
Insecure Authentication

Why is this important?

Authentication is one of the most fundamental security requirements. Any issues with authentication can allow attackers to bypass business logic and impersonate users, or even access all data from other users.

Fixing Insecure Authentication

Biometric-based authentication is available via two options:

  1. The LocalAuthentication framework: Less suitable for high-risk apps such as banking, because the framework runs outside of the Secure Enclave and its result is susceptible to interception on jailbroken devices.
  2. The Keychain Services: Suitable for high-risk apps because the app interacts securely with the on-device Keychain through dedicated APIs.

Option A: Leverage Keychain Services

  1. Go through the issues that GuardRails identified in the PR

  2. Identify the following patterns:

    #import <LocalAuthentication/LocalAuthentication.h>

    LAContext *context = [[LAContext alloc] init];
    NSError *error = nil;
    NSString *reason = @"Please authenticate using TouchID.";
    if ([context canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&error]) {
        [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
                localizedReason:reason
                          reply:^(BOOL success, NSError *authError) {
            if (success) {
                NSLog(@"Auth was OK");
            } else {
                // A real app should branch on authError.code (LAError); this sample only logs it.
                // NSError is an object, so it is formatted with %@, not %d.
                NSLog(@"Error received: %@", authError);
            }
        }];
    } else {
        NSLog(@"Can not evaluate Touch ID");
    }

    or:

    import LocalAuthentication

    // Assumed to run inside a UIViewController method (hence `unowned self` below).
    let context = LAContext()
    var error: NSError?

    if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) {
        let reason = "Please authenticate yourself"

        context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: reason) {
            [unowned self] success, authenticationError in

            // The reply closure is not guaranteed to run on the main thread, so hop back for UI work.
            DispatchQueue.main.async {
                if success {
                    DVIAUtilities.showAlert(title: "Success", message: "Authentication Successful", viewController: self)
                } else {
                    DVIAUtilities.showAlert(title: "Error", message: "Authentication Failed", viewController: self)
                }
            }
        }
    } else {
        DVIAUtilities.showAlert(title: "Touch ID not available", message: "Your device doesn't support Touch ID or you haven't configured Touch ID authentication on your device", viewController: self)
    }

  3. Confirm that the lower level of security is acceptable for your app, otherwise consider leveraging the Keychain Services instead

  4. Test it and ensure the functionality works as expected

  5. Ship it 🚢 and relax 🌴
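The patterns above gate access on an `if success` branch in app code, which is exactly what can be patched out or hooked on a jailbroken device. The Keychain Services alternative from option 2 (and from step 3) binds the secret itself to a biometric access-control policy, so the Secure Enclave, not the app, decides whether the data is released. The following Swift is an added example written for this page and is not code from GuardRails or from DVIA; the service and account names and the token value are constructed placeholders.

```swift
import Foundation
import LocalAuthentication
import Security

// Constructed identifiers for this example only.
let kExampleService = "com.example.app.session-token"
let kExampleAccount = "refresh-token"

enum BiometricKeychainError: Error {
    case accessControl(Error?)
    case osStatus(OSStatus)
}

/// Stores `secret` so it can only be read after the user passes biometric
/// authentication on this device. The check is enforced by the Keychain and
/// Secure Enclave rather than by a boolean in app code.
func storeBiometricProtectedSecret(_ secret: Data) throws {
    var cfError: Unmanaged<CFError>?
    // .biometryCurrentSet: the item becomes unreadable if the enrolled biometrics change.
    // WhenPasscodeSetThisDeviceOnly: the item is never migrated to backups or other devices.
    guard let accessControl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet,
        &cfError
    ) else {
        throw BiometricKeychainError.accessControl(cfError?.takeRetainedValue())
    }

    let baseQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: kExampleService,
        kSecAttrAccount as String: kExampleAccount,
    ]

    // Remove any previous copy so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete(baseQuery as CFDictionary)

    var addQuery = baseQuery
    addQuery[kSecAttrAccessControl as String] = accessControl
    addQuery[kSecValueData as String] = secret

    let status = SecItemAdd(addQuery as CFDictionary, nil)
    guard status == errSecSuccess else { throw BiometricKeychainError.osStatus(status) }
}

/// Reads the secret back. The system presents the biometric prompt itself; if the
/// user fails or cancels, SecItemCopyMatching returns an error and no data is released.
func readBiometricProtectedSecret(reason: String) throws -> Data {
    let context = LAContext()
    context.localizedReason = reason

    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: kExampleService,
        kSecAttrAccount as String: kExampleAccount,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecUseAuthenticationContext as String: context,
    ]

    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else {
        throw BiometricKeychainError.osStatus(status)
    }
    return data
}

// Usage on a device with enrolled biometrics (the Simulator has no Secure Enclave):
// try storeBiometricProtectedSecret(Data("constructed-token".utf8))
// let token = try readBiometricProtectedSecret(reason: "Unlock your session")
```

`SecItemCopyMatching` blocks the calling thread while the prompt is shown, so call `readBiometricProtectedSecret` from a background queue. A failed or cancelled prompt surfaces as a non-success `OSStatus` (for example `errSecUserCanceled`), and the protected bytes never reach the app, which is the property that the `if success` pattern cannot give you.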

More information: