Objective-C : Unsafe authentication (LocalAuthentication framework)

Overview

The application uses the LocalAuthentication framework to authenticate the user. This framework does not perform its checks inside the Secure Enclave, so its APIs can be hooked on jailbroken devices.

Authentication contexts are used to evaluate authentication policies, allowing apps to ask the user to authenticate with biometric information such as a fingerprint enrolled with Touch ID. Touch ID can be integrated in two ways: through the LocalAuthentication framework, or through Keychain access control based on Touch ID. Although both methods should be suitable for most applications, LocalAuthentication has some characteristics that make it less secure for high-risk applications such as banking and insurance:

  • LocalAuthentication's logic is executed outside the device's Secure Enclave, which means its APIs can be hooked and modified on jailbroken devices.
  • LocalAuthentication verifies the user by evaluating a context policy that returns either true or false. This boolean result means the application cannot establish who actually authenticated.
  • In addition, fingerprints enrolled in the future will also evaluate to true.

An LAContext object represents an authentication context. The LAContext class provides a programmatic interface for evaluating authentication policies and access controls, managing credentials, and invalidating authentication contexts.

LAContext.evaluatePolicy cannot authenticate a user without the risk that another registered fingerprint is used. It also poses the risk that a malicious actor who steals or finds a victim's iOS device is able to bypass the Touch ID check used in other applications.
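The two integration routes described above, side by side, as an added example (not code from the original page or from DerScanner): the flagged evaluatePolicy pattern, whose outcome is a plain BOOL, and the Keychain access-control alternative that ties the secret to the Secure Enclave and to the currently enrolled biometrics. The service and account names are constructed placeholders, and the secret passed in is whatever the app uses to unlock its session.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <LocalAuthentication/LocalAuthentication.h>
// Constructed identifiers for this example, not from the original page.
static NSString * const kExampleService = @"com.example.app.vault";
static NSString * const kExampleAccount = @"session-secret";
// FLAGGED PATTERN: the decision is a BOOL handed back to app code; on a
// jailbroken device the reply block can be hooked to always report success.
void UnlockWithLocalAuthentication(void (^completion)(BOOL unlocked)) {
    LAContext *ctx = [[LAContext alloc] init];
    [ctx evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
        localizedReason:@"Unlock the app"
                  reply:^(BOOL success, NSError *error) { completion(success); }];
}
// HARDENED PATTERN: bind the secret to Secure Enclave-backed Keychain access
// control. Only the biometrics enrolled at storage time can release it.
BOOL StoreSecretBoundToBiometrics(NSData *secret) {
    SecAccessControlRef acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        kSecAccessControlBiometryCurrentSet,   // pre-iOS 11.3: kSecAccessControlTouchIDCurrentSet
        NULL);
    if (acl == NULL) { return NO; }
    NSDictionary *add = @{
        (__bridge id)kSecClass:             (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:       kExampleService,
        (__bridge id)kSecAttrAccount:       kExampleAccount,
        (__bridge id)kSecAttrAccessControl: (__bridge id)acl,
        (__bridge id)kSecValueData:         secret,
    };
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)add, NULL);
    CFRelease(acl);
    return status == errSecSuccess;
}
// Returns nil if the user cancels or fails, or if the enrolled biometric set
// changed after storage: the item is then permanently unreadable, by design.
NSData *ReadSecretBoundToBiometrics(void) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:              (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:        kExampleService,
        (__bridge id)kSecAttrAccount:        kExampleAccount,
        (__bridge id)kSecReturnData:         @YES,
        (__bridge id)kSecUseOperationPrompt: @"Unlock the app",
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    return status == errSecSuccess ? (__bridge_transfer NSData *)result : nil;
}
```

Because the data is released by the Keychain only after the Secure Enclave has verified one of the fingerprints present when the item was written, hooking the app's own code yields nothing usable, and a fingerprint added later does not unlock it.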

Insecure Authentication holds fourth place in the OWASP Mobile Top 10 2016 ranking of mobile application vulnerabilities.

DerScanner Severity Score: MEDIUM
