There is so much misinformation about this, I'm going to repost the technical explanation I gave in the other thread:
The API hides a lot of the implementation details, so most developers won't know how it really works, but Apple document it in their iOS Security Guide (PDF).
When you boot your iPhone up, the filesystem is encrypted. It's just full of meaningless junk; you can't use the phone. Once you enter your passcode for the first time, the system reads the filesystem key (which itself is stored encrypted by your passcode), and tries to decrypt it. If your passcode is correct, it will end up with the correct filesystem key, and it can unlock your iPhone's hard drive and read useful data from it. This filesystem key is called "NSFileProtectionComplete".
IMPORTANT: At this point your phone is unlocked. That is all there is to it. This filesystem key gets placed in the Secure Enclave so your iPhone can read/write from its hard drive. We haven't used TouchID or fingerprints so far, just a passcode. This is why you always need to give your passcode after a restart.
So how does TouchID work, exactly?
Let's look at what happens when you lock the phone, and how it's different between TouchID and non-TouchID:
So basically if you have TouchID disabled (passcode only), this key gets thrown away and you need to enter the passcode again next time you unlock. It's the exact same process as you go through on first-boot.
What Apple is saying here is that TouchID just holds on to the key which you already obtained via your passcode for a while (48 hours if the device stays on). But is TouchID really completely optional? Let's ask Apple:
Okay, I guess that settles it.
What about other stuff like iTunes/ApplePay purchases? How does that work with TouchID?
So when you enter your iTunes Store password the first time after a reboot, your device gets a temporary token to use for purchases, stores it in the Secure Enclave, and guards it behind TouchID. Again, it's totally optional; just a shortcut for entering your password.
The same applies to Apple Pay:
Man, Apple is really going to regret writing this document...
So yeah, in conclusion:
1. It is totally technically possible to rip the TouchID sensor out of your phone and still be able to unlock it (assuming you have the passcode).
2. TouchID does not seem to be essential for any single feature of the device; it is only ever a shortcut for entering the passwords you have already recently entered into the phone.
3. It's really weird that Apple only check the TouchID sensor's integrity when they update the OS. Surely they should check that on every boot?
So what did Apple do wrong?
1. Apple should have communicated better (not when performing the update, but when buying the device!) that the TouchID sensor can only be replaced by an authorised technician.
2. If the TouchID sensor is compromised, they should fall back to the passcode. As I said, the passcode is the only thing you really need to unlock the device.
Law firms? I just did all of your investigation work for you. Feel free to cut me a cheque.
EDIT: Rewritten for greater clarity for non-technical folks.
EDIT2: My personal feeling is that this is a bug -- I mean, what if the legit sensor developed a hardware fault? You don't want the machine to just lock all access. I think Apple did intend to fall back to the passcode if the TouchID sensor failed, but unfortunately this is a catastrophic bug: even if Apple fix it, once you're locked out of the phone you can't update to get the fix. They should release a software update ASAP and repair any affected phones for free.