Touch ID Authentication Bypass on Evernote and Dropbox iOS Apps

This blog will walk you through the technique I used to bypass the Touch ID authentication feature implemented on the login page of the Evernote and Dropbox iOS apps.

Just before getting started, here is the list of tools that were used in this process:

  1. iPhone 6S with iOS 13.3.1
  2. checkra1n executable for semi-tethered jailbreaking
  3. Frida on the PC and frida-server on the device
  4. Objection on the PC

Let's get started, folks!!

Prologue

Jailbroken iPhone 6S with iOS 13.3.1

You can refer to this blog for the entire jailbreak process: https://www.redmondpie.com/jailbreak-ios-13.3.1-using-checkra1n-heres-how-guide/.

Once you have a jailbroken device, the next step in the process is to install frida-server through Cydia (the store from which all the jailbreak apps are downloaded).

frida-server on the iPhone 6S

Finally, install Frida and Objection on your PC (in my case a Mac). You can install Objection by following https://github.com/sensepost/objection/wiki; Frida is installed automatically as a dependency, so you only need Python 3 on the machine.

Methodology

Pre-configuration before the attack

Setting up Touch ID in Evernote

Steps:

  1. Go to your profile
  2. Go to Settings
  3. Tap `Passcode Lock`
  4. Tap `Turn Passcode On`
  5. Set up the passcode; once it's done, Touch ID is enabled automatically.

Evernote Touch ID enabled

Setting up Touch ID in Dropbox

Steps:

  1. Go to your profile
  2. Tap the settings icon in the top left corner
  3. Tap `Turn Passcode On`
  4. Set up the passcode; once it's done, slide the Touch ID toggle on.

Dropbox Touch ID enabled

Understanding the Attack

But... before we begin the actual attack, let's understand the bypass first.

Note: I will just briefly give you an idea of how it was actually bypassed, and then we begin with the practical demo.

Basically, when a user places a finger on the sensor for Touch ID auth, the application code creates an LAContext object and calls its evaluatePolicy method. Inside this method the fingerprint data, in the form of a mathematical representation, is checked against the fingerprint data stored in the Secure Enclave of the device. Depending on the success or failure of the authentication itself, a reply block is invoked that includes a boolean indicating whether it was successful or not.

So if the auth was successful we get a boolean true, else a boolean false. We use the command ios ui biometrics_bypass in the objection tool to bypass this boolean check. After this command is issued, objection starts interacting with frida-server on the device; at runtime, frida-server changes the false value to true, gives objection a heads up, and bang, we get access.

Note: Check out the entire description of this command and how it works in this post: https://github.com/sensepost/objection/wiki/Understanding-the-iOS-Biometrics-Bypass
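To make the mechanism above concrete, here is an added Swift example (not code from the original post, nor from Evernote, Dropbox or objection). The first function shows the pattern just described: the app gates its UI on the Bool delivered to the evaluatePolicy reply block, which is exactly the value a runtime hook in the app process can rewrite. The second and third functions show the hardened form that app developers use against this class of bypass: the secret the app needs (a token that unlocks local data, for instance) is stored in the keychain behind a SecAccessControl that requires the current biometric set, so the keychain and Secure Enclave release it only after a genuine match and the app never holds a Bool that decides access. The function names, the account string and the reason text are assumptions made for the example.

```swift
import Foundation
import LocalAuthentication
import Security

// Weak pattern (assumed app code): the whole decision is a Bool handed to
// the reply block. Anything running inside the app process that rewrites
// that Bool turns a failed match into "unlocked".
func unlockWithBoolReply(completion: @escaping (Bool) -> Void) {
    let context = LAContext()
    var authError: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                    error: &authError) else {
        completion(false)
        return
    }
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: "Unlock your notes") { success, _ in
        // The app trusts `success` as-is and shows the dashboard when it is true.
        completion(success)
    }
}

// Hardened pattern, step 1 (assumed helper name): store the secret in the
// keychain with an access control that demands the biometric set enrolled
// right now. Adding a new fingerprint later invalidates the item.
func storeBiometricSecret(_ secret: Data, account: String) -> OSStatus {
    var aclError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet,
        &aclError) else {
        return errSecParam
    }

    // Remove any previous item for this account before adding the new one.
    let deleteQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(deleteQuery as CFDictionary)

    let addQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account,
        kSecAttrAccessControl as String: access,
        kSecValueData as String: secret,
    ]
    return SecItemAdd(addQuery as CFDictionary, nil)
}

// Hardened pattern, step 2 (assumed helper name): read the secret back.
// The system shows the Touch ID prompt itself; on a failed or cancelled
// match SecItemCopyMatching returns an error and no data, so there is no
// Bool in the app for a hook to flip. Without the secret the app simply
// cannot decrypt or display what it protects.
func readBiometricSecret(account: String, reason: String) -> Data? {
    let context = LAContext()
    context.localizedReason = reason

    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecUseAuthenticationContext as String: context,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else {
        // errSecAuthFailed, errSecUserCanceled, errSecItemNotFound, ...
        return nil
    }
    return data
}

// Usage sketch (constructed): the app wraps its local data key with `key`
// at setup time and can only unwrap it after a real biometric match.
func exampleFlow() {
    let key = Data((0..<32).map { _ in UInt8.random(in: 0...255) })
    _ = storeBiometricSecret(key, account: "com.example.localDataKey")
    if let released = readBiometricSecret(account: "com.example.localDataKey",
                                          reason: "Unlock your notes") {
        // Only reached when the keychain released the secret.
        _ = released
    }
}
```

The design point is where the trust boundary sits. In the first function the match result crosses into the app process as a Bool and becomes the gate, so the gate lives in memory that any in-process instrumentation can edit. In the keychain form the gate is the release of the secret by the OS, and the app holds nothing to rewrite; with `.biometryCurrentSet` and no passcode fallback flag, only a matching enrolled fingerprint unlocks it.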

Final Attack

Steps:

1. Connect your iPhone to the PC.

2. First we need to identify under what names the apps are running on the phone.

3. Run `frida-ps -U` in your PC terminal.

Frida command on PC terminal

4. The apps usually run under their own names, "Evernote" and "Dropbox", as you can see in the image above.

5. Open the Evernote App

6. Next, run objection with a command like:

`objection -g Evernote explore`

Objection command Evernote

7. Now use the `ios ui biometrics_bypass` command as shown below. You can also observe in the image that a localized reason was identified by the agent (that is, frida-server). Sometimes the agent isn't able to catch the Touch ID pop-up while the app is opening and you won't see the localized reason message in objection; in that case lock the phone without closing the app and quickly unlock it again, and check that the code was hooked properly.

biometric bypass command [Evernote]

8. As you can see below, wrong fingerprint attempts were made on Touch ID. It might sometimes take three attempts to bypass; make sure that while making the attempts objection is running in the terminal and the device is connected with a USB cable.

Evernote fingerprint wrong attempts

9. Finally, on the 3rd wrong attempt, below are the results on both the objection terminal and the app GUI:

Bypass Complete on Evernote app

10. As you can see in the image below, the Evernote dashboard was accessed by bypassing the fingerprint auth mechanism.

Evernote dashboard accessible

Similarly for Dropbox, follow all the steps from step 5 to step 9. Finally, on the 3rd wrong attempt in the case of Dropbox as well, below are the results observed on both the objection terminal and the app GUI:

Bypass Complete on Dropbox app

The Dropbox dashboard is also accessible after bypassing the fingerprint auth mechanism.

Dropbox dashboard accessible

Note: Just let me know through DM on my Twitter handle https://twitter.com/viperbluff how this vulnerability can be patched :-)

Hope you guys liked it!!