How to increase sales.
Designed by Apple in California.
There is so much misinformation about the fact that an iPhone can be bricked after replacing the Touch ID sensor by an unauthorized repair shop.
So here are the facts …
The API hides a lot of the implementation details, so most developers won’t know how it really works but Apple documents it in their iOS Security Guide (link below).
When you boot your iPhone up, the filesystem is encrypted. It’s just full of meaningless junk; you can’t use the phone. Once you enter your passcode for the first time, the system reads the filesystem key (which itself is stored encrypted by your passcode), and tries to decrypt it. If your passcode is correct, it will end up with the correct filesystem key, and it can unlock your iPhone’s hard drive and read useful data from it. This filesystem key is called NSFileProtectionComplete.
The class key is protected with a key derived from the user passcode and the device UID.
… when a passcode is entered, the NSFileProtectionComplete key is loaded from the system keybag and unwrapped.
At this point your phone is unlocked. That is all there is to it. This filesystem key gets placed in the Secure Enclave so your iPhone can read/write from its hard drive. We haven’t used TouchID or fingerprints so far, just a passcode. This is why you always need to give your passcode after a restart.
So how does Touch ID work, exactly?
Let’s look at what happens when you lock the phone, and how it’s different between TouchID and non-TouchID:
If Touch ID is turned off, when a device locks, the keys for Data Protection class Complete, which are held in the Secure Enclave, are discarded. The files and keychain items in that class are inaccessible until the user unlocks the device by entering his or her passcode. With Touch ID turned on, the keys are not discarded when the device locks; instead, they’re wrapped with a key that is given to the Touch ID subsystem inside the Secure Enclave. When a user attempts to unlock the device, if Touch ID recognizes the user’s fingerprint, it provides the key for unwrapping the Data Protection keys, and the device is unlocked.
So basically if you have TouchID disabled (passcode only), this key gets thrown away and you need to enter the passcode again next time you unlock. It’s the exact same process as you go through on first-boot.
What Apple is saying here is that TouchID just holds on to the key which you already obtained via your passcode for a while (48 hours if the device stays on). But is TouchID really completely optional? Let’s ask Apple:
When Touch ID scans and recognizes an enrolled fingerprint, the device unlocks without asking for the device passcode. The passcode can always be used instead of Touch ID.
What about other stuff like iTunes purchases? How does that work with Touch ID?
Touch ID can also be configured to approve purchases from the iTunes Store, the App Store, and the iBooks Store, so users don’t have to enter an Apple ID password. When they choose to authorize a purchase, authentication tokens are exchanged between the device and the store. The token and cryptographic nonce are held in the Secure Enclave. The nonce is signed with a Secure Enclave key shared by all devices and the iTunes Store.
So when you enter your iTunes Store password the first time after a reboot, your device gets a temporary token to use for purchases, stores it in the Secure Enclave, and guards it behind TouchID. Again, it’s totally optional; just a shortcut for entering your password.
The same applies to Apple Pay:
The Secure Element will only allow a payment to be made after it receives authorization from the Secure Enclave, confirming the user has authenticated with Touch ID or the device passcode. Touch ID is the default method if available but the passcode can be used at any time instead of Touch ID. A passcode is automatically offered after three unsuccessful attempts to match a fingerprint and after five unsuccessful attempts, the passcode is required. A passcode is also required when Touch ID is not configured or not enabled for Apple Pay.
Man, Apple is really going to regret writing this document…
- It is totally technically possible to rip the Touch ID sensor out of your phone and still be able to unlock it (assuming you have the passcode).
- Touch ID does not seem to be essential for any single feature of the device; it is just a shortcut for entering the passwords you already entered.
- It’s really weird that Apple only checks the Touch ID sensor’s integrity when they update the OS. Shouldn’t iOS check that on every boot?
So what did Apple do wrong?
- Apple should have communicated better (not when performing the update, but when buying the device!) that the Touch ID sensor can only be replaced by an authorised technician.
- If the Touch ID sensor is compromised, iOS should exclusively use the passcode instead.
The passcode is the only thing you really need to unlock the device. Apple should admit that they chose to the wrong option. Looking forward to a legitimate lawsuit or an updated version of iOS.
I always thought that the hardest thing in the world to understand is the income tax, but now we have Error 53, designed by Apple in California.
iOS Security Guide
Credit to springsup on MacRumors
Thanks for dropping by.