Using iOS biometrics features like Touch ID and Face ID is a really convenient way to authenticate a user before performing sensitive actions. These actions, of course, depend on apps’ features. Usually, we test apps that use TouchID/FaceID to log in and to confirm financial actions (e.g. wire transfer). But, do these checks can be treated as 100% secure?
The answer is of course not. Biometrics checks are performed on your device, and like any others ‘client-side checks’ can be bypassed if attacker can control the application/device. In this blog post, I want to show you how easy that hack may be done. To perform the attack, we need:
- jailbroken device (if you do not have one, check this presentation),
- text editor. 😉
Sample app — SecuBank
I prepared a really simple application that asks you for your finger/face and displays a message if the verification was successful or not.
Note that the application’s logic was implemented in Swift:
Now, we have to write a Frida script that bypasses the check. As you can see in the above-pasted code snippet, the evaluatePolicy uses a callback that determines the result. So, the easiest way to achieve the hack is to intercept that callback and make sure it always returns the success=1.
Hacking the SecuBank
At this moment, we just need to open the SecuBank and load the script with Frida:
$frida -U -l bypass.js -f biz.securing.SecuBank --no-pause
In this article, I showed you again that any kind of local checks can be bypassed, including the biometrics ones provided by the iOS/macOS. These checks are really convenient, but you have always to remember that they cannot guarantee any reliability if the device is jailbroken.
If you are interested in implementing such jailbreak checks, take a look at the iOS Security Suite — our open source project!
Implementing anti-tampering mechanism in iOS apps [LINK]
Head of Mobile Security