Jamie Bowser - A Touch(ID) of iOS Security
Copyright © 2015, Cigital
2. About me…
• Cigital (3 years)
  • Technical Strategist - Mobile (iOS)
  • Sr. Consultant (iOS Tooling)
  • Consultant (MDM Implementation and iOS Security guidelines)
• KeyBank (12+ years)
  • Application Security Program Owner (web, mobile, mainframe)
  • Java Web Developer (external and internal sites)
• Other (x+y/z years)
  • NASA UNIX Administrator / Web administrator
  • Developer
  • iOS Developer (Touch Unlock by: Reconditorium Limited)
3. Presentation Scope
• In
  • Use of Touch ID in third-party applications
  • How to spot Local Authentication
  • Bypass-ability
• Out
  • Apple Pay Usage
  • iOS (Apple) Usage
5. What really is TouchID
• Touch ID is Apple's biometric fingerprint authentication technology.
• Reads the fingerprint and stores a “mathematical representation” of it in the “Secure Enclave”
  • The Secure Enclave is a “walled off architecture”, separated from the rest of the device via hardware
  • Able to store multiple fingerprint representations
• Client Side Authentication
  • Biometric
  • Possible form of Second Factor Authentication
6. TouchID Architecture
• Changed with each major release of iOS since it was released
• Getting better?
• Currently 3 options to discuss
  • Option 1 – iOS 7 Release - Initial TouchID release
  • Option 2 – iOS 8 Release
  • Option 3 – iOS 9 Release
7. TouchID Architecture – Release 1
• Architecture is not visible to iOS Applications – other than Apple’s Applications
[Diagram: TouchID Sensor → (hardware protected connection) → Secure Enclave holding the Fingerprint Representation → Local Authentication API → Apple Applications only; Third-Party Applications have no path to it]
8. Implementations – Release 1
• No Third-party Implementation Available
  • No “Public” API
  • Only “Public” API usage: Apple's own applications in the App Store
9. TouchID Architecture – Release 2
• Architecture becomes visible to iOS Applications – in addition to Apple’s Applications
[Diagram: TouchID Sensor → (hardware protected connection) → Secure Enclave holding the Fingerprint Representation → Local Authentication API → Apple Applications and Third-Party Applications]
10. Implementations – Release 2
• Typical Implementation
[Flowchart: Start → Check Local Auth API → Get Token in Keychain → Authenticate → Place token in Keychain ** → Start → Use Token]
** Add attribute to Keychain entry that ties it to having a passcode on the device – not really associated to TouchID
11. Implementations – Release 2
• Many Third-Party Application teams jumped in and implemented something
• And have not updated it since…
12. TouchID Architecture – Release 3
• Architecture is visible to iOS Applications – in addition to Apple’s Applications (requires iOS 9.x)
[Diagram: TouchID Sensor → (hardware protected connection) → Secure Enclave holding the Fingerprint Representation → Local Authentication API and Security Framework → Apple Applications and Third-Party Applications]
13. Implementations – Release 3
• Typical Implementation
[Flowchart: Start → Check Local Auth API ** → Attempt to get token from Keychain (triggers system checks) → Authenticate → Place token in Keychain * → Start → Use Token]
* Add attribute to Keychain entry that ties it to having TouchID requirements
** Optional
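The Release 2 flow (slide 10) and the Release 3 flow (slide 13) written out side by side, as an added Objective-C example that is not code from the slides or from Cigital. The service name and helper names (kTokenService, tokenQuery, storeTokenPasscodeOnly, storeTokenTouchID, readToken, unlockRelease2, unlockRelease3) are assumptions made for this example; the Security and LocalAuthentication calls are Apple's public API as described on the slides.

```objectivec
// Added example (not from the slides): Release 2 vs Release 3 token storage.
// Assumed names: kTokenService, tokenQuery, storeTokenPasscodeOnly,
// storeTokenTouchID, readToken, unlockRelease2, unlockRelease3.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <LocalAuthentication/LocalAuthentication.h>

static NSString *const kTokenService = @"com.example.touchid-token"; // assumed service name

// Base query identifying the single token item this example manages.
static NSMutableDictionary *tokenQuery(void) {
    return [@{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kTokenService,
    } mutableCopy];
}

// Release 2 pattern (the "**" attribute on slide 10): the item is tied only to the
// device having a passcode. Nothing in the keychain requires Touch ID; the app
// alone decides, based on the BOOL handed back by evaluatePolicy.
static OSStatus storeTokenPasscodeOnly(NSData *token) {
    SecItemDelete((__bridge CFDictionaryRef)tokenQuery());
    NSMutableDictionary *attrs = tokenQuery();
    attrs[(__bridge id)kSecValueData] = token;
    attrs[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
}

// Release 3 pattern (the "*" attribute on slide 13): an access control object makes
// the keychain itself demand a Touch ID match on every read. TouchIDCurrentSet also
// invalidates the item when fingerprints are added or removed. Requires iOS 9.
static OSStatus storeTokenTouchID(NSData *token, CFErrorRef *error) {
    SecAccessControlRef sac = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        kSecAccessControlTouchIDCurrentSet,
        error);
    if (sac == NULL) return errSecParam;
    SecItemDelete((__bridge CFDictionaryRef)tokenQuery());
    NSMutableDictionary *attrs = tokenQuery();
    attrs[(__bridge id)kSecValueData] = token;
    attrs[(__bridge id)kSecAttrAccessControl] = (__bridge_transfer id)sac;
    return SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
}

// Reads the token. For a Touch ID protected item the system shows the prompt and
// blocks until the user responds; for a passcode-only item the data comes back
// silently. Call this off the main thread.
static NSData *readToken(NSString *prompt) {
    NSMutableDictionary *query = tokenQuery();
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecUseOperationPrompt] = prompt;
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess) return nil; // errSecUserCanceled, errSecAuthFailed, errSecItemNotFound, ...
    return (__bridge_transfer NSData *)result;
}

// Release 2 flow: app-side check, then an unprotected keychain read.
static void unlockRelease2(void (^done)(NSData *token)) {
    LAContext *context = [[LAContext alloc] init];
    NSError *error = nil;
    if (![context canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&error]) {
        done(nil); // no Touch ID available; the app has to fall back to something else
        return;
    }
    [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
            localizedReason:@"Unlock your session"
                      reply:^(BOOL success, NSError *authError) {
        // The read below succeeds regardless of the Touch ID result: only this BOOL
        // gates it, which is why slide 10 says the item is "not really associated to TouchID".
        done(success ? readToken(@"Unlock your session") : nil);
    }];
}

// Release 3 flow: no app-side decision. The read either yields the token after a
// successful Touch ID match or fails with an error status from the system checks.
static void unlockRelease3(void (^done)(NSData *token)) {
    done(readToken(@"Unlock your session"));
}
```

The two store functions are intentionally interchangeable so the difference is visible in one place: with storeTokenPasscodeOnly the security decision is a BOOL inside the application, with storeTokenTouchID the decision is made by the keychain and Secure Enclave before any data is returned, which is the property the Release 3 flow relies on.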
14. Implementations – Release 3
• Does require iOS release restrictions on users
  • Not everybody updates
• Can detect the iOS version and fall back to a weaker implementation, but the result is only as strong as the weakest link
15. HOW TO SPOT LOCAL AUTHENTICATION
Doing Source Code Review?
16. Spotting Local Authentication
#import <LocalAuthentication/LocalAuthentication.h>

LAContext *context = [[LAContext alloc] init];
__block NSString *message;
// Show the authentication UI with our reason string.
[context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
        localizedReason:@"Unlock access to locked feature"
                  reply:^(BOOL success, NSError *authenticationError) {
    if (success) {
        message = @"evaluatePolicy: success";
    } else {
        message = [NSString stringWithFormat:@"evaluatePolicy: %@",
                   authenticationError.localizedDescription];
    }
    // The reply block runs on a private queue; hand the UI update to the main thread.
    // printMessage:inTextView: is the sample app's own helper (not shown here).
    dispatch_async(dispatch_get_main_queue(), ^{
        [self printMessage:message inTextView:self.textView];
    });
}];
17. Spotting Local Authentication
#import <Security/Security.h>
#import <LocalAuthentication/LocalAuthentication.h>

CFErrorRef error = NULL;
LAContext *context = [[LAContext alloc] init];
// kSecAccessControlApplicationPassword requires the context to carry the application password.
[context setCredential:[@"APP_PASSWORD" dataUsingEncoding:NSUTF8StringEncoding]
                  type:LACredentialTypeApplicationPassword];
SecAccessControlRef sacObject = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
    kSecAccessControlTouchIDAny | kSecAccessControlApplicationPassword,
    &error);
if (sacObject == NULL) {
    NSLog(@"SecAccessControlCreateWithFlags failed: %@", (__bridge NSError *)error);
    // handle the error; do not continue with a nil access control object
}
NSData *secretPasswordTextData = [@"SECRET_PASSWORD_TEXT" dataUsingEncoding:NSUTF8StringEncoding];
NSDictionary *attributes = @{
    (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
    (__bridge id)kSecAttrService: @"SampleService",
    (__bridge id)kSecValueData: secretPasswordTextData,
    // No prompt while adding; deprecated in iOS 9 in favour of kSecUseAuthenticationUI.
    (__bridge id)kSecUseNoAuthenticationUI: @YES,
    (__bridge id)kSecAttrAccessControl: (__bridge_transfer id)sacObject,
    (__bridge id)kSecUseAuthenticationContext: context
};
OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attributes, nil);
if (status != errSecSuccess) {
    NSLog(@"SecItemAdd failed: %d", (int)status);
}
* Alternatively kSecAccessControlTouchIDCurrentSet: the item is invalidated when fingerprints are added or removed.
19. TouchID By-passing
• When determining risk, consider the following:
  • Jailbroken Device
    • By-passable via both the API and Keychain Access Groups
      • Swizzle the API
      • Hook the Keychain API and remove the Access Group when inserting
    • SuccessID
      • Does not implement the Access Group removal
      • https://hexplo.it/successid-touchid-override-simulation/
  • Non-Jailbroken Device
    • By-passable using the API
      • Swizzle the API
20. Questions
email: jbowser@cigital.com