Local Authentication par Pierre-Alban Toth
-
Upload
cocoaheads-france -
Category
Software
-
view
2.779 -
download
2
Transcript of Local Authentication par Pierre-Alban Toth
• iOS 7
• iPhone 5s / iPad Air 2 / iPad Mini 3
• Unlock device (Passcode)
• iTunes/AppStore purchases, Pay
• Passcode at restart / after 48hrs idle
• 5 fingerprints max.
• No iCloud/Backup sync
• SECURE ENCLAVE
Secure ?
• Native encryption
• On top of the chip (Isolation == Trust)
• Cryptographic Operations Center
• Touch ID Operations Center
• Simplest Touch ID implementation
• Yes/No answer
• No Keychain interaction
• Parental check, unlock app feature…
LAContext
• Make sure Touch ID is available
• canEvaluatePolicy:error:
LAContext
#import <LocalAuthentication/LocalAuthentication.h>
LAContext *context = [LAContext new];
NSError *error; if([context canEvaluatePolicy: LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&error]) { // Touch ID authentication available }
• Ask for an access
• evaluatePolicy:localizedReason:reply:
LAContext
[context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics localizedReason:@"CocoaHeads sessions access" reply:^(BOOL success, NSError *authenticationError) { if (success) { // Access granted ! } else { // Access refused. See authenticationError }}];
• LocalAuthentication errors
‣ LAErrorUserCancel
‣ LAErrorUserSystemCancel
‣ LAErrorUserFallback…
LAContext
• Keychain item access with Passcode
• Touch ID used when available
• Acknowledge access to sensitive data
‣ password, token, credit card…
secItem
• Keychain 101 : Store an item
• Simple ? :)
secItem
NSData *secretKey = [self secretKey]; NSDictionary *query = @{(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword, (__bridge id)kSecAttrService: @"CocoaHeads", (__bridge id)kSecAttrAccount: @“admin", (__bridge id)kSecValueData: secretKey, (__bridge id)kSecAttrAccessible: (__bridge id)kSecAttrAccessibleAlways};
OSStatus status = SecItemAdd((__bridge CFDictionaryRef)query, nil);
• New attribute : kSecAttrAccessControl
• kSecAttrAccessible + kSecAccessControlUserPresence
secItem
NSError *error;
SecAccessControlRef accessControl = SecAccessControlCreateWithFlags(kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, kSecAccessControlUserPresence, &error);
• kSecAttrAccessible…
• …WhenPasscodeSetThisDeviceOnly
‣ No Passcode == item is erased
• …WhenUnlockedThisDeviceOnly
‣ No Passcode == item not accesible
secItem
• All together
secItem
NSData *secretKey = [self secretKey]; NSError *error;
SecAccessControlRef accessControl = SecAccessControlCreateWithFlags(kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, kSecAccessControlUserPresence, &error);
NSDictionary *query = @{(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword, (__bridge id)kSecAttrService: @"CocoaHeads", (__bridge id)kSecAttrAccount: @"admin", (__bridge id)kSecValueData: secretKey, (__bridge id)kSecAttrAccessControl: (__bridge id)accessControl};
OSStatus status = SecItemAdd((__bridge CFDictionaryRef)query, nil);
• Keychain 101 : Read an item
secItem
NSDictionary *query = @{(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword, (__bridge id)kSecAttrService: @"CocoaHeads", (__bridge id)kSecAttrAccount: @"admin", (__bridge id)kSecReturnData: @YES};
CFTypeRef dataTypeRef = NULL; OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &dataTypeRef);
NSData *secretKey = CFBridgingRelease(dataTypeRef);
• Read an item with ACLs
secItem
NSDictionary *query = @{(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword, (__bridge id)kSecAttrService: @"CocoaHeads", (__bridge id)kSecAttrAccount: @"admin", (__bridge id)kSecReturnData: @YES, (__bridge id)kSecUseOperationPrompt: @"CocoaHeads sessions access"};
dispatch_async(dispatch_get_main_queue(), ^{ CFTypeRef dataTypeRef = NULL; OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &dataTypeRef); NSData * secretKey = CFBridgingRelease(dataTypeRef); });
• To learn more… ‣ WWDC 2014 - Session 711 ‣ KeychainTouchID sample code
• Pierre-Alban Toth (@patoth) ‣ iOS dev @ Capitaine Train ‣ https://www.capitainetrain.com/jobs
Thank you !