 5s only

Slide 31

Slide 31 text

IS IT SECURE? ★ The chance that someone else’s fingerprint will unlock your device is 1 in 50,000 ★ For Face ID it is 1 in 1,000,000 https://images.apple.com/business/docs/FaceID_Security_Guide.pdf

Slide 32

Slide 32 text

IS IT SECURE? ★ The chance that someone else’s fingerprint will unlock your device is 1 in 50,000 ★ For Face ID it is 1 in 1,000,000 ★ For comparison: a 4-digit passcode has a 1 in 10,000 chance, while a 6-digit passcode has a 1 in 1,000,000 chance https://images.apple.com/business/docs/FaceID_Security_Guide.pdf

Slide 33

Slide 33 text

TOUCH ID AND FACE ID ARE VULNERABLE TO TARGETED ATTACKS https://youtu.be/2u4ZLGsw1zo

Slide 34

Slide 34 text

No content

Slide 35

Slide 35 text

WHERE TO GO NEXT
OWASP MSTG – Testing Local Authentication https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06f-Testing-Local-Authentication.md
iOS Security Guide https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf
WWDC 14 – Keychain and Authentication with Touch ID https://devstreaming-cdn.apple.com/videos/wwdc/2014/711xx6j5wzufu78/711/711_keychain_and_authentication_with_touch_id.pdf
David Lindner – Don’t Touch Me That Way https://nvisium.com/blog/2016/06/22/dont-touch-me-that-way.html

Slide 36

Slide 36 text

OTHER TALKS
https://speakerdeck.com/julep/owasp-mstg-in-real-life
https://speakerdeck.com/julep/owasp-mstg-when-authentication-goes-wrong
https://www.facebook.com/julia.potapenko.16
https://t.me/OWASP_ZHYTOMYR_CHAT

Slide 37

Slide 37 text

THANK YOU!