An iPhone 5S with Touch ID® Sensor by Kelvin Ma via Wikimedia Commons.

Bypassing Apple’s Touch ID… but from certain apps!

Many people consider Apple’s Touch ID the state-of-the-art of fingerprint recognition for mobile devices. Maybe is, but who wants use this feature from a new release of his favorite app must be careful. Developers must pay attention to written algorithm when implementing this feature into their apps.

Leia a versão em português desse artigo aqui.

Apple “thinking different” introduced from 2015 a fingerprint recognition called Touch ID® into their mobile devices. It’s a great way to improve user’s experience with a security feature although some guys here and here present us how to bypass its security.

Touch ID can be used for unlocking a device or provide a way to an app authenticate the user and validate if he is himself. At this point essentially the app’s developer has two ways to implement it:

  • To validating only if the user’s fingerprint is valid. Apple provides this from LocalAuthentication API, e.g., Nubank — a Brazilian startup operating as credit card issuer — uses it into their app.
  • To getting user’s credential stored on Keychain when the app needs to authenticate the user. A fingerprint validation must be performed and if it returns as valid, is allowed to access the Keychain. Who uses this authentication method is Worx Home by Citrix, a mobile multi-platform client to enforce security policies and provision mobile apps managed by EMM platform, namely Citrix XenMobile.

Secure Enclave is how Apple calls the place on their SoC processor does Keychain operations and also where fingerprint map is stored for Touch ID. Keychain is an encrypted database used to store passwords and others secrets. But let’s get focus on Citrix’s app and its capability to use Touch ID feature.

A wrong way to implement Touch ID in your app

XenMobile allows IT admins to enable a PIN requirement on Worx Home for among other things, secure launching of a managed app, such WorxMail email client. This PIN is stored locally on device — optionally on Secure Enclave for iOS supported devices — and its validation occurs locally as well. For iOS supported devices, Citrix offers Touch ID validation. In this case when the PIN is prompted, the user will put his finger on device’s home button and the app will be unlock. Let me give you an example what it does behind the scenes — in short: — in short:

Example 1: What happens on background.

  1. User opens a managed app protected by WorxPIN such as WorxMail;
  2. Worx Home is launched and prompts for Touch ID;
  3. Apple’s API validates if user’s fingerprint is valid;
  4. Is valid, then push Worx PIN from device’s Keychain;
  5. Worx Home puts Worx PIN on prompted field;
  6. Worx Home validates Worx PIN;
  7. If Worx PIN is valid, then allows user launch the app.

I really expecting that, but it doesn’t. I found a way to bypass Touch ID validation and launch a managed app without do authentication when Worx Home prompts for the PIN. Here’s the trick:

Example 2: Exploiting the vulnerability.

  1. Consider a client with micro VPN established, e.g., previously using WorxMail client;
  2. Reboot the iOS device;
  3. Authenticate with device’s passcode normally;
  4. Open WorxMail app;
  5. When prompted for Touch ID, press the Cancel button.
  6. You will be prompted to input the Worx PIN. In this step, close the app by pressing twice on the device’s Home button and sliding the app window to the top.
  7. Open WorxMail again. It will no longer require authentication at this point.

As can you see, I’m not bypassing Touch ID security, but taking advantage of a loophole of how the app have implemented the Touch ID validation.

Exploiting the vulnerability on iOS device

It's the developer responsibility to protect the secrets

  • Use and purge
  • Do not keep secrets in memory
  • Do not save or send
  • When you need to update a secret, update it. Do not delete it and save again. This best practice is to keep ACL rule.

Disclosure details: https://support.citrix.com/article/CTX214006