
Enhanced Device Security in iOS 9

With the introduction of the iPhone 5S in the fall of 2013, Apple released two new hardware features that altered how we interact with mobile device security. Buried in the A7 chip (and in the chip of any iOS device with Touch ID) is the Secure Enclave, an isolated component that stores cryptographic information necessary for keychain encryption and data protection. The Secure Enclave enables another security feature, one with which we quite directly interact, Touch ID. The fingerprint information for Touch ID is stored in the Secure Enclave. When the user presses their finger to the Touch ID sensor, the system calculates a mathematical representation of the fingerprint; no fingerprint images are ever stored or transmitted. This representation is sent to the Secure Enclave, which then passes a boolean success value to the requesting application. The application then responds accordingly. This has been the extent of our interaction with Touch ID since iOS 8. At WWDC this year, Apple introduced new APIs that give app developers more flexibility with Touch ID and access to the increased security of Secure Enclave.

Touch ID Enhancements

From the beginning, Touch ID has been both convenient and secure, which is a difficult balance to strike. In iOS 9, developers have been given two new options, one of which leans towards convenience, and the other towards greater security. Allowable reuse duration is the former, which lets the developer specify an amount of time to wait between a device unlock and another Touch ID authentication request. As an example, if the user opens your app within 20 seconds of unlocking the device, you can choose not to prompt the user again. This reuse duration is specified by a property on LAContext:

LAContext.touchIDAuthenticationAllowableReuseDuration = 20

This provides a user experience benefit by reducing the amount of repetitive prompts presented, at the cost of slightly reduced security.

Touch ID Enrollment

Touch ID enrollment changes move to the other side of the spectrum. With this new functionality, apps can respond to a change in the set of registered fingerprints. This is accessible through another new property on LAContext:

LAContext.evaluatedPolicyDomainState

This property does not give the application any specific information about the set of registered fingerprints. To use this API, the application saves the initial state that it would like to enforce. It then checks the current state any time it needs to do so. The app uses the equality operator == to compare the current state to the state previously saved. No special comparison function is required. The app can then respond accordingly. An app can use this functionality if it needs to assume that the fingerprint state at the time of configuration is a particular identity. If any fingerprints are changed, the app can require that the user re-authenticate to ensure that the fingerprint changes are approved.
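The following Swift is an added example (not code from the original article) that puts the allowable reuse duration and the evaluatedPolicyDomainState check together: it records the enrollment state once, then compares the live state with plain == on Data. The UserDefaults key name is an assumption chosen for this example; a production app would keep the baseline in the keychain.

```swift
import Foundation
import LocalAuthentication

// Added example. Storage key is an assumption for this illustration.
let enrollmentStateKey = "com.example.touchid.enrollmentState"

enum EnrollmentCheck {
    case unchanged
    case changed
    case unavailable(Error?)
}

/// Returns the opaque Touch ID enrollment state, or nil if biometrics
/// cannot be evaluated. The property is only populated after
/// canEvaluatePolicy (or evaluatePolicy) has run on the context.
func currentEnrollmentState(using context: LAContext = LAContext()) -> (Data?, Error?) {
    var error: NSError?
    // Convenience trade-off from the article: skip a fresh prompt if the
    // device was unlocked with Touch ID within the last 20 seconds.
    context.touchIDAuthenticationAllowableReuseDuration = 20
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) else {
        return (nil, error)
    }
    return (context.evaluatedPolicyDomainState, nil)
}

/// Records the enrollment state the app wants to trust from now on.
/// Call this at configuration time, after the user has authenticated.
func rememberEnrollmentState() -> Bool {
    let (state, _) = currentEnrollmentState()
    guard let state = state else { return false }
    UserDefaults.standard.set(state, forKey: enrollmentStateKey)
    return true
}

/// Compares the saved baseline with the live state; no special
/// comparison function is needed, == on Data is sufficient.
func checkEnrollment() -> EnrollmentCheck {
    let (state, error) = currentEnrollmentState()
    guard let live = state else { return .unavailable(error) }
    guard let saved = UserDefaults.standard.data(forKey: enrollmentStateKey) else {
        // No baseline yet: record this state and treat it as the reference.
        UserDefaults.standard.set(live, forKey: enrollmentStateKey)
        return .unchanged
    }
    return live == saved ? .unchanged : .changed
}
```

On a `.changed` result the app should require the user to re-authenticate (for example with a server-side credential) before accepting the new fingerprint set and calling rememberEnrollmentState() again.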

Both of these changes are enhancements to authentication using Touch ID. For the remainder of this article, I will discuss changes that allow app developers to take advantage of the Secure Enclave, some of which work in conjunction with Touch ID.

Access Control Lists (ACL)

By using ACLs, app developers can tighten the security on their saved secrets. ACLs place the secrets into the Secure Enclave. The Secure Enclave locks these secrets, and will only release them under certain circumstances.

  • Touch ID

    • There are two authentication types that require Touch ID: .TouchIDAny and .TouchIDCurrentSet. These types do not fall back to a passcode; the only way to unlock secrets stored with these types is to authenticate with Touch ID. .TouchIDAny will authenticate with any fingerprint registered in the Secure Enclave, even if that set has changed since registration. .TouchIDCurrentSet will not accept authentication if the set of fingerprints has changed since registration.

    • When the user presses their finger to the Touch ID sensor, the request is sent to the Secure Enclave, as usual. However, the boolean success value is not returned to the application. Instead, the success value is sent to the KeyStore, which also resides in the Secure Enclave. If Touch ID authentication is successful, the KeyStore will return the secret to the application.

  • Application Password

    • All of the above methods for accessing saved secrets are unlocked through user interaction. For additional security, your app can instead protect secrets with an additional password, called an application password. In this scheme, the secret is still stored in the Secure Enclave, but two passwords are required for access, one from the user, and one from the application. The system generates an AES key from each one, and both are required to unlock the secret. The Secure Enclave receives the keys, attempts to unlock the secret, and returns it upon success.

    • The application password must not be stored on the device, or else it will provide no additional security. Apple gave two example use cases for providing the application password, a token sent from a server, and the use of authentication accessories.

  • Private Key Storage

    • The final method for utilizing the Secure Enclave is the storage of private keys. In asymmetric cryptography, a public and private key are generated and used to sign data. One API call, SecKeyGeneratePair(), creates a public and private key. The public key is returned to the app, and the private key is sent directly to the Secure Enclave. This private key cannot be retrieved. When data must be signed, the data is passed to the Secure Enclave. If the app has so requested, the system will then ask for Touch ID verification. If successful, the Secure Enclave will sign the data and return the signature. The private key is never returned to the app. The app can then use the signed data and the public key, for example, to verify that the correct device is attempting to access a web service.
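As an added example (not the article's own code), the Swift below implements the Private Key Storage flow: an EC P-256 key pair is generated with SecKeyGeneratePair() and a .TouchIDCurrentSet access control, so the private key never leaves the Secure Enclave and signing requires Touch ID. The key tag is an assumption chosen for this example, and SecKeyCreateSignature/SecKeyVerifySignature are iOS 10+ APIs, newer than the iOS 9 calls the text discusses.

```swift
import Foundation
import Security

// Added example. The application tag is an assumption for this illustration.
let keyTag = "com.example.se.signingkey".data(using: .utf8)!

/// Creates the key pair. Only the public key is usable by the app; the
/// returned private SecKey is a handle, not exportable key material.
func makeSecureEnclaveKeyPair() -> (publicKey: SecKey, privateKey: SecKey)? {
    var cfError: Unmanaged<CFError>?
    // ACL: usable only while unlocked, never migrates off this device, and
    // signing requires Touch ID with the fingerprint set unchanged since creation.
    guard let acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage, .touchIDCurrentSet],
        &cfError) else { return nil }

    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeEC,
        kSecAttrKeySizeInBits as String: 256,          // Secure Enclave keys are P-256
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrAccessControl as String: acl,
        ],
    ]
    var pub: SecKey?
    var priv: SecKey?
    let status = SecKeyGeneratePair(attributes as CFDictionary, &pub, &priv)
    guard status == errSecSuccess, let publicKey = pub, let privateKey = priv else { return nil }
    return (publicKey, privateKey)
}

/// Hands `message` to the Secure Enclave for signing; the system shows the
/// Touch ID prompt because of the ACL, and only the signature comes back.
func signWithSecureEnclave(_ privateKey: SecKey, message: Data) -> Data? {
    var cfError: Unmanaged<CFError>?
    let sig = SecKeyCreateSignature(privateKey, .ecdsaSignatureMessageX962SHA256,
                                    message as CFData, &cfError)
    return sig as Data?
}

/// The check a web service performs with the app's exported public key.
func verify(_ signature: Data, for message: Data, with publicKey: SecKey) -> Bool {
    var cfError: Unmanaged<CFError>?
    return SecKeyVerifySignature(publicKey, .ecdsaSignatureMessageX962SHA256,
                                 message as CFData, signature as CFData, &cfError)
}
```

Because the server holds only the public key, a signature over a server-issued nonce proves the request came from the device that enrolled, without any secret ever leaving the Secure Enclave.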

Summary

With Touch ID and the Secure Enclave in the iPhone 5S, Apple introduced a convenient way to strengthen the security of our iPhones. In iOS 9, they’ve given app developers even greater access to the tightened security of the Secure Enclave and added more flexibility to how we interact with Touch ID. The message is clear; a simple passcode is no longer enough. With the new functionality in iOS 9, app developers have a much greater capability to protect our users’ sensitive information, ensuring that they will trust us and our software.
